
Cybersecurity: A Strategic Imperative rather than a mere IT problem


Cybersecurity risks are on the rise within companies since (i) telework and the use of cloud technologies give employees broad, remote access to company data, (ii) outsourcing requires exchanging information with third parties and (iii) cyber espionage and data theft are not unusual in M&A transactions. As the very survival of a company (large companies and SMEs alike) is increasingly determined by its resilience against such threats, the Board of Directors must play a fundamental role in managing cybersecurity risks. With the advent of the European CyberSecMonth 2022 (the 10th edition), this topic deserves some extra attention.

CHALLENGE FOR THE BOARD OF DIRECTORS

A company can be exposed to various kinds of cybersecurity risks. 

First, there is the risk of an attack against the IT systems or a data breach that might lead to administrative or even criminal sanctions, for instance under data protection law.
Second, there is the risk of an interruption of production, sales and daily business, resulting in a decrease in turnover and a reduction in profits.

Finally, the resilience of the company itself may be called into question, with all the consequences that this entails: a cybersecurity breach jeopardises not only its reputation, but also the confidence in the competence of the Board.

Shareholders have indeed already demanded the removal of directors or taken legal action against them for cyberattacks.

Since a cyberattack or data breach may affect every department of a company, cybersecurity cannot be reduced to a mere IT issue. Like any other risk affecting the company, cybersecurity requires a clear strategy by the Board of Directors. 

ROLE FOR THE BOARD OF DIRECTORS

The Board does not have to understand all the technical aspects, but it is responsible for cybersecurity risk governance. Awareness of the risks is not enough; every Board needs a cybersecurity policy in order to achieve a secure data environment.

Often, the subject of cybersecurity is not addressed until a company has become the victim of a cyberattack or a data breach. 

Companies must indeed be able to deal with the consequences of an attack, but preventing the risk from materialising in the first place is even more important.

It is the responsibility of the directors firstly to raise awareness about cybersecurity risks among their staff.

Secondly, they must determine what level of risk the company is willing to take in light of its strategic objectives. To do this, directors should classify risks according to their likelihood and their potential impact, and subsequently determine which risks should be prioritised.

Thirdly, the Board must decide on a suitable budget for technical and organisational measures and, where appropriate, on taking out a cyber insurance policy.

CONCLUSION

In short, it is clear that cybersecurity is more than an IT department issue and that the Board of Directors can no longer deny its role in the cybersecurity risk management of a company.

Increasingly, the key role that the Board of Directors plays in cybersecurity is also enshrined in legislation, regulation and standards. For example, under the GDPR’s accountability principle (Article 5(2) GDPR), the controller is responsible for, and must be able to demonstrate, compliance, and within a company that responsibility ultimately rests with the Board of Directors. Article 38(3) GDPR also states that “the data protection officer shall directly report to the highest management level of the controller or the processor”. The upcoming Digital Operational Resilience Act (DORA) for financial institutions (incl. banks and (re)insurers) likewise places the responsibility for ICT risk management with the management body of the organisation. Standards on information security such as ISO/IEC 27001 also require top management to demonstrate leadership and commitment with respect to the information security management system.

Hence, if you are a board member, we advise you to add the topic of ‘cybersecurity’ to the agenda of your next board meeting. This will be the occasion to check where your company or organisation stands with its cybersecurity strategy and, where needed, to draw up an action plan.

We are of course at your disposal to assist you in this exercise.
