Boardroom Priority or Pitfall? Tackling Data Risk from the Top Down
By Gráinne Bryan, Sonia Cheng, Dave Harvey, Jonathan Neilan, FTI Consulting
Cybersecurity and privacy have in recent years gained “buzzword” status in the boardroom. An ongoing groundswell of global data privacy enforcement and a perpetual upswing in the severity and frequency of data breaches have put nearly all corporate boards on high alert. So much so that in FTI Consulting’s recent Resilience Barometer survey of executives across the G20, board member respondents cited data privacy issues and/or cyber attacks as the top threats most likely to harm their organisation in the coming year. This is a view shared by institutional investors who in prior research also cited cyber risks as a top concern among the companies at which they are invested. In addition, organisations’ risk profiles are increasingly influenced by information governance issues. This, coupled with our view that companies have in the past lacked sufficient IT representation on their boards, highlights the importance of continuing to elevate the issue of cyber and information considerations at the board level.
The increase in cyber and privacy awareness that we’re seeing among boards is encouraging progress, especially for IT, security and legal teams who are urging investment in more cybersecurity and privacy compliance resources for their organisation. When board members understand the severity of data breaches and prioritise readiness programmes, the teams who deal with the risks day-to-day will be much more effective at implementing and maintaining prevention and mitigation strategies. Still, increased awareness and good intentions don’t always equate to all stakeholders seeing risk in the same light or agreeing to which steps should be prioritised.
To ensure organisations are effectively prepared to withstand the rapid pace and increasing severity of cyber and privacy incidents, board members must align with key stakeholders within their organisation. This requires creating a dialogue through which legal and security leaders can escalate data risks to the board in a way that is relevant, clear and aligned to the business. Board members can help facilitate this and ultimately improve their organisation’s readiness by asking department leaders key questions. These include:
Are we prepared for an attack and/or breach?
Readiness is essential to mitigating fallout from a cybersecurity or privacy breach incident. Organisations must have strong privacy and security policies in place, as well as a detailed incident response plan that accounts for actions across legal, cybersecurity, compliance, IT, leadership, crisis communications, business continuity and more. However, these alone are not sufficient—policies and plans must be stress tested much in the same way that organisations practice for emergency or natural disaster response. Board members should emphasise the importance of incident simulations across their organisation so that critical teams are prepared if and when a real incident occurs.
Who is currently at the table and who needs to be?
Preparedness also requires that the organisation has established a cross-functional working group involving key stakeholders (e.g., legal, privacy, security) alongside representatives from compliance, executive leadership, operational staff, insurance, marketing, communications and external advisors. For example, legal counsel and communications teams will provide key inputs into how internal and external messaging is handled, privacy and compliance leads will be responsible for overseeing how an incident may implicate requirements in various jurisdictions, while cybersecurity, IT and digital forensics teams must work together to investigate and contain an attack. The extent to which boards can also add a degree of IT expertise to the board will also support better position the board to manage and respond to a growing range of cyber and information governance considerations.
What is the cost-benefit analysis for investing more in compliance, prevention and incident response?
Risks are easier to understand when they are connected to something real. Executive leadership and board members may be reluctant to approve spending on prevention or robust data privacy programmes, often because the costs seem disproportionately high. However, implementing proactive, preventative programmes provides significant cost savings when compared to the average costs of responding to a cybersecurity or data breach incident in an ad-hoc manner. For example, an IBM study has estimated that preparedness can reduce the cost of a breach by 50%. These savings may actually be much higher when the value of upheld reputation and public trust are accounted for. Boards should ask their legal and cybersecurity leaders to provide detailed cost and risk analyses that illustrate the extent of financial and reputational fallout from an incident vs. the cost of strengthening readiness.
Do we have cyber insurance? What’s in the policy?
Cyber insurance is a critical and quickly changing factor in an organisation’s overall approach to data breach readiness. Cyber products are one of the fastest growing segments in insurance, but the frequency, scope, scale and threats in today’s cybersecurity landscape have caused the cyber insurance market to harden. Organisations currently holding policies or pursuing policies are now facing sharp increases in premiums and scrutiny from providers over the resilience of their cyber readiness programmes. Policies are longer, more complex and fraught with exceptions under which coverage for an attack or breach can be denied. Board members should maintain visibility into the guarantees and limitations in their cyber insurance policies and engage with key stakeholders to ensure the organisation is maintaining its cybersecurity obligations under the agreement.
Is the regulatory landscape shifting? What regulatory changes are happening now and what changes are on the horizon?
Global regulations impacting data privacy and cybersecurity obligations are in a near constant state of flux. While board members may not need to keep up to date on every change and every new law, it is important to keep a general pulse on regulatory trends and how sweeping laws are evolving.
For example, in March of this year, the U.S. Securities and Exchange Commission issued an announcement outlining proposed changes to its rules “to enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” If approved, these new guidelines would place greater pressure on public companies operating in the U.S. to issue faster, more frequent and more detailed notifications regarding cybersecurity and incident response. In Europe, the Digital Markets Act, which has been called one of “the world’s most far-reaching laws to address the power of the biggest tech companies” gained traction, with the EU reaching an agreement on law this spring. If the law is voted into effect as expected, it will enable significant privacy and competition enforcement on organisations that collect and leverage data. Board members must keep abreast of developments like these to fully appreciate their organisation’s obligations and risk profile.
How does our current data landscape affect our risk?
While this consideration leans toward the technical realm, it’s important for boards to maintain a general awareness of their organisation’s culture and general practices regarding data risk. To help ensure the organisation is not overly exposed or accumulating data debt, board members can engage stakeholders in discussions about data retention philosophies, whether and how data “crown jewels” are protected and how the organisation weighs the tradeoffs between data risk and value.
Board members are ready to prioritise data privacy and cybersecurity and have identified these risks as top areas of concern for the coming year. By engaging in clear communication and knowing what questions to ask, the board can ensure it is addressing the most critical issues without technical details becoming lost in translation. Through targeted conversations with key, cross-functional stakeholders, the board can become a strategic contributor to strengthening the overall cyber and privacy resilience of its organisation.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
Gráinne Bryan
+353 87 739 3089
grainne.bryan@fticonsulting.com
Sonia Cheng
+44 20 3727 1783
sonia.cheng@fticonsulting.com
Dave Harvey
+44 77 9098 2035
dave.harvey@fticonsulting.com
Jonathan Neilan
+353 1 765 0886
jonathan.neilan@fticonsulting.com