Most companies believe that because they are small in size, they will never have to face a cyberattack. Hackers and cybercriminals target every kind of business, as long as there is something of value, which includes assets such as business plans, contracts, employee login details, equipment designs, new product information and clients.
Once an attack has occurred, most directors find themselves faced with difficult questions from insurance companies and shareholders, including questions regarding the measures they took to protect the company against this complex and evolving beast. An inadequate answer could lead to claims not being honoured. Not only do companies have to repair their reputational damage, they also need to deal with the financial impact of a cyberattack.
Guiding principles to strengthen cyber risk oversight
A director needs to –
Suggestions a board member could make to lead senior management in the right direction
One of the first things an auditor or an insurance claims assessor would ask for – to check if a director has taken their fiduciary duty into account when the cyberattack occurs – is the historical board meeting minutes. Approved minutes reflect matters that the board members raise and help to protect directors against liability.
A few questions that a director could raise during a meeting include:
The feedback given to the board members needs to be relevant to the audience; management is encouraged to use summaries, visuals and less technical jargon. The aim should not be to overload the audience with information but rather to convey meaning and highlight changes. Management could also show performance against competitors and indicate the impact on the business with regard to costs and market share. Conversations in the boardroom should be based on the theme of enabling discussion and dialogue even when the topic is tricky.
Complete protection is an unrealistic target; cybersecurity is a serious business-level risk, which needs to be continuously monitored. Directors need to consider their fiduciary responsibility and communicate regularly with management about any new cybersecurity developments in the company and the industry in which they operate.
Tshepang Motaung LLB (Unisa) PLT (LEAD) Compliance Management Certificate (UCT) is a Consultant: Compliance Risk and Ethics at Fluidrock Governance (Pty) Ltd in Johannesburg.
This article was first published in De Rebus in 2022 (Oct) DR 40.