BOARD-LEVEL CYBER SECURITY AND IT RISKS IN THE ASIA-PACIFIC MARKET
RC: To what extent do you see boards undertaking key oversight activities related to cyber risks, such as reviewing IT budgets, assessing security programs and implementing top-level policies? Are board members sufficiently aware of their role in improving cyber security?
Osgood: Many board members are currently in the process of getting to grips with their unique exposures and are engaging with key stakeholders to assist them, but whilst awareness of cyber risk appears to be growing, there is a feeling that board-level ownership of this issue is lagging, with many continuing to rely upon their IT department to address these issues. A research paper by Marsh found that 57 percent of the board members surveyed stated that the overall responsibility for the assessment and management of cyber risk lies with their IT department. High-profile data breaches involving Sony, Adobe and Target show the potential for board members to be held accountable for IT security breaches; this being the case, boards need to take a more active role in ensuring cyber security.
Christie: Directors and boards of companies in the US, where the issue is significantly more advanced than in the Asia-Pacific region, are only now beginning to become aware of their role in improving cyber security and, unfortunately, we in the Asia-Pacific region are significantly behind them. It is, of course, essential that boards and individual directors undertake key oversight activities related to cyber risk management. It is impossible for any company to adequately plan for and, to the extent it can, protect against cyber risk unless it is done enterprise-wide and top down, that is, from the board down. For listed companies, it is clear from the growing shareholder and class actions against directors for failure to adequately plan for cyber risks, and from the proven impact on share price that a major cyber event has, that this is a board-level issue. In addition, in countries in the region, such as Australia, it is becoming clearer that cyber risk is another risk that must be dealt with at board level, and that failure to consider and oversee implementation of plans with respect to cyber risk management will likely be a breach of one’s duties as a director. Also, on a more pragmatic level, numerous studies have shown over the years that in order for any policy to be adopted enterprise-wide, there must be buy-in and support from the board.
Oct-Dec 2014 Issue
DLA Piper Australia