The Canadian government has announced that starting November 1st, 2018, Canadian businesses will have to report data breaches to affected individuals and to the Office of the Privacy Commissioner of Canada. There are also new record-keeping requirements regarding data breaches that organizations must follow. Although Alberta and Quebec are not covered under PIPEDA, it is expected they will both adopt similar requirements. As a board member, you should discuss whether you are impacted by these new requirements and whether anything must be put in place to comply with them. Non-compliance could result in increased reputational and financial risk to the organization. Canadian businesses that collect data from European countries are also affected by changes to the GDPR, enforced since May 2018, which include fines for non-compliant organizations of up to 4% of revenues. Data protection is definitely a topic to discuss at your next board meeting.
This discussion paper from NACD presents blockchain as a disruptive technology that could be as transformative to business as the internet. And I know the same arguments apply to Artificial Intelligence (AI). It highlights the new risks posed by introducing blockchain (or AI) to manage some of your data as a topic of interest to the board. It also argues that boards have to discuss blockchain regularly as part of their strategy sessions, conceding that expertise on this topic is scarce and that wider adoption will not happen before 2020. Directors of companies that are the closest to being impacted by these technologies, financial services and healthcare for example, have a responsibility to start educating themselves. Do you have good reading material on blockchain and AI, adapted to directors, to suggest?
The weaponization of cyber-attacks has an impact on cybersecurity governance. Boards of directors of companies owning critical infrastructure or having worldwide subsidiaries are more at risk than ever.
Cyber-attacks became a geopolitical weapon in 2017, and this article explains in simple terms what changed in 2017 and shows that the main attacks, like WannaCry, happened on a different level. It takes us through some of the major breaches of 2017 and shows how ransomware can now be used as a weapon; for example, a possible Russian ransomware attack in Ukraine spread to companies with subsidiaries in that country.
I wrote this article based on an outstanding read from Deloitte, to highlight how rapidly changing environments lead to the need for new steps in the strategic planning process. I adopted some of the proposed elements in my reflections about the strategies of my different boards: (1) the need to develop, with management, a vision of what the market and industry will look like in 10 years; and (2) from that vision, the need to identify the emerging edges the company has that can be developed to position it better in this future reality.
Are you concerned about exponential changes and do you have other perspectives to share on the role of the board in changing environments?
While researching the trends in adoption of the NIST cybersecurity framework, I found this article that strongly supports the adoption of the NIST Framework. As a board member, I agree, because the framework bridges the gap between security experts and corporate directors. It is simple: Identify, Protect, Detect, Respond and Recover, five elements only. It allows people who are not cybersecurity specialists to participate in cybersecurity decisions, which is expected of directors in order to meet their oversight duties. Interesting to note is the fact that the average amount of time it takes an organization to find malware on its systems, for a non-bank, is about five months, a wake-up call for corporate directors. Have you discussed adopting a cybersecurity framework at the board level? Do you know if your company has one? If you want to learn more about the NIST framework, read my article: http://www.joseemorin.ca/en-articles/2017/7/3/cyber-risk-oversight-tips-for-corporate-directors-to-improve-understanding-and-involvement
This article presents an interesting compilation of the board skills matrices disclosed by 307 public American and Canadian companies. Not surprisingly, 99% of boards require financial expertise and 75% of all directors have that skill. Such a strong representation of financial skills among directors does not match the need for more board diversity. More troubling is the fact that only 36.8% of companies included the need for technology expertise in their board competencies, and that only 14.2% of directors qualified for that skill, the lowest ranking of all. The board has an essential role to play in the digital transformation of many businesses and in cybersecurity. This very low representation of technology skills on boards is a warning that change is required. Is the composition of your board what it should be? http://www.equilar.com/blogs/241-hundreds-of-companies-disclose-board-skills-matrices.html
The rapid pace of cyberattacks and the extensive media coverage they receive can create confusion for corporate directors about their role with regard to cybersecurity. This article is a good refresher on the role of the board. It proposes five key aspects of the board's role: accept the responsibility, set expectations for management, understand your cyber-risks, assess current cyber-security practices, and plan and rehearse. I would add to that, based on recent findings, discussing the adoption of a cybersecurity framework like NIST. To assist in the evaluation of current practices, I refer you to a list of questions on the state of cybersecurity that I have published: http://www.joseemorin.ca/en-tools/
Interesting to see the real-life consequences of a cyberattack. More than two months after a cyber-attack in Europe, some of FedEx's processes still have to be handled manually, and annual earnings could be 4% to 7% lower because of this incident. FedEx said it didn't have insurance in place that would cover the cyberattack. They were infected by the WannaCry ransomware, and the virus entered through tax software used in Ukraine. This demonstrates that boards of directors of smaller companies should also be concerned with cybersecurity, since their infrastructures can be used to penetrate a large partner.
I was trying to identify a few sources of relevant information to keep up to date with the rapid pace of evolution of cyber-risks, and found this list of experts. Most of the people proposed take a technical approach to cyber-risks as opposed to a governance approach. But if you take the time to read some of what they publish, you can identify a few that are a source of information adapted to your needs and that can help you stay current on cyber-threats and on what is being discussed across industries. This is important to support your oversight responsibilities. Do you have other sources to propose, maybe some Canadian ones?
As I was researching information on board expertise levels for cyber-security, I found this report dating from 2016, but still so relevant. It shows that 40% of all directors surveyed admit they did not feel responsible for the repercussions of a cyberattack, reflecting a lack of cyber-risk understanding by directors. Moreover, independent directors' cybersecurity literacy lagged that of other groups of executives, which is not reassuring. Boards in general, and independent directors in particular, have work to do to meet their cyber-security oversight mandate. How do you feel about the cyber-literacy of your board?
Published June 2nd 2017 - Even with the increasing exposure cyberthreats are receiving in the media, most boards of directors are not ready to deal with cyber-risks. This HBR article highlights survey results showing that only 38% of directors have a high level of concern with cyber-risks, yet the average cost of a data breach is $4 million. Two reasons discussed for this disconnect are the lack of effective processes for cyber-risk oversight and the lack of expertise. Do you agree?
I just attended a Cybersecurity talk and wanted to share a few interesting insights for corporate directors.
Beware of the four basic types of people performing cyber-attacks, as each has different motivations influencing their mode of operation: the criminal looking for money, the spy looking for secrets, the hacktivist looking to make a statement and the internal actor looking to disrupt.
One way to check if your accounts have been exposed in a major hack is to regularly visit the website www.haveibeenpwned.com and enter your email address.
According to CSO Online, the threats to watch in 2017 are ransomware targeting more devices, including mobile; manipulation of IoT devices to wreak havoc; malware-laden mobile phones; and politically motivated hacking, which is on the rise and will now target a wide variety of businesses.
Thank you @BobZukis for sharing this interesting article that leverages interest in Trump's tweets to remind boards of the increased security risks if social media is not managed properly. Boards should make certain companies have and follow a social media process policy that includes quality control. A few relevant pieces of advice: ensure all mission-critical directives to employees or third parties are properly authenticated; make certain high-visibility executives are engaging in cybersecurity conversations with family members; avoid file transfers via external devices such as USB drives given to you by third parties, at conferences for example. But most importantly, verify that when using social media, your executives, including board members, are putting the company's reputation first. Also, verify that they are adhering to policies and procedures, have had situational awareness training, and remember it when opening emails or clicking on links while abroad.