Company boards risk losing the race with cybercriminals

Cybercrime is now the number one risk for financial and related professional services firms, and company boards must do more to meet the challenge, according to findings published today in a new report from TheCityUK and Marsh, a leading global insurance broker and risk adviser.

The report, ‘Governing cyber risk: a guide for company boards’, outlines a new framework for boards to meet the growing cyber threat. It found that many companies were yet to meet the standards published today and need to do more to address the risks.

While boards need to ensure their companies are front-runners in the race to digitise, they also have a responsibility to manage the exposure to cybercrime that digitisation creates. In parallel, rules such as the UK Corporate Governance Code, the Senior Managers & Certification Regime and the General Data Protection Regulation are creating additional board responsibilities for cyber security. Data compiled by Marsh suggests a tripling in directors' and officers' liability insurance claims within the UK financial sector over the past three years.

Marcus Scott, Chief Operating Officer, TheCityUK, said,

Cyber security is now a major risk demanding board-level oversight as companies find themselves under siege from cyber-attacks. In fact, for many of our members it may well be the biggest single risk. As well as mitigating against external attacks, boards must be aware of supply chain threats which could penetrate a business through internal channels. These criminals are smart and persistent. The best form of defence is a collective, industry-wide approach. It’s essential for all boards to have robust governance systems in place to manage these risks.

Mark Weil, Chief Executive Officer, Marsh, UK & Ireland, said,

While there has been much discussion on the technical aspects of cyber risk, little is said on what company boards should be doing to address this threat. Boards need to drive forward digital transformation to maintain their competitive edge, while ensuring they are resilient to the many forms of cyber-attacks digitisation opens them up to.

While we found big differences in boards’ approach to governing cyber risk, closing the gap should be relatively straightforward as the differences are more about attitude than spend. We want boards to be able to have a ‘no regrets’ position on cyber, meaning that if a breach does occur, they know that everything reasonable has been done to minimise harm.

The report is based on benchmark interviews conducted at board and senior executive level from across TheCityUK’s membership. While all firms are now taking actions to manage cyber security, the research found material differences in the extent to which boards were driving those actions. The report benchmarked boards on how ‘proactive’ they are in engaging and informing themselves on cyber and how much ‘challenge’ they are creating for management in providing active and intrusive oversight.

This benchmarking found that the larger banks and insurers tend to have the most effective board governance of cyber risk. This derives from their experience in risk management, rather than from scale or spend. Given the connectivity of firms, over time regulatory and customer pressure will mean all boards need to take the same approach.

The report gives boards a framework to benchmark themselves on and a set of questions defining a minimum standard that they should aim for:
1. Have relevant statutory and regulatory requirements like GDPR been met?
2. Have cyber exposures been quantified and financial resilience tested?
3. Is an improvement plan in place to bring exposures within the agreed risk appetite?
4. Do regular board discussions take place on concise, clear, actionable management information?
5. Are recently tested breach plans in place, which have been exercised at board level?
6. Are the roles of key people clear and aligned to standard risk management methodologies?
7. Is there independent validation and assurance of the cyber risk governance programme, whether via testing, certification or insurance?

The report notes that many other operational risks share the same hard-to-measure and hard-to-manage features of cyber security, meaning boards should look to apply the same proactive, challenging governance across all such risks.

The report also recommends cross-industry actions on shared issues, including board-level education on cyber governance, supervisory equivalence to avoid duplicated scrutiny across countries, and seeking assurance that common infrastructure is being properly secured.