Why cyber risk should be a priority for every boardroom


A common mistake many organisations make is to leave responsibility for managing cyber risk to the IT department. In reality, improving cyber security and cyber resilience is an enterprise-wide challenge, which requires buy-in from every employee.

Organisations’ potential exposure to cyber risk has increased significantly over the last 18 months. The COVID-19 pandemic has seen many organisations accelerate the digitalisation of their processes so that they can connect with their employees, consumers, suppliers and other stakeholders digitally. Not only does this mean they are becoming more reliant on digital connectivity, they are also processing ever larger quantities of data, much of which could be attractive to cyber criminals.

Arunava Banerjee, Senior Cyber Risk Consultant, Zurich, says: “Cyber risk is not just about malicious intent. It can also include technical failures or inadvertent data breaches by employees. A cyber risk mitigation strategy needs to consider all the cyber threats your organisation could face.”

Board members should understand their own exposure to cyber risk

Authorities and regulators are now making it increasingly clear that they expect cyber risk to be a board level priority for organisations large and small. Directors and officers should also be aware of their individual exposure to cyber risk. This could include claims relating to breaches of fiduciary duty to shareholders, if it is alleged individual board members should have done more to prevent a cyber attack or data breach, or taken swifter action to mitigate the resulting damage.

Compounding this risk, some forms of cyber attack involve social engineering techniques that specifically target or imitate senior managers and leaders. Such techniques include whaling, a highly targeted form of phishing, whereby a message purporting to be from a senior figure within an organisation aims to trick the recipient into performing an action, such as transferring money.

While there have not been significant numbers of cyber-related D&O claims to date in the UK, organisations’ increasing exposure to cyber risk is expected to give rise to greater numbers of claims in the years ahead.

5 ways to build and improve cyber resilience

  • Treat cyber risk like other financial and operational risks. Ensure it is high on the boardroom agenda, and that it is budgeted for and appropriately resourced
  • Carry out regular, systematic assessments of cyber risk across all critical processes, in order to understand your exposures and the potential impacts of different cyber incidents
  • Be clear on roles and responsibilities, and establish clear channels for managing and escalating cyber incidents
  • Ensure senior managers and board members are appropriately trained in cyber security and cyber risk
  • Don’t treat cyber insurance as a silver bullet. Insurance can be invaluable in helping organisations recover quickly after a cyber incident, but it will not stop incidents happening in the first place, nor will it address the root causes of such incidents. Organisations should focus on improving their cyber maturity, rather than relying solely on cyber insurance

The role of senior leaders in managing cyber risk

Senior leaders and managers play a crucial role in ensuring cyber risk is understood and managed throughout an organisation. It cannot simply be a case of allocating a budget for cyber security and then leaving it to one department or one individual to take ownership of the problem.

Arunava says: “Senior leaders must ensure responsibility for cyber risk is not siloed within IT. It should be treated as an enterprise-wide challenge.

“Organisations will often say ‘cyber is on my corporate risk register’ but how are they actually mitigating it? Cyber risk needs to be an active part of your enterprise risk management programme and understood, managed and evaluated at every stage – change management, new projects and so on.”

Above all, Arunava concludes: “Organisations must have the mindset that a cyber incident could happen tomorrow and they need to be ready for it. It’s time to stop reacting and start anticipating.”

This article is adapted from an original post by Zurich.