Cybersecurity: A Technical Issue or Crucial Responsibility for Corporate Boards?
The increasing frequency and sophistication of cyber threats demand that board members are not only aware but actively involved in managing these risks.
In today's digital landscape, cybersecurity has become a critical concern for corporate boards. So says the new law. However, the way a company tackles security issues will also affect its growth.
In our recent session at the d. executive board summit, Åsa Schwarz and Camilla Lundahl shared their expertise on how boards can effectively handle growing cyber threats and navigate the latest developments in cybersecurity. Read our learnings from the event in this blog post.
Meet the Experts
Does Cybersecurity Influence Growth?
Cyber risks have become a top concern for companies. According to recent surveys, 49% of CEOs view cyber risks as the most significant threat to their organization's growth. This means that executive boards need cybersecurity competencies. An analysis of 40,000 companies in the USA showed that having more than three board members with digital competence significantly improves profitability and return on assets. However, even having more than one knowledgeable member can make a difference in cybersecurity and, as a result, in business growth.
What New Legislation Do Board Members Need to Know?
The NIS2 Directive entered into force on 16 January 2023, and the Member States have until 17 October 2024 to adjust their national laws. The EU's Network and Information Security Directive 2 mandates that boards of directors undergo training to manage and analyse cybersecurity risks, and analyse the impact of their governance on the cybersecurity of the services delivered.
Furthermore, the directive includes more stringent sanctions and personal accountability for board members. The board shall:
Approve the security measures chosen by the organisation
Monitor the implementation of the security measures
Be accountable in case of non-compliance with security measures adopted
The DORA Regulation entered into force on 16 January 2023 and will apply as of 17 January 2025. The EU's Digital Operational Resilience Act, applicable without modifications in Sweden, emphasizes maintaining operational continuity in the financial sector during cyberattacks, with detailed responsibilities for the board.
How to Deal with Operational Risk Management:
Boards should regularly review their organisation's cybersecurity posture, ask if the company adheres to standards like ISO 31000 or ISO 27001, and ensure that the cybersecurity team has adequate resources and support.
The ISO 31000 standard provides guidelines for risk management, including assessing the threat landscape, vulnerabilities, and the likelihood of various cyber threats such as phishing, ransomware, and insider attacks.
The ISO 27001 standard outlines the requirements for creating, implementing, maintaining, and continuously enhancing an information security management system.
Cybersecurity Challenges for Board Members
Competence Shortage: There is a significant need for skilled cybersecurity professionals. Boards must prioritize securing talent and providing continuous education and support for cybersecurity teams.
Third-Party Risks: Managing cybersecurity risks across the entire supply chain and ensuring third-party vendors comply with security standards is crucial.
Integration into Business Processes: Cybersecurity should be integrated into all aspects of business operations, from due diligence in acquisitions to daily operational practices.
New Legislation: Board members must update their knowledge on the most recent laws and regulations on national and international levels.
Reporting: Cybersecurity issues need to be included in the board's annual cycle.
3 Practical Steps for Enhancing Cybersecurity
Considering all the issues and challenges mentioned above, what steps do Åsa Schwarz and Camilla Lundahl suggest that board members should take?
Structured Approach: Boards must ensure that their organizations adopt a systematic and structured approach to cybersecurity. This includes regular risk assessments, implementing robust security measures, and continuous monitoring and improvement.
Team Collaboration: Effective cybersecurity requires collaboration across the organization. Board members should work closely with cybersecurity teams and support a culture of security awareness and proactive risk management.
Investment in Data and AI: Leveraging data and AI technologies can significantly enhance cybersecurity capabilities. Investing in these areas can help organizations predict, detect, and respond to cyber threats more effectively.
Cybersecurity - a Task for Executive Boards?
Cybersecurity is no longer a technical issue confined to IT departments, but a strategic concern that requires active involvement from corporate boards. By understanding their responsibilities, staying informed about regulatory requirements, and fostering a culture of security, board members can play a crucial role in safeguarding their organizations against cyber threats.
The insights shared by Åsa Schwarz and Camilla Lundahl highlight the importance of a proactive and informed approach to cybersecurity. Boards must embrace their role in this critical area to ensure the long-term resilience and success of their organizations.
Thank you Åsa & Camilla for sharing your expertise and developing Swedish board work together with us.