Over the last few years, there has been an increase in incidents of cybersecurity breaches with the increase in economic activities.
By Anand Venkatraman
The Kotak Committee Report on Corporate Governance requires organisations to enhance the scope and periodicity of their core board committees to specifically internalise the process of identifying cyber risks.
Additionally, it now requires the top 500 companies to look into this as a mandate, and calls for an emphasis on cybersecurity concerns as part of the risk management committee review. In its recent circular addressing the banks, the Reserve Bank of India (RBI) has mandated awareness training programmes for the top management and board of directors to familiarise them with relevant cybersecurity concepts.
regulators to ensure the management of cyber risks across business ecosystem, and underline the importance of cybersecurity in the board room discussions.
Over the last few years, there has been an increase in incidents of cybersecurity breaches with the increase in economic activities. The tangible impacts of a cybersecurity incident include both financial and reputational damage, such as stolen funds and data, damaged systems, regulatory fines and legal fees, and the loss of competitive edge, business partners and customer trust.
Given that the stakes are high, strengthening cybersecurity capabilities has become the topmost priority for many organisations and their stakeholders today.
Though everyone plays an important role in retaining the status of cybersecurity in the organisations, the members of the board have a critical role to play from a governance perspective.
The underlying question here is – What are the roles and responsibilities of the board members in ensuring effective management of cyber risks?
While the internal audit teams and the statutory auditors work towards incorporating cybersecurity as one of the key reporting areas, the board and the top management should be more proactive in identifying and managing the risks associated with cybersecurity.
The starting point for this is to incorporate cybersecurity as a key element of the enterprise risk management framework.
To manage the cybersecurity risks, organisations (board and management) should ask themselves the following key questions:
- Ownership: Is there a proper ownership for Cyber Security risks within the organisation?
- Right Talent: Have we built the right skills, experience and talent, accountable for Cyber Security within the organisation?
- Resources: Are we making the right investments in Cyber Security technologies and how are we measuring the effectiveness?
- Organisational Culture: Do we have a cyber-focused mindset and cyber-conscious culture across the organisation?
- Third Party Risks: What have we done to protect the organisation against third-party cyber risks?
- Measurements: How efficient and effective is our cyber risk program?
- Strategic: Is our cyber risk program aligned with the business, agile and future-ready?
There are multiple frameworks and standards available today that might help boards and management answer some of these questions.
However, it is the responsibility of the board to ensure such a framework or standard is adopted and implemented within the organisation. Boards should also look to identify the crown jewels of the organisation that are critical to the business and ensure those crown jewels are protected appropriately against cyber threats.
Amidst the fourth industrial revolution, technology breakthroughs in fields such as artificial intelligence, robotics, quantum computing, additive manufacturing etc. are leading to the integration of the physical, digital and biological realms.
This new integrated ecosystem is not only enriching human life but also increasing the cyber security risks. Organisations must upgrade their abilities to manage cybersecurity risks to ensure their transformation in this fourth industrial revolution is sustainable in the long-term.
Thus, it is imperative that the board and top management of organisations evaluate cyber risks strategically to ensure long-term sustainability.
(The author is Partner, Deloitte India)