The Government's Department for Business, Innovation and Skills (BIS) has issued guidance for non-executive directors on bringing cyber security to the attention of the board.
Describing non-executive directors as the "independent conscience of the board", well placed to challenge the status quo and ask probing questions in this area, the guidance seeks to help them engage with board colleagues on the oversight of cyber risks.
Rona Fairhead, independent non-executive director at HSBC, is quoted in the report as saying that cyber security matters because, at a time when data is power and systems run through the heart of most businesses, no serious company director can afford to ignore it.
“At a minimum, every board needs to understand the key areas of vulnerability, the mechanisms to block external attacks and the means of detecting and addressing any breaches,” Fairhead said. “Almost all businesses, and their customers, are at risk – both financially and reputationally – and that risk is increasing. There’s no time to waste.”
The guidance offers questions for non-executive directors to ask themselves, to put to audit or risk committees and to raise with board colleagues. These include who is responsible for dealing with cyber risks, whether the board is being offered options for managing those risks, and whether the threats to the business are understood.
A source within UK Government told IT Security Guru that the guidance was part of the effort to make the UK a safe and secure place to do business, that it was about prosperity, and about making the boardroom connection so that the right questions get asked.
“With a non-executive director, the responsibility sits in a number of places,” they said. “If we can reach significant parts of business, whether through professional trade bodies to spread awareness through the board, our role is about getting the message to the masses.”