Cybersecurity & Governance: Navigating the Challenges

Uncover the link between cybersecurity risks and corporate governance, learn about threats, proactive measures, and safeguarding data. Stay protected with expert advice and best practices.

Dear Legal Ops!
Welcome to this week’s Let’s talk about Legal Ops, offered by Newton. We tackle corporate legal departments, speed up processes, and career growth. Please send us your questions; in return, we come back with real insights and actionable tips.
If you find this post valuable, don’t miss the chance to check out our latest posts.

• Maximizing Transparency and Compliance with Legal Entity Management: The Power of Automated Visual Charts
• Getting SOC2 and ISO27001 ready
• How to build a culture of compliance

Businesses today face a critical issue that cannot be ignored: the dual importance of corporate governance and cybersecurity.

The projected cost of cybercrime worldwide is expected to exceed $8 trillion annually in 2023, and the United Kingdom government’s 2022 Cyber Security Breaches Survey found that 39% of businesses had identified a cyberattack in the previous twelve months.

Indeed, as the alarming rate of cyber threats rises along with the potential of successful hacking attempts on businesses, you must remain alert and consistently proactive to secure your business data and ensure the wholesale safety of your operations. At the same time, it is important, both as a legal requirement and for the safety of your business, that you have full and effective corporate governance in place.  

By combining these two key focus areas, cybersecurity together with corporate governance, you will be able to help your clients achieve their desired long-term success whilst building trust with your stakeholders and safeguarding their reputation. Here, we explore the close relationship between cybersecurity and corporate governance and stress the importance of prioritizing both. So, let’s delve into how paying close attention to these two areas will benefit your business.  

In this article, we will cover the following:

Cybersecurity: Protecting Your Business from Digital Threats

Cybersecurity is a huge concern for governments, businesses, and individuals alike. Over the past couple of years, it has received significant political attention in both the US and the UK and is a prominent discussion topic amongst the business community. The UK government has released numerous reports on the issue, such as the FTSE 350 Cyber Governance Health Check Report in 2018, which examined how the FTSE 350 – that is, the 350 largest companies as defined by their market capitalization share on the London Stock Market – were managing their security risks. Now, in 2023, the European Union Agency for Cybersecurity is seeking to standardize EU cybersecurity legislation as a matter of urgency. This matter is being taken seriously across the board, and,  as the prestigious international law firm Slaughter and May has noted, the UK government has categorized cybersecurity as a “Tier 1 threat” that ranks alongside terrorism.  As this has become such a significant issue on the world political stage, it is essential to grant it the same level of attention in the boardroom.

With more sensitive data being stored via technological means, the risk of cyber-attacks and data breaches has increased substantially. In an attempt to mitigate these risks, companies are, by necessity, firming up their cybersecurity governance framework and best practices to ensure the safety of their digital assets. We’re sure we don’t need to tell you how the implementation of robust cybersecurity policies and procedures will help to protect your business from potential threats, as well as safeguard the valuable information you hold. However, staying ahead of the ever-changing nature of cybersecurity threats can be extremely challenging. That’s why it is so vital that you embed a fundamental cybersecurity governance strategy in your business..  

Have you considered whether your company is taking sufficient measures to ensure its cyber security? There is an ongoing danger of complacency on the part of companies, and it is crucial that directors acknowledge that cyber security is not just a trendy term or a technical issue relevant to IT teams, but an aspect that warrants attention at the board level for continued business growth and success.  

As Luis Aguilar, Commissioner at the United States Securities and Exchange Commission (SEC) warned as far back as 2014, the failure to implement strong risk and crisis management protocols could expose directors and companies to significant legal risks, including the accusation of breaches of corporate governance, directors’ duties, and disclosure obligations.

Securing the Board: Awareness of Cybersecurity Risks

As the multinational professional service firm, Price Waterhouse Coopers reported in 2022,  

“Cyber is a complex, technical area with emerging threats occurring almost weekly. Most board members are not cyber experts, yet boards have an obligation to understand and oversee this significant risk. They need active engagement with leadership, access to expertise, and robust information and reporting from management.”

The ever-evolving nature of cyber threats and the unpredictable motives and actions of malicious actors make it difficult to anticipate risks. Traditional risk governance models that have previously proven successful for physical and financial assets are mostly ineffective in tackling cyber risks – and the risks are multiple.

One of the most significant risks by which cybersecurity problems can harm an organization and its reputation occurs in the event that a hacker is able to obtain confidential information, such as bank account or credit card details, which can be sold on the “dark web”. This may result in a company’s loss of its banking or credit card privileges and the breach of privacy laws. Each month, high-profile security breaches affecting personal data are reported globally.

Recently, ransomware has become a major concern, with reports of commercially focused campaigns dating back to 2012. You also need to be aware of the many problems related to hacking. A hacker who gains access to sensitive information then achieves the ability to damage an organization’s reputation – an especially devastating risk for small companies that may struggle to recover from the loss of goodwill. That’s not to mention the risk of legal or regulatory action if customer data is lost or if a third-party files a lawsuit. A single breach of privacy laws has the potential to result in significant penalties and legal action. As the types of risks constantly evolve, companies are best advised to consult specialists to identify their most notable risks. The non-profit Bipartisan Policy Center in the United States has identified the cyber hazards that companies are most likely to face in 2023, along with the advised critical actions that directors and their company boards can take.

Corporate Governance and Effective Cyber Risk Management

The results of a study conducted by a top 200 UK law firm are very concerning. The study found that over 80% of firms had at least one vulnerable service that hackers could exploit.

It isn’t only hacking from outsiders that’s the problem. There is also the risk of insider threats, from employees who knowingly or unknowingly reveal sensitive information, not to mention the threat of disgruntled employees who may purposefully disclose information in exchange for compensation. Threats abound, from malware as a service, the lowered price of which has effectively democratized the hacking landscape. Then there are phishing links, the compromising of business emails, and the security vulnerability of cloud networks, to mention merely a few.  

All this means that it is necessary that businesses and law firms are acutely aware of any vulnerabilities and chinks in their armor and take steps to plug them. This is such a serious issue that in 2021 the Ninth Circuit Court of the United States reminded public companies of the vital importance of updating their risk factors in regard to cybersecurity, whilst the US Securities and Exchange Commission has long focused on cybersecurity risks.

Solving Common Governance Issues in Cybersecurity

The cyber risk landscape constantly evolves, and bad actors pose a constant threat. One problem with cyber risk is that it’s difficult to quantify. This means that governance boards are grappling with emerging risks and how to best exercise their duty of care to the highest standards. Companies must also be aware of the downfalls they face in the Inaccurate mapping of existing and potential risks that can lead to the underestimation of risk, as well as confirmation bias, and any overconfidence on the part of management and company directors. As a 2020 study on cybersecurity and challenges in corporate governance quoted one company director,

“Boards are illiterate about cybersecurity and the company’s reliance on information technology. But enterprise access to the internet is fundamental to delivering value, and all those transactions that rely on access to the internet are inherently unsafe”.

Yet the Corporate Governance Institute has noted that despite the increased attention firms now devote to cyber-risk. 95% of board committees only discuss both cyber and tech risks only circa four times a year.  

Many company directors have admitted the inadequacy of their board oversight processes for cyber risk, blaming its constantly changing nature. Even the boards proficient in managing intricate financial risks, like those of major banks, are still trying to determine the most effective way to oversee cybersecurity, especially in light of the never-ending demand for technology and connectivity from customers and managers. This means that thought must be paid to the creation of new, specific cybersecurity governance roles and responsibilities, as companies have discovered that they cannot simply delegate the management of cyber risk to their IT department. As one director has acknowledged, there is an ongoing blurring between operational technology and IT, so

“if we limit cybersecurity to just IT, we’re leaving ourselves vulnerable”.

Building a Strong Cyber Shield: The Art of Board Composition

As board governance is commonly expressed through the establishment of principles, a fixed set of rules may not be the best way to regulate cyber security. Instead, a principles-based method will enable every board to define and evaluate their individual direction while working within an established framework. The World Economic Forum has provided a significant reference study for companies that seek to formulate their organization’s cybersecurity strategy and engage with stakeholders on cyber risk, and is particularly helpful for its provision of six consensus principles for cybersecurity board governance.

Boards need to fully understand their exposure to cyber risk whilst taking proper ownership of company security, with full orientation on detail. Then, a wholesale holistic approach is necessary that reduces the complexity of the technology and fully addresses processes as well as company culture and human vulnerabilities within the organization. Boards must ensure that cyber security provisions are independently validated and tested, just like any other important matter, and that a careful approach is taken to the legal and regulatory environment regarding cyber security as it becomes ever-more more intricate worldwide. This includes aspects such as industry-specific regulations, data protection laws, national security policies, and reporting obligations.  

Cybersecurity Risk in ESG Oversight and Disclosures

Companies need to develop and sustain a well-thought-out global approach. It’s a tough challenge, and that’s not to mention the real risk of personal liability for company directors and officers. In fact, it’s quite possible that European authorities, including the UK, may follow the lead of US counterparts and hold directors personally liable if management failings lead to a cybersecurity breach or mishandling of one. This approach is similar to the current stance taken by authorities and regulators in various jurisdictions on environmental, social, and governance (ESG) disclosure requirements & examples. In fact, this issue is so important that the SEC has emphasized its focus on cybersecurity in recent years. In 2022, the SEC Chair Gary Gensler announced plans to request staff recommendations for disclosing cybersecurity practices, risk disclosures, and public disclosure of cyber events, with the aim of providing consistent, comparable, and decision-useful information.  

The Crucial Safeguarding Role of the Executive Committee

If you are to ensure the role of transparency in your board governance, then you need to ensure that you have put a robust corporate governance system in place. For many firms, this may mean a total recalibration of the executive committee structure. Companies should now regularly evaluate their risk response and question whether it is keeping up with the pace of development. This includes the careful consideration of executive committee roles & responsibilities, and challenging executive management to ensure that the response is sufficient and evolving as required. Another major issue concerns the need to note vulnerabilities and envisage and prepare for incidents well in advance. Companies would be best served by considering the roles allocated to the executive committee versus the board of directors, considering the suppliers and service providers instead of solely focusing on the organization, and implementing appropriate response strategies across all levels of the organization.

Summary

Ultimately, it is vital to emphasize the importance of good corporate governance in protecting your company, shareholders, and clients. Whilst many companies and their boards are taking on this challenging role and performing it well by being active, informed, independent, involved, and focused on shareholder interests, there’s still a long way to go – and it isn’t helped by the way cyber-risks are evolving, with the constant emergence of malicious software.  Boards, therefore, have no choice but to adapt and oversee cyber-risk management to prevent and prepare for potential harm. Proper preparation, deliberation, and engagement are essential.

---

About this article

Sources

Aguilar, L. (2014) Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus.  US Securities and Exchange Commission.
Romanoff, T.; Neschke, S.; Draper, D.; Farschi, J.; Lord, B.; Douglas, A.(2023) “Top Risks in Cybersecurity 2023” Bipartisan Policy Center  
Caisley, L. (2023) “Directors face personal liability over cybersecurity” White & Case Tech Newsflash    
Crowe. (2018) “Fraud and cybercrime vulnerabilities in the legal sector: Research into the risks impacting the top 200 law firms”
Esentire (2022)   “Official Cybercrime Report”  
European Union Agency for Cybersecurity (2023) “How Cybersecurity Standards Support the EU Evolving Legislative Landscape”
Gensler, G. (2022). “Remarks on Cybersecurity and Securities Laws at the Northwestern University Pritzker School of Law” US Securities and Exchange Commission.  
Ivory, I.; F Pittman, F.P.; Timmons, J.; Caisley, L.; Burke, A.; Hahn, A.A.; Turgel, D (2023) “Cybersecurity Developments and Legal Issues” White & Case.  
Phelps, B.; Cleaveland, A.; Weber, S. (2020) “Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk”. Berkeley, CA, and McLean, VA: Center for Long-Term Cybersecurity and Booz Allen Hamilton.
Price Waterhouse Coopers (2022) Overseeing Cyber Risk: The Board’s Role.  
Slaughter and May (2017) “Cyber Security: Corporate insights for companies and their directors”.
Stark, T.; Pittman, F.P.; Diamond, C. J.; Gez, M. (2021) “Time to Revisit Risk Factors in Periodic Reports” White & Case.  
Summer, P.; Day, J.; Mahoney, M. (2020) “Cybersecurity: An Evolving Governance Challenge” Harvard Law School.  
The Corporate Governance Institute (2020) @CorpGovInst. “Cyber risk massively important at boardroom level”
The World Economic Forum. (2021). “Principles for Board Governance of Cyber Risk”
UK Government. (2018) FTSE 350 Cyber Governance Health Check Report 2018  
UK Government (2022) Official Statistics: Cyber Security Breaches Survey 2022
Ursillo, S. and Arnold, C. (2023) “Cybersecurity Is Critical for all Organizations – Large and Small” International Federation of Accountants.

Images

Featured Image: Photo by Arif Riyanto on Unsplash
Featured CTA blog post: Photo by Jurica Koletić on Unsplash / Photo by Christina @ wocintechchat.com on Unsplash