In response to well-publicized cybersecurity breaches, regulations and new legislation have proliferated, putting bank directors under direct scrutiny. Boards will find it hard to defend inaction on the grounds that responsibility was delegated to information technology and risk management teams.
In a 2014 speech to the New York Stock Exchange, U.S. SEC Commissioner Luis A. Aguilar noted: ‘Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Boards that choose to ignore, or minimize, the importance of cyber security oversight responsibility, do so at their own peril’.
The Bank of England has also stressed the importance of boards viewing cyber risk as a core strategic issue and is already challenging senior management where resilience and recovery plans are inadequate.
In a recent speech, Andrew Gracie elaborated on some common themes:
- ‘Cyber has changed the rules: existing operational resilience arrangements are often geared to dealing with physical threats. These still matter. But cyber changes the game. Cyber is a dynamic, intelligent and adaptive threat. In the cyber arms race, costs are stacked in favour of the attacker, not the defender. To meet the challenge, organisations need to have policies and processes that are dynamic, intelligent and adaptive too. This means investment in capability to identify threats and detect cyber-attacks. Without this situational awareness it is hard to determine and achieve appropriate maturity levels for cyber defence and to allocate resources effectively to meet the threat’.
- ‘Cyber is not a minority sport for technologists only: Of course the first line of defence is critical and we still need IT specialists who understand the technical challenges cyber presents. But good cyber resilience is about much more than technology. It is about culture too and this means people and processes. When Morgan Stanley reported recently its customer information had been breached, this wasn’t due to sophisticated hackers, rather an employee who stole data from over 350,000 customer accounts. All parts of an organisation need to understand cyber risk and their responsibilities towards improved cyber hygiene. This includes Board level engagement. Front line business areas need to understand and own the risk. Management of cyber vulnerabilities needs to feature in strategic planning’.
- ‘Cyber requires effective and regular testing: Of people, processes and technology. Industry investment in cyber is significant but testing the effectiveness of this investment has not kept pace. Assurance is often based on audits and control sampling which is not sufficient, not least because of the challenge for internal audit departments to keep pace with change in this area. And of course, given the dynamic nature of the threat, such tests should take place on a regular basis’.
Effective governance includes ensuring that leadership teams have the skills and knowledge required to understand cyber risk, particularly given the adaptive nature of the threat.