Does cybersecurity only become a priority once you’ve been attacked?
Cyberattacks are one of the biggest risks that private businesses face in the digital age. The EY 2019 CEO Imperative Survey found that CEOs from the world’s largest companies ranked national and corporate cybersecurity as the top challenge to the global economy and business growth. Stakeholders are increasingly demanding that private companies prepare for, and actively oversee, their critical risk management efforts.
As part of the 2019 EY Center for Board Matters investor outreach, we asked investors about the top risk issues they see in their engagements with companies. Regardless of sector, 61% of respondents said cybersecurity was their top concern. Some of the main themes we heard from those conversations were around how management is addressing cyber risk, how management stays up to speed on cyber issues and who in management is responsible for reporting cyber to the board.
How management is addressing cyber risk
Many private companies underinvest in basic cybersecurity precautions. Your private company should start with an assessment of its own cyber risk profile and environment; without that baseline, a cybersecurity framework cannot be implemented effectively. Ensure that management asks about cybersecurity impacts whenever it contemplates a new product, initiative, partnership or business deal, and that it makes sure cyber resiliency is embedded into the foundation of your company’s practices and processes rather than bolted on afterwards.
One of the biggest sources of cyber risk is your own employees. Management should mitigate this threat on two fronts: security awareness training, so that fewer people click on suspicious URLs or open malicious attachments in the first place, and stronger identity and access management (multi-factor authentication, least-privilege access), so that a single compromised account or clicked link does as little damage as possible. The growing number of devices per user and the work-from-home environment make the corporate network increasingly difficult to secure. Management can address this by implementing measures to track and manage corporate data across those devices, wherever they are used.
How management stays up to speed on cyber issues
There is increasing pressure on leadership to better understand cybersecurity, and leaders often face scrutiny and personal liability in relation to cyber risk and data privacy. Management should stay current on cyber risk by including cybersecurity as a standing item in board and executive discussions. It may also be helpful to have an independent third party periodically evaluate the design and operating effectiveness of your private company’s cybersecurity risk management program, to challenge internal bias and blind spots.
Management can test cybersecurity preparedness by running simulations, tabletop exercises, response readiness tests and independent assessments. Simulations are a critical risk preparedness practice that EY and others believe boards should prioritize. Among other benefits, such exercises let private companies develop and rehearse action plans for data privacy incidents before a real one occurs, and they should be part of your private company’s cybersecurity incident response and recovery planning.
Who in management is reporting to the board?
How can management better bridge the communications gap so that your board can exercise proper oversight of cybersecurity? Most board members rely on feedback from their IT teams to understand what their security measures look like. However, cyber risk is better mitigated when it is approached as a company-wide risk management issue rather than a departmental one. Your private company should consider assigning a point person whose role it is to put cybersecurity on the agenda at full board meetings. Board members, in turn, should set expectations about the content and frequency of the reporting they would like to receive.
Regularly bringing cyber into boardroom conversations with all C-suite executives and division leaders helps create accountability for each leader’s role in supporting the cybersecurity environment. Your private company’s board should have a high-level understanding of the cybersecurity risks the company faces, so that it can oversee the policies and procedures management has in place to identify and manage those risks.
Cybersecurity affects all levels of a private company’s activities. Your stakeholders want to understand how your private company is planning for and responding to cybersecurity incidents – and how the board conducts oversight of these activities. This understanding is increasingly critical for building stakeholder confidence and trust as the cybersecurity risk landscape evolves and as technological innovations raise the stakes for data privacy and protections.
Does cybersecurity only become a priority once you’ve been attacked? To learn more, contact me today, or find your local business advisor at ey.com/ca/private.
CISA | CISSP | CC | MSc | Information Systems Auditor, Information Security, and Risk Management.
Very good reading of the situation, Carlos. I agree that cybersecurity should be approached as a holistic risk in organizations, according to their size.
Director Revista SISTEMAS at Asociación Colombiana de Ingenieros de Sistemas - ACIS // orcid.org/0000-0001-6883-3461 // Independent Cybersecurity Board Advisor
A complementary reflection about the human factor in information security at https://www.isaca.org/Journal/archives/2019/Volume-5/Pages/the-human-factor-in-information-security.aspx