Boards have made gains in recent years by recognising cyber as an enterprise risk, but greater resilience is needed

Boards of directors need to play a more active role in protecting their organisation from cyber risks, according to a new study released today by the World Economic Forum. Cybersecurity failure is a “clear and present danger” and critical global threat, yet responses from board directors has been fragmented, risks not fully understood and collaboration between industries limited.

The Principles for Board Governance of Cyber Risk Report provides a solution to this fragmentation and it is backed by leaders in digital risk and cybersecurity. Created by the WEF, the National Association of Corporate Directors, the Internet Security Alliance and PwC, the report is the result of a year-long collaboration to find a cohesive, global and cross-border approach to cyber risk.

The expert-led team found there are six principles that apply to a wider audience of boards and management teams. The report shows how directors can increase their understanding of cyber risks and act quickly, incorporating cyber-risk planning into overall company strategy.

“Without a principled foundation for understanding and governing cyber risk at the board level, risk responses have been piecemeal and security gaps have risen,” said Daniel Dobrygowski, head of Governance and Trust at the World Economic Forum Centre for Cybersecurity. “These principles provide much needed foundations for directors in any industry or geography. Cybersecurity is not just a technology problem; it is an economic and strategy issue crucial for boards to address given the current environment.”

The six principles are

  • Cybersecurity is a strategic business enabler;
  • Understand the economic drivers and impact of cyber risk;
  • Align cyber-risk management with business needs;
  • Ensure organizational design supports cybersecurity;
  • Incorporate cybersecurity expertise into board governance;
  • Encourage systemic resilience and collaboration.

These practices and approaches were further validated by members of the boards of some of the most advanced companies in the world.  

“Digital transformation is a business imperative,” said Larry Clinton, president, Internet Security Alliance (ISA). “Organisations can’t compete unless they leverage modern cyber tools. But, the downside of digital transformation is increased cyber risk. Balancing the need to use modern technological tools and while managing cyber risk is one of the most difficult issues a modern board faces. These consensus principles provide the guidance boards need to properly supervise and direct their management teams.”

“Boards have made gains in the last few years by recognising cyber as an enterprise risk, but the challenges posed by rapidly changing cybersecurity threats require every company and every board to ensure cybersecurity programs are resilient,” said Peter Gleason, CEO, National Association of Corporate Directors (NACD). “This new resource, drawing on NACD and ISA guidance, offers corporate directors across the globe an effective blueprint to advance their cyber-risk oversight.”