Cybersecurity is a stated priority for many businesses, yet cyber-risk oversight, which nominally sits with the board of directors, has conventionally not been a board-level priority. As the threat landscape continues to evolve, companies will have to rethink their approach to cybersecurity governance.
In this post, we explore some of the cyber governance issues that corporate boardrooms will be dealing with in 2023 and beyond.
5 Cyber Issues Facing Corporate Boardrooms in the Future
Cyber Governance Reform
Cybersecurity is an evolving field, and it is important to stay on top of it. Here is what you need to know about cybersecurity trends for the boardroom in 2023.
According to the World Economic Forum's Global Cybersecurity Outlook 2022, ransomware is the number one risk to organizations. Over the past few years, cyber risk has grown faster than countermeasures, and regulators have taken note. In March 2022, the U.S. Securities and Exchange Commission proposed rules that would require registrants under the Securities Exchange Act of 1934 to describe the cybersecurity expertise, if any, of their board of directors. Registrants would also be required to disclose material cybersecurity incidents within four business days on Form 8-K and to report periodically on their cybersecurity risk management, strategy, and governance.
These reforms could push corporate boards to focus on foundational aspects of cybersecurity: cyber expertise in the boardroom, the material cost of cyber risk, cyber disclosure, and the efficacy of cyber management policies and techniques.
Shareholder Pressure Towards More Comprehensive Cyber Governance Policies
In 2022, the average cost of a ransomware breach was $4.54 million, not including any ransom paid, according to IBM's Cost of a Data Breach report. Losses to intangible assets such as reputation, credibility, and trust are harder to measure and often larger, and companies are still working out how their own cyber governance policies can be improved. Corporate boardrooms are under increasing pressure from shareholders, who want more stringent policies in place to protect their investments, and from regulators, who are investigating a number of companies over their cybersecurity practices.
A key feature of cybersecurity management in 2023 will be ensuring that oversight structures are well established at the board level. Boards are increasingly being held accountable for the business continuity risks, equity risks, and financial losses that can follow a cyber attack.
Boards of directors are not expected to be cyber management experts, although having that expertise on the board helps. They are expected to challenge management on the measures in place and to inform stakeholders about how the outcomes of any cyberattack will be mitigated.
The Role of CFOs in Cybersecurity
Cybersecurity threats are business threats, which gives the Chief Financial Officer (CFO) a new level of importance in an ever-growing cyber risk landscape. Working with the CISO, the CFO can put a financial figure on cyber threats and measure the return on investment of security programs. This lets them make the case for cybersecurity spending to the rest of the C-suite by placing cyber risk in the context of the organization's own environment.
The adoption of Cyber Risk Quantification (CRQ) practices has shown that many boards are, in effect, largely self-insured against the economic consequences of a cyber attack, which is exactly why quantifying cyber risk exposure matters. Rising cyber insurance premiums are a further reason to understand cyber risk in economic terms and to "speak the language" of cybersecurity from a business perspective.
Systemic Cyber Risk
The growth of information technology (IT) and operational technology (OT) has transformed our day-to-day digital infrastructure. Digital architecture now underpins most organizations' functions and processes, but this hyper-connected environment brings with it a new set of challenges.
Systemic risk is not a new concept, but with digital systems becoming the backbone of our world, systemic cyber risk creates a different dynamic. Cyber risk is inherent in any digital environment, but when IT and OT networks are interconnected and many organizations depend on the same suppliers and service providers, a single compromise or outage can propagate well beyond the organization where it started. Simply put, the domino effect cannot be avoided without adequate preparation.
As a result, corporate boardrooms will need to establish new ways of thinking about, managing, and governing systemic cyber risk. On the bright side, the systemic financial crisis of 2008 provides a precedent to learn from.
Increased Enforcement from Regulatory Bodies
We have covered governance and regulation throughout this article, but one of the main issues, if not the main issue, that the corporate boardroom will face in 2023 is the arrival of regulatory reform in the boardroom itself.
So far, management teams have borne the brunt of cybersecurity reforms, while corporate governance has seen comparatively little. However, the SEC has stated that it intends to take a more active role in policing cyber governance going forward. It only recently began investigating companies over these issues, and there is no reason to think the trend will not continue or even accelerate as the years progress. Future cyber governance policies will therefore likely need to be stricter than those many businesses use today if they are to meet regulatory standards.
Cyber threats are at a high point, and so are the stakes. Rising geopolitical tensions, insider threats, ransomware attacks, and systemic cyber risk have produced a risk environment that most organizations, and their boards, are not fully prepared to handle. From a business value perspective, boards of directors will have no choice but to treat this risk as a core corporate governance issue.
The Bottom Line
Cyber regulation and governance reform are long overdue. Given the rapid increase in the sophistication and impact of cyber attacks, cybersecurity will place the boardroom at the center of the discussion and, in turn, transform the way corporate boardrooms approach cyber risk.
At IP Consulting, we know the ins and outs of cybersecurity, from the risks you can face to the measures you need most. We consider every organization’s specific requirements and work closely with them to ensure long-term success. Interested? Contact us today to find out more.