The Institute of Chartered Secretaries and Administrators (ICSA), in association with the UK Dept of Business Innovation and Skills (BIS), has published a Guidance Note on cyber risk for boards.

The Guidance Note highlights the dangers to business of cybercrime and aims to place the issue at the top of the boardroom agenda.

The Guidance Note encourages boards to focus on the following points:

  • Understanding their company's cyber risk;

  • Making an active decision as to the balance between the risk the organisation is prepared to take and the costs to be incurred in targeted spending to protect the organisation from cyber-attack;

  • Planning for resilience – rather than trying to prevent all cyber-attacks; and

  • Being clear about who is responsible for owning the risk, allowing for the dynamic and sometimes targeted nature of a cyber-threat. Boards may consider giving one director specific responsibility for oversight of cyber risk.

The Guidance sets out clear steps on how to assess the risk, including ensuring that the risks identified are communicated to and understood by all areas of the organisation that could be affected by them, and that the board's priorities for mitigating cyber risks are communicated to all business areas.

The Guidance Note highlights the fact that this cannot simply be regarded as an IT issue and it sets out actions for the board and the audit committee, including focussing on the consequences of a cyber-attack when reviewing the risk assessment. The Guidance Note recommends that boards challenge management to consider the following issues:

  • Protection of key information assets – this includes consideration of the fact that the board's directors could be key targets, and of the impact on the company's reputation, share price or survival if sensitive information were lost or stolen;

  • Exploring who might compromise the company's information – this could include receiving regular updates from the Chief Risk Officer on who might be targeting the company, their methods and motivation;

  • Pro-active management of the cyber risk – this includes identifying key information, assessing its vulnerability to attack, having a written security policy in place and regular staff training etc; and

  • Understanding the consequences of failure on the company's financial stability, the company's brand and reputation, the company's future strategy and the potential for corporate failure.