How to address cybersecurity governance at Board level

March 1, 2023

Victoria Hernandez, Board Member (NED) at CaixaBank Payments & Consumer

Boards have a particularly important role in ensuring appropriate management of cyber risk as part of their fiduciary and oversight roles. But to fulfill these responsibilities, they need to fully understand the difference between cyber security and cyber resilience.

Many companies still talk about cyber security and may focus their attention on all the cyber technologies to help mitigate and avoid security risks – including firewalls and other security tools. However, they may overlook the need for an audit of the organization’s ability to recover operational control and limit downtime, reputational damage, and customer impact.

A simplified definition of the two would describe cybersecurity as a collection of technologies and actions undertaken with the goal of mitigating security risks, while cyber resilience refers to the organization’s ability to recover data, avoid service disruption, and mitigate overall damages while ensuring a successful recovery from adverse cyber events.

Cyber risks are increasing exponentially

While digital transformation has resulted in incredible gains in innovation and efficiency in the way we live, work and play, it has also brought with it a whole new type of risk to businesses and consumers alike. Covid lockdowns resulted in a dramatic surge in demand for data at home. Video conferencing platform Zoom, for example, was used in May 2020 by 200 million daily meeting participants, compared to about 10 million in December 2019. The following month this figure had risen to 300 million. The rapid evolution of our working and leisure environment has brought with it ever more sophisticated methods of data hacks, ransom demands, phishing, spoofing, and all other types of malicious intrusions into our data. The perpetrators are no longer lone teenagers in their bedrooms. In many cases, they are well organized and resourced by state actors or their proxies, which means that the hackers are protected from detection and prosecution.

New regulations on data security and privacy

Countries are now being benchmarked in terms of their approach to cyber risks, which in turn influences investor confidence and trust¹. Many governments are introducing ever more stringent data security and privacy regulations to try to deal with this new level of cyber threat.

  • The EU Cybersecurity Act strengthened the EU Agency for Cybersecurity (ENISA) and established a cybersecurity certification framework for products and services. ENISA will play a key role in setting up and maintaining the European cybersecurity certification framework and in informing the public on the certification schemes and the issued certificates through a dedicated website. Different assurance levels conferred by the certificates will be designed to inform users of the cybersecurity risk of using that particular product or service.
  • Further measures were proposed on 15 September 2022 in a new Cyber Resilience Act, with rules to protect digital products that are not covered by any previous regulation. It would be the first Internet of Things (IoT) legislation in the world. The aim is full transparency, enabling consumers to consider key security criteria when making purchasing decisions. Industry groups expressed concerns about the implications and costs of the new regime.²
  • In early 2022, the US Securities and Exchange Commission (SEC) published a new set of proposed cybersecurity disclosure rules for public companies. The proposed rules would significantly increase SEC scrutiny of public companies’ cybersecurity-related business activities, decision-making processes, and the Board’s new role in overseeing cybersecurity. According to the SEC, the new changes are intended “to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”
  • There is growing coordination between the US and EU through an ongoing Cyber Dialogue process, and both have underlined the need for enhanced transatlantic cooperation and coordination to prevent, detect and respond to malicious cyber activities. A key focus of this effort is to ensure that critical infrastructure is secure and resilient.

While it is unknown at the time of writing when these rules will come into effect, there will certainly be a much greater expectation on Boards in the future in relation to dealing with cyber security incidents.

We need a much broader definition of critical infrastructure

These new regulations focus in particular on protecting critical infrastructure from cyber-attack. Utilities, banks, other financial institutions, government agencies, and defence facilities are usually defined as critical infrastructures. But as all industries and organizations are now going online and storing their data in the cloud, we need to review our definition of critical risk areas and work out how they can be protected.

For example, healthcare systems linking hospitals, private practice, and ancillary health services are very sensitive and also very vulnerable, as they contain highly personal and identifying information. And what about chemical plants, which produce vital medicines, not just for the pandemic, but in general, to keep many people with serious health conditions alive? Loss of control of these plants, or a ransomware attack on them, could lead to many deaths.

As agriculture is transformed by agritech to make crop production and distribution much more efficient, our food supply is also opened up to cyber threats. How many agribusinesses have measures in place to protect their data and their supply chains? Do the farmers at the end of the supply chain have either the skills or the funding available to put cyber resilience measures in place? And if not, whose responsibility is it to ensure that this is done, to safeguard food supplies? How do we educate everyone to think in terms of cyber safety and resilience? These examples show that the challenge of managing cyber threats and responding to them is now a very broad, global problem.

Developing a cyber resilient organization

Resiliency is more than just protection; it’s a plan for recovery and business continuation. The ultimate goal of a cyber-resilient organization should be zero disruption.

Few Boards have the requisite experience to undertake this task effectively. Many lack experience with complex technology-related issues and so struggle to provide effective oversight of cyber risks. A board of directors must understand that cyber resilience is a dynamic discipline that requires unending monitoring and innovation. Laying the groundwork for reduced risk is essential, but so is the knowledge that risk will always be there. While boards may have cyber security at the top of their priority list, the rapidly changing threat environment means that their approach needs to be constantly reviewed and updated.

A cyber incident is not the time to have difficult conversations about why and how a breach has occurred and who is responsible. Organizations need to have clear incident response plans and PR strategies in place to ensure there is strong business continuity, and to preserve reputation and consumer trust.

Here are some actionable insights to begin today so the board meets (or exceeds) the new regulatory guidelines, and provides the right level of oversight of the organization’s cybersecurity plans:

  • Develop a common language for discussing complex issues of cyber risk and resilience to shift the discussion from a highly technical one to one that businesses can understand. Focus on an economic analysis that shows how cyberattacks endanger the organization financially in the short and long term.
  • Maintain a zero-trust environment and mentality. Any data access point is a potential threat to the integrity of the data you hold. Multiple checks and balances need to be put in place so that if something goes wrong, you have the best chance of discovering this at the earliest possible point.
  • Public companies should disclose whether their boards have members with cybersecurity expertise. Investors will consider this to be important in considering their investment as well as in voting for the election of directors.
  • Risk assessment is an ongoing process with new threats emerging daily. Keep it on the board’s agenda at least twice a year to review strategies in line with changing threat levels. Make someone on the board (either an individual or a committee) responsible for learning the details of the organization’s security needs and status. These individuals can provide ongoing updates and present larger issues for the broader board to assess and vote on.
  • Get expert advice as needed. Rely on internal specialists, third-party consultants, vendors, and technology solutions to plan ahead and better understand the cyber security landscape.
  • Test and re-test your plans in simulated attacks, to discover what data could still be compromised. Any weaknesses discovered should not be hidden or covered up but used to inform management where extra effort needs to be made to plug those gaps.
  • Review existing insurance policies to see if they are adequate in the event of a data breach, or if dedicated cyber insurance may help further mitigate the risk.
  • Educate consumers about the latest threats and scams and advise them never to divulge their personal data except for official government purposes.
  • Businesses and government should work together to identify where security weaknesses occur and how they can be addressed to prevent customers from becoming victims of cybercrime.

¹ The ITU publishes a Global Cybersecurity Index that measures the commitment to cybersecurity of countries at a global level. ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx
² Feedback on the proposed law was left open until 23 January 2023.

Victoria Hernandez is a non-executive Director (NED) at CaixaBank Payments & Consumer, the top bank in Spain and one of the largest banks in Europe. She is also a Jury expert at the European Commission, in charge of approving EU proposals for the European Innovation Council (EIC) Horizon Europe funding applications. Likewise, she represents the interests of the EIC €10,2bn fund as NED in the Belgian telecommunications company Tessares. She is also NED of TeamEQ, an AI & ML powered service that offers solutions in the field of human resources, and a member of the advisory board of Cashway, a financial technology company based in Paris. Previously, she was President and CEO of Orange Spain, Director of Alliances (M&A) Europe of British Telecom, President of Proximus Spain, CEO in France, and Vice President of International Operations. She is President Europe of the Global Telecom Women Network. She has a Bachelor of Engineering in Computing Sciences from UPC, an EMBA from INSEAD, a Master in Digital Marketing from Columbia Business School, and a Master in Financial Technology from Harvard University. Victoria lives in Paris and speaks 5 languages fluently. She has one lovely daughter (Rita).