“Put cyber security on the agenda before it becomes the agenda” – NZ Institute of Directors
Do you believe that cyber security is just an issue for the IT department to worry about? If you do, your company may be at risk of more than just a cyber breach.
The consequences of a cyber breach could be serious, ranging from business disruption from a software failure, to loss of data and website security. The potential impact on a company’s reputation could be catastrophic. Cyber security is certainly an IT issue, but is also something for which every person in your company carries some responsibility.
For directors, the risk is even greater. Given the risks to the business as a whole of a cyber breach, there is an increasing need to move the issue of cyber security to the level of the executive or the board. An organisation-wide approach is required to properly mitigate cyber security issues – including HR, communications, finance, and legal.
Increasingly a Board issue
So why has cybersecurity become an issue of such importance that it requires the Board’s attention? In 2015, Norton Cybercrime released a report that estimated New Zealand’s loss to cybercrime at more than $256.8 million. On average, 22 hours were lost and $300 spent per person dealing with the impacts of cyber breaches.
In today’s hyper-connected business environment, the risk to your business of systems being disrupted or information falling into the wrong hands could fall into the hundreds of thousands of dollars, and damage your company’s reputation irrevocably.
Directors are now becoming more aware of the significance of cyber risk. A 2015 survey by the NZ Institute of Directors ranked cyber security as the second most important key external risk by directors. In comparison, when the survey was first carried out in 2013 cyber security did not rank at all.
Heightened risk of attack
The numbers of professional hackers who are looking to profit from illegally-acquired information are growing. While increased connectivity empowers businesses, it also increases hackers’ ability to break into databases, systems and websites.
Most cyber crimes are carried out by individuals or small groups. However, large organised crime groups also take advantage of the internet. These professional criminals treat cyber crime as a business, sharing strategies and tools, and even combining forces to launch co-ordinated attacks.
Automated attacks make the hackers’ work much more efficient, using automated bots to crawl the internet 24/7 looking for vulnerabilities to exploit.
For directors and board members, it is your duty of care to ensure that when – not if – hackers target your business, your systems are ‘reasonably secured’.
What does ‘reasonably secured’ mean’?
According to New Zealand law firm Jackson Russell Lawyers, ‘reasonable’ means taking steps proportionate to the risk of harm to identify and manage risks to individuals, relative to their personal information.
In other words, requirements differ depending on the type of information held and the kinds of risks that might arise from misuse of that information.
Every organisation should assess the information they hold and identify the reasonable steps to take to secure it. Types of breaches could include identity theft, accidental release of information by staff, fraud, intentional employee leaks, through to cyber attacks by hackers that allow unauthorised access to systems, DoS attacks, and malware attacks.
And directors should also understand that when a third party provider is used for storage and management of information, the organisation is still legally liable for compliance with privacy laws.
While 100% mitigation is usually not legally required (or even possible), what is required is for directors to assess categories of data and determine how far to go with managing the risk. Under the Companies Act, board members have an obligation to exercise the care, diligence and skill of a ‘reasonable director’ in the circumstances.
Given the risk and impact of a breach, it is clear that cyber security should be the subject of regular board reviews.
What do directors need to do?
In order to be able to lead in a digital age, boards need to take responsibility for cyber security. Basic information risk management has been shown to prevent up to 85% of cyber attacks.
NZ government organisation Connect Smart offers the following tips for Boards and Executives:
- Confirm that you have identified your key information assets and the impact on your business if they were to be compromised.
- Confirm that you have clearly identified the key threats to your information assets and set an appetite for the associated risks.
- Confirm that you are appropriately managing the cyber risks to your information and have the necessary security policies in place.
Should we cyber insure?
A key part of the Board’s risk management strategy could also be to consider cyber insurance. While an insurance policy won’t stop a cyber breach, it can help you recover from one.
The strength of a cyber insurance policy is to fill the gaps in your traditional insurance, considering all aspects of loss as well as your liability to others as a result of the network breach. Your Abbott broker can give you more advice on this.
Educate, assess and revisit
Cyber security is no longer an operational issue, but has become a key strategic risk for all businesses. Directors need to understand the topic so they can determine what steps are required to mitigate the risk.
All directors should educate themselves on the legal issues and ask the right questions. Understand the value of the information your business holds, assess the risks of a cyber breach, and regularly review it.
Talk to your Abbott broker to find out more about cyber insurance options.