Board Risks: 10 steps to Cybersecurity

A very efficient and straightforward tool for corporate directors who want to evaluate the cyber-risk level of their organisation. How many of these 10 steps do you achieve, and do you discuss performance indicators at the board level? #cybersecurity #board #risks

Participating in two governance events in Toronto on November 14th 2018

I will be a facilitator at the Women General Counsel event on November 14th 2018 in Toronto: Workshop for Creating your Personal Board-ready Plan. Come think about your board career and meet me there.

I will attend the Women Get on Board event: “Disruption and Transformation – The Board’s Role in Overseeing Opportunities and #Risks” on November 14th 2018 in Toronto. Come learn more about how #boards need to evolve in changing environments, network with other board members and meet me.

Why does the new legal obligation to disclose data breaches in Canada matter to your board?

The Canadian government has announced that starting November 1st 2018, Canadian businesses will have to report data breaches to affected individuals and to the Office of the Privacy Commissioner of Canada. There are also new record-keeping requirements regarding data breaches that organizations must follow. Although Alberta and Quebec are not covered under PIPEDA, it is expected that both will adopt similar requirements. As a board member, you should discuss whether you are impacted by these new requirements and whether anything must be put in place to comply with them. Non-compliance could increase the reputational and financial risks to the organisation. Canadian businesses that collect data from European countries are also affected by the GDPR, enforced since May 2018, which includes fines for non-compliant organisations of up to 4% of revenues. Data protection is definitely a topic to discuss at your next board meeting.

Do blockchain and AI belong in the boardroom today?

This discussion paper from NACD presents blockchain as a disruptive technology that could be as transformative to business as the internet. And I know the same arguments apply to Artificial Intelligence (AI). It highlights the new risks posed by introducing blockchain (or AI) to manage some of your data as a topic of interest to the board. It also argues that boards have to discuss blockchain regularly as part of their strategy sessions, conceding that expertise on this topic is scarce and that wider adoption will not happen before 2020. Directors of companies that are the closest to being impacted by these technologies, financial services and healthcare for example, have a responsibility to start educating themselves. Do you have good reading material on blockchain and AI, adapted to directors, to suggest?

How cyber-attacks became a weapon in 2017 and what is at stake for boards in 2018

The weaponization of cyber-attacks has an impact on cybersecurity governance. Boards of directors of companies owning critical infrastructure or having world-wide subsidiaries are more at risk than ever.

Cyber-attacks became a geopolitical weapon in 2017, and this article explains in simple terms what changed in 2017 and shows that major attacks like WannaCry happened on a different level. It takes us through some of the major breaches of 2017 and shows how ransomware can now be used as a weapon: for example, a possible Russian ransomware attack in Ukraine spread to companies with subsidiaries in that country.

Adapting the role of the board in an age of exponential change

I wrote this article based on an outstanding read from Deloitte, to highlight how rapidly changing environments lead to the need for new steps in the strategic planning process. I adopted some of the proposed elements in my reflections about the strategies of my different boards: (1) the need to develop, with management, a vision of what the market and industry will look like in 10 years; and (2) from that vision, identify the emerging edges that the company has that can be developed to position it better in this future reality.

Are you concerned about exponential changes and do you have other perspectives to share on the role of the board in changing environments?

NIST, a framework to support the board in cybersecurity oversight

While researching the trends in adoption of the NIST cybersecurity framework, I found this article that strongly supports the adoption of the NIST Framework. As a board member, I agree, because the framework bridges the gap between security experts and corporate directors. It is simple: Identify, Protect, Detect, Respond and Recover, five elements only. It allows people who are not cybersecurity specialists to participate in cybersecurity decisions, which is expected of directors in order to meet their oversight duties. Interesting to note is the fact that the average amount of time it takes a non-bank organization to find malware on its systems is about five months, a wake-up call for corporate directors. Have you discussed adopting a cybersecurity framework at the board level? Do you know if your company has one? If you want to learn more about the NIST framework, read my article.

Only 14.2% of directors from 307 public companies have technology skills

This article presents an interesting compilation of the board skills matrices disclosed by 307 public American and Canadian companies. Not surprisingly, 99% of boards require financial expertise and 75% of all directors have that skill. Such strong representation of financial skills among directors does not match the need for more board diversity. More troubling is the fact that only 36.8% of companies included the need for technology expertise in their board competencies, and that only 14.2% of directors qualified for that skill, the lowest of all rankings. The board has an essential role to play in the digital transformation of many businesses and in cybersecurity. This very low representation of technology skills on the board is a warning that change is required. Is the composition of your board what it should be?

A good refresher: Cybersecurity, the role of the board

The rapid pace of cyberattacks and the extensive media coverage they receive can create confusion for corporate directors about their role with regard to cybersecurity. This article is a good refresher on the role of the board. It proposes 5 key aspects of the board's role: accept the responsibility, set expectations for management, understand your cyber-risks, assess current cyber-security practices, and plan and rehearse. I would add to that, based on recent findings, discuss the adoption of a cybersecurity framework like NIST. To assist in the evaluation of current practices, I refer you to a list of questions on the state of cybersecurity I have published.

Why boards of directors have to be concerned with cyberattacks: FedEx still reels from June attack

Interesting to see the real-life consequences of a cyberattack. More than two months after a cyber-attack in Europe, some of FedEx's processes still have to be handled manually, and annual earnings could be 4% to 7% lower because of this incident. FedEx said it didn't have insurance in place that would cover the cyberattack. They were infected by the WannaCry ransomware, and the virus entered through tax software used in Ukraine. This demonstrates that boards of directors of smaller companies should also be concerned with cybersecurity, since their infrastructures can be used to penetrate a large partner.

Which experts can corporate directors follow to stay current on cyber-risks?

I was trying to identify a few sources of relevant information to keep up to date with the rapid pace of evolution of cyber-risks, and found this list of experts. Most of the people proposed take a technical approach to cyber-risks as opposed to a governance approach. But if you take the time to read some of what they publish, you can identify a few that are a source of information adapted to your needs and that can help you stay current on cyber-threats and what is being discussed across industries. This is important to support your oversight responsibilities. Do you have other sources to propose, maybe some Canadian ones?

Lack of cyber-literacy at the board level?

As I was researching information on board expertise levels for cyber-security, I found this report dating from 2016, but still so relevant. It shows that 40% of all directors surveyed admitted they did not feel responsible for the repercussions of a cyberattack, reflecting a lack of understanding of cyber-risks by directors. Moreover, the cybersecurity literacy of independent directors lagged that of other groups of executives, which is not reassuring. Boards in general, and independent directors in particular, have work to do to meet their cyber-security oversight mandate. How do you feel about the cyber-literacy of your board?