Corporate board members can't afford to ignore the dangers of cyber-attacks, with an infected file capable of quickly stripping a company of valuable information.
It's not a matter of just slowing down operations; data theft could jeopardise pending mergers and acquisitions or create a public relations nightmare.
With money and reputation at stake, board members need to make cyber-security a company-wide priority if it isn't already, said Kim Chatani, CPA, CGMA, a California-based Khronicle Partners Inc. advisory partner with two decades of experience in audit consulting and information technology.
"The board must own it, and they must set the tone," said Chatani, who also serves on the board of two companies, including a bank.
It's important to know about the risks to help properly steer the company in the right direction, he said.
"Don't be afraid and shy away from learning about cyber-risks," Chatani said. "The board is ultimately responsible at the end of the day."
What's at stake
Awareness of lurking hackers and other online dangers has increased tremendously in recent years, said Robyn Bew, director of strategic content development for the National Association of Corporate Directors (NACD), a US not-for-profit focused on boardroom issues.
In 2014, less than 40% of corporate directors reported that cyber-security risks were routinely covered in board meetings, according to the NACD's Director's Handbook on Cyber-Risk Oversight. That number jumped to 90% last year, Bew said.
"Cyber-security has really become part of the board's regular agenda," she said.
The jump in awareness is in no small part because of news coverage of major events, from customers' data at companies such as US retailer Target being compromised to major geopolitical events such as the fallout from the WikiLeaks data trove. A teenage hacker exposed security weaknesses in 2015 at the UK's TalkTalk internet service company, a cyber-attack that cost the company more than 100,000 customers and £60 million ($73 million), according to The Guardian.
A breach can begin by an employee inadvertently downloading an infected file, or through a more targeted infiltration by capable hackers who can bypass basic security measures.
Cyber-security experts have seen an uptick in extortion-related events, Bew said, with hackers demanding money after stealing data from a company.
No businesses or industries are considered safe from attack.
"Cyber-security is a massive issue for all corporate entities, regardless of size," said Nigel Davies, FCMA, CGMA, a Wales-based accountant who also serves on the board of a financial services company. "Attackers have little feelings from where they find their ill-gotten gains, they simply target the most vulnerable."
Nearly half of all cyber-breaches stem from criminal or malicious attacks, with an average cost to victims of $4 million, according to an IBM study on data breaches.
No alarm bells generally sound when online thefts occur; an average of 146 days can pass before officials realise information was compromised, according to the NACD.
There are also considerable risks when third parties, such as law firms or consultants, hold sensitive information, as was the case when more than 11 million documents, known as the "Panama Papers", were leaked to journalists after hackers stole the data from a Panamanian law firm specialising in off-shore business dealings.
Known events are only the tip of the iceberg when it comes to cyber-security, Bew said. Even more concerning are situations in which companies have been breached but don't know it until they suddenly lose bids, or overseas competitors release products with striking similarities.
It can be impossible to determine what the losses are in those cases. "There's all this stuff that's under the water that we don't see," Bew said. "How do you calculate the value of lost intellectual property?"
With the widespread prevalence of cyber-theft in all types of industries, it's extremely unlikely that a sizable company would have no ongoing issues.
"A red flag for directors would be if management is reporting that the company is not experiencing any cyber incidents," Bew said. "No company is perfect at this."
Confidence not widespread
While awareness of cyber-security issues is up, not all board members are confident in their abilities to address them. The NACD survey found that nearly 60% reported that they were challenged when it comes to overseeing cyber-security issues.
Board members of smaller companies have a steep learning curve as well, according to a PwC survey. While 63% of directors at large companies report being very comfortable in their company's resistance to cyber-attacks, less than a third of directors at smaller companies had that same level of assurance.
Not making cyber-security a priority puts a company at unnecessary risk, said Anurag Chaturvedi, a senior director at the consulting firm Crowe Horwath International in the United Arab Emirates.
It's important that boards lead the discussions on cyber-security to look at the overall health of the company and determine how much an attack could disrupt operations, he said.
"Boards need to understand risk exposure and their risk appetite while developing their cyber-security priorities and strategies," said Chaturvedi, who specialises in information technology risk assessment.
He estimates that large companies in the UAE will spend 40% to 55% more this year compared with the previous year on cyber-security, a necessary uptick to meet rising threat levels.
What to do
Finance professionals, including those who head audit committees, can play key roles by pushing management to adopt policies that minimise the dangers of cyber-intrusion where possible, said Davies, the Wales-based accounting expert.
"These skills enable them to research, translate the sometimes complex IT issues, and balance the risks with the costs," Davies said.
He also recommended seeking cyber-security insurance. The process involves going through a detailed risk assessment and will help board members as well as company executives assess areas of weaknesses and adopt best practices.
Companies should not wait until an attack occurs to formulate a response plan, said Chaturvedi.
He suggested companies go through an inventory where they assess the cyber-security risks of IT systems, data stores, vendors, and suppliers. Then, at the board's urging, policies can be deployed to detect ongoing and future attacks.
"Attackers are constantly innovating, testing, and refining their tactics," he said. "This is a battle where inattention and complacency can have devastating consequences for an organisation."
While many board members may not have the technical knowledge to completely immerse themselves in cyber issues, Chatani said those with keen business skills don't need to. Rather, board members can concentrate on protecting the most valuable data, or "crown jewels" of the company, and authorise company officials to take steps to protect those data.
He also suggested developing sources on cyber-security outside the company that can offer insight into trends that in-house technology experts may not know about. It's important, however, to not depend on a consultant to do all of the work, he said.
"You can outsource the work," he said. "But you can't outsource the responsibility."
Sarah Ovaska-Few is a US-based freelance writer.
How to boost cyber-security
Evaluate board composition. If the board lacks tech expertise, consider bringing someone with that background on board.
Kim Chatani, CPA, CGMA, a Khronicle Partners Inc. advisory partner who serves on the boards of two companies, said the future board member needs to have the ability to look at how cyber issues affect business. "It doesn't mean the board should look to add members with a pure technical background," Chatani said. "These board members also have to have a business mind and see how the technology interacts with the business side."
If the board doesn't have the technical expertise to effectively govern cyber-security, it can bring in a third-party subject-matter expert to consult on the issue.
Find your crown jewels. The first thing board members need to find out is what and where the most valuable information in the company is, and what would happen if it were compromised.
The most valuable data set, or "crown jewels", will be different from company to company, and it's important to look at all levels of a business to figure out what vulnerabilities exist, said Robyn Bew, the director of strategic content development for the National Association of Corporate Directors in the US.
Also come up with a plan of what to do if the data are compromised, and how clients, authorities, and other stakeholders will be notified. Because no one is immune to cyber-attacks, everyone should have board-approved plans and policies for how to react and minimise the damage if they do get breached.
Get regular updates. The board needs to get regular updates from management on contextual indicators related to cyber-security. For example, board members can be updated on how many threats to the network were detected in a given month; whether any breaches occurred; the cost of those breaches; and how management has responded to threats and managed and maintained its networks.
"They don't necessarily need to be totally in the weeds," said Steven Ursillo Jr., CPA/CITP, CGMA, a partner and director of technology and assurance services for the US-based accounting and technology consulting firm Sparrow, Johnson & Ursillo. "But they need to know enough to be able to steer the ship in the right direction so they don't head for disaster."
Discourage risky cyber practices. Breaches can occur when employees are allowed to use their own technology and plug into company networks without scanning for viruses, said Anurag Chaturvedi, a senior director at Crowe Horwath International in the United Arab Emirates. Push for policies that also prevent staff from using unsecure Wi-Fi networks at places like coffee shops.
Employees who travel frequently, especially in nations known to be hot-beds of cyber-crime activity, need to maintain protections on their devices and avoid using unsecure Wi-Fi networks, Bew said.
Finally, require strong passwords. Do not tolerate the use of "password" or "12345" as the gateway to privileged information.
Make cyber-security a top priority. Companies should align their cyber-security policies with governance, overall risk management, and the company's business planning, Chatani said. Also consider looking at cyber-risk insurance as a part of the overall strategy.
"The effectiveness of cyber-security would be enhanced greatly by doing so," he said.
Cyber-security risk management reporting framework
The AICPA has developed a reporting framework intended to help organisations take a proactive approach to cyber-security risk management and to communicate the effectiveness of the cyber controls they have in place. Additional cyber-security resources are available at aicpa.org/cybersecurityriskmanagement.