Cyber security from a board perspective - DAC Beachcroft


Published 1 June 2016

Cyber security is an issue for most individuals and all sizes of organisation, and within organisations it is now generally accepted that it should be a board-level matter, and not one for the IT department to tackle alone.

The risk is ever increasing for a plethora of reasons: more companies depending on their online offering, more companies depending on intellectual property held electronically, and more companies holding ever-increasing levels of information on customers and employees electronically are just the tip of the iceberg.

On the other side, cyber criminals are becoming more sophisticated

Companies can undergo a cyber-breach without realising it has even taken place. As well as the general risk to an organisation’s reputation, there are legal obligations and financial exposures that may result from data/security breaches.

The fact that taking some small, basic steps can significantly help reduce the risk prompted BIS, in collaboration with others, to publish its 10 Steps to Cyber Security suite of advice and its Cyber Essentials scheme. The general counsel has a role in helping to ensure not only that current regulations are followed and new regulations foreseen, but also that best practice is embraced by organisations. This is illustrated by the fact that the “Association of General Counsel and Company Secretaries working in FTSE 100 Companies (GC100)” thought fit to produce a guidance note on this topic for general counsel and company secretaries in February this year.

The general counsel can often help to ensure that cyber security gets the high level attention it deserves

In the Governance Advisory Practice at DAC Beachcroft we often work with boards on their role and, when advising on the content of their matters reserved, look to ensure that oversight of cyber security is given suitable prominence. Among a number of helpful resources for companies, perhaps most tellingly, BIS has issued a note aimed specifically at non-executive directors, drawing their attention to the kinds of questions they should be asking of themselves, their board colleagues, and board committees. Questions include:

  • Have we identified and understood the value of our company’s critical information and data assets?
  • What is that small percentage of information within our business that makes it competitive?
  • What assurances do we have that adequate technical controls and processes (e.g. the ‘basics’) are in place to protect these assets?
  • Do we have assurances that our staff, suppliers, cloud providers, contractors, overseas subsidiaries and partners can be trusted to safely access our critical information and data assets?
  • Do we have assurance that our software is up-to-date?

Clearly, when looking to see whether cyber risk is being appropriately managed internally, there is overlap with a general review of the management of risk: does information on new risks flow up, down, and across the organisation? Is the risk register a meaningful document?

Cyber risk is after all just one of a number of risks on which boards will want to satisfy themselves that the appropriate risk identification and management processes are in place, and working effectively.


Bridget Salaman
