EY - How boards can get ahead of cybersecurity risk

Taking charge

How boards can get ahead of cybersecurity risk


Even the best-run companies will face a crisis. In today’s technology-driven environment, that crisis will likely be a cyber attack.

Whether the situation has a severe impact on a company often depends on the board’s preparedness. Smart boards know that the best offense is a strong defense. An organization’s value and reputation can hinge on how well it responds to an unforeseen event.

Keeping cyber “top of mind” and part of overall governance

A cyber attack can erode a company’s competitive advantage and shareholder value and severely damage its reputation. The advent of new technologies and an ecosystem of digital interconnectedness significantly increase a company’s exposure to theft of its “crown jewels,” which may include confidential customer data, intellectual property or information about corporate strategy.

Cybersecurity threats are not simply an information technology (IT) challenge, given the significant impact a breach can have on the overall business. Boards can start by taking cybersecurity out of the silo of the IT department.

Because cyber risk is ubiquitous in the digital age, boards should lead the effort by redefining cybersecurity governance and shifting the mindset in the entire organization.

It is about transforming the culture so that cybersecurity is viewed as a business risk that is both managed and integrated into the overall business strategy.

Cybersecurity should be viewed in the context of an enterprise-wide risk that should be managed on an ongoing basis and given the requisite visibility by the full board.

It also means ensuring that cyber risk considerations are interwoven into all major discussions and decisions at the board level (e.g., a merger, an acquisition, the introduction of a new product, entry into new markets, or the implementation of new technologies or software).

For example, during an acquisition, companies will perform financial due diligence on the acquiree to understand the associated business risks. If cyber risks aren’t considered, a company and its board won’t fully understand the associated vulnerabilities and hazards they are likely to inherit.

As organizations adapt to changes in the external business environment and in their business strategy and operations, boards need to ensure that cybersecurity measures are adapted accordingly and that the related risks are reassessed.