ICAEW.com works better with JavaScript enabled.

Cyber risk management – a board level responsibility

Author: Mitigo

Published: 22 Sep 2023

Sponsored by  Mitigo

Mitigo highlight why senior leaders must take responsibility for their cyber risk management to counter a growing threat.

Senior leaders must step up to counter a growing threat.

Cyber risk management is a critical senior leadership responsibility, due to the escalating cyber threat landscape and the profound impact of cyber incidents on business operations, reputation, and financial stability. A ransomware attack can bring a business to an abrupt halt and in some instances close it down.

It is no surprise that so many business victims feel forced into paying the ransom demand when so much is at stake. Obvious high risk sectors include professional services such as accountants, private equity, financial services businesses, law firms and any firm handling confidential data and transactional work. The reality, though, is that the healthcare sector, factories, car dealerships, retailers and so many others are at operational risk too.

All senior business leaders have a responsibility to manage their cyber risk to safeguard sensitive information, maintain operational continuity, and protect stakeholder interests. The Information Commissioner’s Office and regulators including ICAEW require this too. Leaving cyber risk management to their IT support simply does not cut it. Proper cyber risk management is a sophisticated stand alone, discipline, covering so much more than just technology. It requires a comprehensive programme, with formal risk assessments, policies and procedures, and staff training.

Good cyber governance should include obtaining independent assurance from a cybersecurity specialist – someone who will assess and provide visibility of your cyber risks, determine the measures appropriate to control those risks, and give you ongoing assurance that the controls you have in place continue to be effective.

There are two key aspects to ensuring success:

Independence – because having IT mark their own homework is a nonstarter when it comes to good risk management.

Expertise – because cybersecurity is complex and ever-changing, and you need a specialist who understands your business structure and the current methods of attack, as well as your legal and any regulatory obligations.

Cyber breaches do not result from bad luck. A serious breach means that someone at the most senior level has failed to understand what was required to protect their business and has not done their job properly. And if you haven’t yet assigned responsibility to someone at Board level, your business really is living on borrowed time.

Lindsay Hill, CEO at Mitigo Cybersecurity