Cyber risk has to date featured on many boardroom agendas, sometimes as a regular item, sometimes buried deep within the overall risk reports. The board is charged with setting the strategy and accounting to the shareholders for company performance. Naturally, risk management features significantly in most companies, and large companies are usually more sophisticated at monitoring and mitigating it than smaller ones.
Cyber risk has particular significance for today’s companies due to our electronically interconnected world. Often, it is one of those expensive, technically challenging, hard to “find someone to speak in plain English” challenges and is not really engaged with until there is a problem.
Research available on the topic points to various findings, and it is difficult to get a clear picture of how, or whether, the technical cyber risk experts are conveying the appropriate risk mitigation in a language that is clearly understood by the board, or indeed whether those mitigations are tempered with an organisation-wide view of risks of similar impact value.
These challenges in the pre GDPR world were bad enough. If they materialised, a company may have faced operational disruption, loss of customer confidence and possible reputational loss. Costs per cyber incident could reach multi-million pounds in value.
Large companies are reported to have spent on average £15M in preparing their policies, guidelines, processes, people and technology for GDPR readiness. Smaller companies have spent much less, depending on their size and complexity. For many companies, this is the first piece of regulation they have had to contend with. GDPR is applicable to all industries. Heavily regulated industries such as pharma and financial services should be able to cope more easily; for them, it is just more regulation.
In the post-GDPR world, the cyber risk exposure value may have rocketed up to tens of millions of pounds. Many cyber incidents are likely to involve a data breach. These breaches flag to the regulator possible non-compliance with GDPR: fines can reach €20M or 4% of global turnover. Breaches must now be reported to the Regulator (the Data Protection Commissioner) and are likely to attract regulatory scrutiny to a company, which may be a totally new experience for that company.
So, what used to cost a few million could now cost tens or even hundreds of millions of pounds. This makes the language and techniques used to report cyber risk to the Board all the more important. Information security, cybersecurity and data protection all contribute to cyber risk. The post-GDPR world makes this a systemic risk, and it needs to be expressed to the Board in business risk terms, so that they can understand it and decide on it in the same way they would any business-driven risk.
In the longer term, as regulators become more sophisticated in their expectations of a company, there may be implications for the outcomes of IT audits. A personal data breach must be reported to the Data Protection Commissioner no later than 72 hours from the point of discovery. This has a direct impact on the post-incident strategy and plans that must be in place.
My research aims to understand how the risk is being reported to the Board and whether there are any possible common frameworks that can demystify it and make it simple.
By Brian Bracken. Brian Bracken is a professor at Trinity College Dublin.