INSIGHT The cyber security buck stops right at the top BY BASIE VO N SOLMS LAST YEAR PROVED NOT g a m in g sy ste m s b e c a u se o f a cyberattack. TO BE A GOOD YEAR FOR W ith experts p re d ic tin g more BIG CORPORATES, AS FAR serious cyber compromises in 2015, AS CYBERSECURITY WAS and clients and customers becoming more aggressive as far as taking action CONCERNED. against corporates who compromise their inform ation, it is prudent to reiterate the absolute accountability he Target retail group in the of the board of a company as far as cybersecurity governance (CSG) is US lo st th e c re d it card concerned. information of 40m clients, and fu rth e r the personal Some of the largest US companies information of 110m clients viaare cyber now moving to bring cybersecurity onto their boards, a clear sign that it hacking. Target now faces a class-action lawsuit claiming that the retailer was is becoming a pivotal issue on board negligent in its failure to implement and agendas and that the penny is dropping that for many companies, their survival maintain reasonable security procedures and practices - the C EO was ousted actually depends on the security of their IT systems. and the ch ief inform ation security officer resigned. At JP M organ the It is now accepted internationally in fo rm a tio n o f 80m clien ts was that CSG is an integral part of good compromised. At Sony and Apple more co rp o ra te go v ern an ce, and th a t accountability for CSG resides with th a n 110m p aid -u p clien ts were prevented from using the companies’ the board - that aspect is now also T 36 FINWEEK 12 FEBRUARY 2015 part of many countries’ laws as far as national company law is concerned. Traditionally, risk management was always one of the m ost im po rtan t oversight duties of a board, and that duty is increasing by the day. However, what many boards have not yet grasped is the immense risk of using computer-based systems in the company. W ith most companies to tally in teg ra tin g th e ir business processes and whole company strategy on computer systems using the internet, the com pany’s risks of cybercrime and cyberattacks are growing daily, as indicated by the examples above. You cannot have a significant internet presence and expect not to become a targ et for cyber crim inals. T h e risk related to using internet-based computer systems in a company is one of the most serious risks to be overseen by boards of directors. Luis A A guilar, C om m issioner of the US Securities and Exchange Com mission, sum m arised many of the related issues in this com m ent made in 2014: “Given the significant cyberattacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyberattacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” In SA, the K ing III R eport on Corporate Governance clearly states that the board is responsible to see that a proper information security system is in place to manage the security risk related to the use of IT. As stated, the board is accountable INSIGHT and responsible for C SG , as a part o f g o o d c o rp o ra te g o v ern an ce . W h ere negligence can be proved in compromising the financial and personal inform ation of customers, clients, patients etc, the board of a com pany can and w ill be held personally accountable by stakeholders - as the developing saga in the Target case will show. not p e rfo rm in g g o o d c o rp o ra te g o v e rn a n c e , and may t h e r e fo r e be seen as negligent. F o u rth ly , m a ke v e ry su re you understand the im p a ct of the coming P r o te c tio n o f Personal In fo rm a tio n Bill on yo u r company. CSG is not a nice to have, or something the board can delegate to technical staff and forget about it. It is crucial to the survival of the company, and very definitely also to the preservation of members’ seats on the board. ■ WHAT SHOULD BOARDS DO TO GET A HANDLE ON THE VERY SERIOUS ISSUE OF CYBERSECURITY? Basie von Solms - Director: Centre for Cyber Security, University of Johannesburg Firstly, g e t c y b e r and in fo r m a tio n editorial@finweek.co. security expertise on the board - not T h i r d l y , as s e c u r i t y only on a consultative basis fro m time p e r m a n e n t f i x t u r e on th e a g e n d a , i n s titu te r e p o r t i n g a n d m e a s u rin g m e t r ic s m e c h a n is m s t o b rin g and to tim e , b u t on a p e rm a n e n t basis. This is essential because all business issu e s , f r o m f i n a n c e t h r o u g h t o marketing and mergers, have serious security risks th a t must be taken into a cco u n t on a co n tin u o u s basis. is n o w a k eep th e b o a rd u p - t o - d a t e on th e c y b e r and in fo rm a tio n s e c u rity status o f th e co m p a n y . R emember, if you c a n n o t measure y o u r security s ta tu s , y o u c a n n o t m a n a g e y o u r S e c o n d ly , m a ke c y b e r and in fo rm a tio n se cu rity a p e rm a n en t s e c u r ity s ta tu s a n d th e r e f o r e you ca n n o t oversee y o u r security status. item on th e boa rd agenda. W i t h o u t su ch o v e r s i g h t y o u are AT SO NY A N D APPLE MORE THAN 110M P A ID -U P CLIENTS WERE PREVENTED FROM USING THE COMPANIES’ GAMING SYSTEMS BECAUSE OF A CYBERATTACK., FINWEEK 12 FEBRUARY 2015 3 7 Copyright of Finweek is the property of Media 24 and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
Purchase answer to see full attachment