It is essential for directors to set the tone from the top for a strong cyber risk management culture, but a recent Diligent survey indicates that, when it comes to digital security, their own practices often aren’t keeping pace.

Directors guide the success of organisations with their management, governance and strategic insights. Yet there’s a deep disconnect between their perception of cyber risk and their day-to-day behaviour. A recent Diligent survey – The Silent Cyber Risk Threat in the Boardroom – of 118 directors, governance professionals and senior executives across the Asia Pacific region reveals the common communications practices that are inadvertently putting organisations’ profits and reputations at risk. Dozens of recent high-profile cybersecurity incidents underline the reality of the risk. Many organisations are playing catch-up as the rapid pace of technological change continues but time is running out. Diligent’s survey reveals why and also pinpoints areas where improvements are needed, including training, monitoring and support, if boards are to manage their exposure effectively.

• The survey explored practices at the highest levels of organisations to give a new perspective on boardroom cybersecurity culture, including:
• whether directors’ communication norms and digital behaviour provide adequate protection
• how much training and support directors receive on cyber issues
• the extent of boards’ cyber risk awareness and oversight responsibilities, and
• what impact technology has on the information management provides to boards.

We hope that organisations will use this report to inform their own boardroom cyber risk practices and to develop stronger defences.

Key findings

Five key themes emerged from responses to the survey:

1. directors’ email use is a common weak link in cybersecurity – but it’s not the only one
2. board communications often fall outside organisational policy and oversight
3. many directors agree that board communications need to be more secure
4. more information and support are needed for boards to oversee cyber risk effectively, and
5. technology is driving more communication between directors and management.

This report presents the detailed survey findings, as well as their implications and risks, accompanied by practical suggestions for how to strengthen boards’ cyber risk culture. ‘Cyber security is becoming a key strategic priority for boards of all shapes and sizes. Understanding where you, as a director, might be breaking the chain of cybersecurity to enable potential successful cyber attacks is both a governance and legal obligation,’ says Steven Bowman, Founder and Managing Director, Conscious Governance. Directors play a fundamental role in shaping organisational culture. The values and behaviours they demonstrate in the boardroom and beyond reverberate through offices and work sites. However, the survey reveals that from how they communicate to where they keep their board information, directors are inadvertently increasing their exposure to cyber risk. The majority of respondents (81%) use their personal email accounts to communicate with fellow directors and management ‘at least occasionally’, and half of respondents (49%) ‘regularly’ use personal email accounts for board business. Personal email ranks in the top-three communications channels, behind face-to-face meetings (98%) and on par with corporate email (82%). Three-quarters (75%) of respondents download board materials onto personal devices such as PCs, laptops, tablets or smartphones. Close to half (43%) say they download that information ‘always’ or ‘most of the time’. Company servers are the most popular location to save downloaded board materials (38%), but more than a quarter of respondents use file-hosting services such as Google Drive (28%) or personal or USB drives (also 28%). Some people routinely download documents to multiple locations for their ease of review and preparation. Every single respondent uses a PC, laptop or tablet for at least some of their board preparation (some use more than one device). Print is far from finished, though, with almost half of respondents (47%) needing paper copies of board information more often than not, even when it has already been provided electronically. Fewer than one in five people (17%) never need printed information.

How organisations can strengthen their practices

Establishing strong cybersecurity policies and protocols at an organisational level raises awareness and sets consistent expectations for individual responsibilities. The challenge is that non-executive directors often fall outside those policies and protocols. At a practical level, organisations may grapple with how to apply controls to the highest echelons of their leadership. Including them in board-approved corporate policies is one way to meet this challenge. ‘Organisations should review their security policies and ensure that non-executive directors are clearly included in the scope of policies where appropriate,’ says Bowman. ‘Those policies should be provided to new directors as part of their induction programme. In line with good governance practice, those policies should be approved by the board and reviewed annually to keep pace with external changes.’ Development of board communication policies should not only involve directors and senior management, but also experts from risk management, governance and IT. It is important to take an organisation-wide approach to cybersecurity. With a fragmented approach to sanctioning and administering board communications, it is little wonder that boards are often out of step with the rest of the organisation. Steven Bowman says that strong governance processes need to involve every level of an organisation. ‘Companies with continuous disclosure obligations have deep and broad processes to manage the identification and elevation of information that may require disclosure. Effectively managing cyber risk takes a similarly embedded approach across the organisation.’

Where do we go from here?

No organisation can afford to be complacent in this climate of growing cyber threats. Directors are talking about cybersecurity, but that isn’t enough to protect them and the organisations they serve. They need to ‘walk the talk’, otherwise they risk being the weak link that exposes critical business information. Board communication practices can leave organisations vulnerable to data breaches, leaks, litigation, regulatory fines, sanctions and financial or reputational losses. Directors have an obligation to increase their understanding of the risks involved and to embrace the fact that information security must take precedence over common practices. Directors should adhere to the same IT security protocols that apply to regular employees, including undergoing regular cybersecurity training, testing and audits. Organisations can help by giving their directors practical tools and support to make it easy for them to embrace strong digital security habits. That can include using governance software that pairs increased convenience with strong security. Boards and executive teams need to work together to ensure that enough time and resources are devoted to selecting, implementing and monitoring a company-supported infrastructure that features secure and convenient ways of communicating. Chris Lawley, Vice–President Diligent APAC

SIDEBAR: About the survey

Diligent’s survey of 118 directors, governance professionals and senior executives across the Asia Pacific region reveals the common communications practices that are inadvertently putting organisations’ profits and reputations at risk. This survey follows a 2017 Diligent report undertaken in the US, in partnership with New York Stock Exchange Governance Services, that looked at the practices of more than 350 listed companies. The survey is available online at: https://diligent.com/au/resources/the-silent-cyber-risk-threat-in-the-boardroom.