Corporate directors would like to devote more time to IT strategy and cyber-security risk management, but many say they still are not receiving an adequate level of information from management in these areas to provide effective oversight.

As cyber-attacks on corporate networks, such as the recent attacks on Home Depot, eBay, and JPMorgan Chase, become more prevalent and more damaging, boards have become increasingly interested in obtaining a better understanding of their companies’ IT risks, including cyber-security. “I would describe it as a top priority,” says Don Keller, a partner in PwC’s Center for Board Governance.

A recent board governance survey of nearly 863 directors conducted by PwC signals how much emphasis directors are putting on IT strategy and IT risk. According to the report, 65 percent of respondents said they want at least some increased focus on cyber-security, and 47 percent want to devote more time and attention to IT strategy.

A separate board governance survey conducted by the Institute of Internal Auditors Research Foundation (IIARF) reached similar conclusions. According to the report, 68 percent of the nearly 2,000 directors surveyed characterized the board’s perception of cyber-security risk as high or increased. “It is imperative that the board not relegate the cyber-security topic to the IT department,” Sajay Rai, founder of IT consulting firm Securely Yours and author of the report, said. “Directors need to take an active role in the organization’s cyber-security, or face the possibility of potential shareholder lawsuits.”

Even as directors are paying more attention to data security risk, they are less confident in their level of knowledge to adequately oversee those risks. Nearly half of directors surveyed by PwC stated that they only “moderately” believe that the company’s strategy and IT risk mitigation is supported by a sufficient understanding of IT at the board level, while another 27 percent said it needs improvement. Only 21 percent “agree strongly” that the board has a sufficient understanding of IT risks.

In a similar vein, the IIARF survey revealed that few boards are involved in cyber-security preparedness, with only 14 percent saying they are “actively involved.” More than one-third (36 percent) said they have minimal involvement.

Action Steps

Both surveys indicate that boards would like to be more strategically involved in cyber-security matters, but are still unsure how to do so. To gain more clarity around IT risk, directors should ask themselves the following questions:

Do the company’s business and technology decisions align with the company’s risk profile and technology capabilities?

How much budget is allocated for cyber-security practices?

Are discussions about cyber-risk management given adequate time and attention on the board meeting agenda?

Is the company doing continuous scenario planning and testing to assess its level of resistance in the event of a breach? What were the results?

What is the company’s most sensitive and critical data that, if compromised, could lead to significant disruptions?

Does the company have cyber-insurance coverage, and is it enough to cover the risks?

What is the company’s response protocol in the event of a breach?

The good news is that the PwC survey results showed a year-over-year increase in directors’ satisfaction with their company’s IT strategy and IT risk mitigation approach. In the PwC study, 45 percent of directors now believe their company’s IT strategy and risk mitigation approach very much contributes to, and aligns with, setting the company’s overall strategy, compared to just 37 percent in the previous year’s study.

Emerging Technologies

The ways in which directors think about IT risk have also undergone a dramatic transformation over the last two years. While directors historically have indicated high levels of engagement with traditional IT areas—such as overseeing the annual IT budget, or the status of major IT implementation projects—they are now also increasingly focused on emerging technologies, such as social media and employee use of mobile technologies, Keller says.

According to the PwC report, 41 percent of directors said they are now at least moderately engaged in overseeing the company’s monitoring of social media for adverse publicity—compared to 31 percent in 2012. Similarly, almost half of directors are now at least somewhat engaged in overseeing employee use of mobile technologies—double that of two years ago.

IT STRATEGY & RISK MITIGATION

Based on results of its recent survey, PwC examines how satisfied corporate directors are with company IT strategy.
There was a noteworthy year-over-year increase in directors’ satisfaction with their company’s IT strategy and IT risk mitigation approach. More directors now believe their company’s approach very much contributes to, and is aligned with, setting overall company strategy as well as providing the board with adequate information for effective oversight. A greater percentage also believe that their company’s approach is supported by a sufficient understanding of IT at the board level. However, there was a decline in the percentage of directors who believe their company’s approach “very much” or “moderately” anticipates competitive advantages from emerging information technologies. This may be due to increased awareness of the potential opportunities afforded by using big data and cloud computing as tools. Directors with longer tenure are more likely to believe the company’s IT strategy and IT risk mitigation approach contributes to and is aligned with overall company strategy.
See chart at bottom of this article.
Source: PwC.

As further indication that boards are thinking more about IT risks, boards increasingly are engaging with outside consultants to help with IT strategy as it applies to both opportunities and risk, Keller says. According to the PwC report, 38 percent of directors said their boards now use external IT consultants, compared to 26 percent in 2012.

Directors acknowledge, however, that Big Data and cloud technologies are two areas that may demand more board attention moving forward. Over a quarter of respondents said they are not sufficiently engaged, and 53 percent said their company’s IT strategy and IT risk mitigation approach “at least moderately” takes sufficient advantage of Big Data.

Many boards tend to be heavily focused on cyber-security risk right now and are not fully utilizing other aspects of IT—such as Big Data—from a strategy perspective, Keller says. “Companies that have the potential to leverage Big Data are those that have visibility into consumer-buying patterns,” he says.

For a retailer, for example, the ability to target product offerings based on consumer buying patterns is an inherent part of strategy that can drive pricing, advertising, and marketing opportunities, Keller says. Thus, the types of questions boards should be asking are, “Do we have structured data that we could be looking at? What is it telling us? Is there a way to leverage that data to drive revenue?”

Room for Improvement

Both the PwC survey and the IIARF survey indicate room for improvement. Fifty-two percent of respondents to the PwC survey, for example, reported that they have not discussed their company’s crisis response plan in the event of a security breach, and 67 percent have not discussed the company’s cyber-security insurance coverage, leaving companies vulnerable to new or additional risks.

“When it comes to a cyber-security breach today, it’s not a question of if; it’s when,” Keller says. When a breach does occur, it’s imperative that a company have a strategy in place for how to assess the potential damage, and for which local and federal authorities need to be made aware of the breach, he says.

Companies will also need to determine which external consultants to involve in deciding how soon to disclose the breach, and what level of detail to disclose. “When you do have a breach, it can be very difficult to get your arms around how much damage has been done,” Keller says. “Prudent boards are cautious in terms of making sure that they’re sending the right message in the event that they have to disclose something to the outside world.”

If companies have learned anything from the relentless number of cyber-attacks that have occurred across industries over the last few months, it’s that cyber-security threats will only continue to become more prevalent. For boards today, IT risk can no longer be considered just a technology issue, but rather one that needs to be continuously monitored as part of a company’s overall risk mitigation strategy.