
Cybersecurity is quickly becoming an area of focus for many audit committees and boards today.
We are seeing large-scale innovation and automation creating both opportunities and risks against the backdrop of an ever-evolving cyber threat landscape and a critical shortage of cybersecurity skills. Naturally, this has made cybersecurity a hot topic for those leading and governing organisations in this age.
According to Interpol’s 2021 African Cyberthreat Assessment Report, cybercrime reduced African GDP by more than 10%, at an estimated cost of US$4.12 billion (N$70.6 billion). The cyberattacks assessed were primarily targeted at (and suffered by) government institutions, critical national infrastructure and small to medium-sized enterprises.
A cyberattack can cripple business operations, cost millions to recover from and result in directors’ personal liability. The need for boards to understand their responsibility in governing this area has never been more pressing.
However, with the average board director not necessarily being tech-savvy, how does an organisation present cybersecurity risk to its board in a way that allows a director to provide effective oversight over it?
Given the relative newness of this evolving risk on many boards’ agendas, an important topic to cover with a board at the outset is its responsibility for the governance of the organisation’s cybersecurity programme.
It is also important to remember that corporate executives and directors are the typical victims of cybercrime such as business email compromise (BEC) or cyber-based corporate espionage. Directors must be aware of the threats targeted at them, and by extension at the organisations they lead. Training them to identify and respond to common targeted cybercrime is non-negotiable.
Locally, there is no formal guidance on a board’s responsibility for cyber risk in governance standards such as the NamCode, which has not caught up with recent shifts in the world of commerce. Boards are nonetheless ultimately accountable for the effectiveness of the risk management programmes of the organisations they govern, and cyber risk is an inherent part of any such programme. The USA National Association of Corporate Directors’ Handbook on Cyber Risk Oversight is a good authority in this niche area.
Aside from knowing their responsibilities and threats to themselves, what any board member ultimately wants is an answer to each of these three questions:
In answering these questions, it is important to select and present key cyber risk and programme performance metrics aligned to the organisation’s strategy and situational context. Taken together, these indicators should give the board insight into the maturity of the organisation’s cybersecurity programme. Because not all board members will necessarily be technical cybersecurity experts, it is all the more important to present these metrics in a language they already know: programme maturity ratings, risk heat-maps and cost.
A board’s understanding of cybersecurity should be strong enough to provide effective oversight over a company’s cybersecurity programme, and to provide its directors confidence that the organisation can effectively respond to a materially significant cyber breach. This will allow them to continue to effectively discharge their fiduciary duty of due care, as they steer the organisations they lead to success.
*Thomas Paavo Hamata is a technology governance, risk and compliance professional.