GLOBAL CYBER attacks increased in volume by 38% in 2022 when compared to 2021, but six in every ten directors suggest that their company is ineffective in understanding the risks. That’s one key finding of ‘Effective Board Governance of Cyber Security: A Source of Competitive Advantage’, the latest report published by Savanti, one of the UK’s leading cyber security consultancies.
The report finds that businesses that are ‘cyber-engaged’ have increased revenue growth, a greater success rate in attracting clients and higher investor confidence.
Increasing numbers of UK businesses are struggling to understand how to combat cyber crime, which puts them at increased risk of cyber attacks resulting in crippling costs such as multi-million pound ransoms, litigation and reputational damage.
In terms of numbers, across all UK businesses, there were 2.4 million instances of cyber crime in the last 12 months. According to Cyber Security Ventures, the cost of cyber crime to business could reach £8.4 trillion annually by 2025. If it was measured as a country, cyber crime would be the world’s third largest economy after the US and China.
Recent high-profile incidents include the cyber attack on The Electoral Commission in which a breach undetected for 14 months resulted in access to voters’ personal data including home addresses, images, e-mail addresses, names and telephone numbers. There were also the cyber attacks on British Airways and Boots.
Drivers and impacts
Savanti’s report suggests that, although Boards of Directors are increasingly concerned about cyber security (ranking it as one of their top priorities), many struggle to understand what to do, with the majority (i.e. 59%) of directors saying their Board is not very effective in understanding the drivers and impacts of cyber risks for their organisation.
The report states that large enterprises with ‘digitally-savvy’, ‘cyber-engaged’ executive teams have significantly higher revenue growth, valuations and net margins.
Effective cyber security also brings many top-line benefits, including greater success rates when tendering for new clients, improved data insights, heightened investor confidence and the maintenance of shareholder value during mergers and acquisitions.
The report makes a number of recommendations for Boards to consider, including having at least one Board member with direct experience of cyber security issues, making sure cyber security as a topic is discussed at least on a quarterly basis at Board meetings and understanding how long it would take to recover from a disruptive cyber attack such as a ransomware episode.
Canary in the coalmine
Richard Brinson, CEO of Savanti, informed Security Matters: “Many investors view cyber as the canary in the coalmine for the health and resilience of a business. If a company can demonstrate effective cyber preparedness, it’s a sign of the strength of its overall leadership, operations and governance. However, while there has undoubtedly been progress in recent years on Board governance of cyber security, many Boards struggle to dispense their responsibilities.”
Brinson continued: “We found many Board members don’t understand their unique role on cyber security, lack the right level of cyber awareness and are scared to turn to their Chief Information Security Officer to bridge this gap for fear of exposing their lack of understanding.”
Further, Brinson noted: “Our report makes several recommendations as to how Boards can address this issue. For example, it’s second nature to have finance and HR representation at Board level, yet despite the growing risk of cyber attack episodes, knowledge of cyber issues is at best under-represented and, at worst, ignored. Having at least one director with experience in cyber and capable of speaking at Board level on the subject of cyber security would make a huge difference. More regular discussion of cyber issues at Board meetings is also vital. For too many it’s just an add-on that’s discussed briefly once a year.”
The Savanti report also recommends Boards of Directors take action to make sure they’re ahead of the game on cyber regulation.
Brinson concluded: “Many Boards have their heads in the sand on cyber regulation. In the US, the Securities and Exchange Commission adopted rules in July requiring public companies to disclose within four days all cyber security breaches that could affect their bottom line. It seems likely more cyber regulation will emerge in the coming years in the UK and Europe that will eclipse the current General Data Protection Regulation reporting rules.”
Ahead of the curve
The message is clear: businesses need to be ahead of the curve. This means requirements for Boards to report on the relevant cyber security expertise held at Board and senior management level, to report on their risk management arrangements and to disclose all material incidents to the relevant public authority, in order to build a more comprehensive shared picture of the emerging threat.