Guidelines on the Corporate Governance of Cybersecurity

Purpose

The Guidelines on the Corporate Governance of Cybersecurity provide the Board of Directors (BoD) with guidance on how to improve the governance of cybersecurity, and how to weigh the opportunities that digitalization and technology may bring to companies against the risks involved.

Scope

The guidelines are written for larger companies with professional and independent boards but can be applied by any organization and their oversight body. The guidelines include rules for the BoD and oversight process itself, as well as practical guidance for the organization that is overseen.

Development

The guidelines were developed by Dr. Maya Bundt and Prof. Dr. Laura Georg Schaffner and went through an extensive reviewing and feedback process. Thus, the guidelines represent a collaborative and global effort. Given the fast-paced developments both in the cyber threat landscape as well as in cybersecurity and technology, the guidelines will be reviewed and updated on a regular basis.

Core Guidelines

1. The board should increase its cyber literacy: Each board member should become familiar with the risks of the digital age in general, and with cyber risks affecting their company specifically. This can be achieved through focused training, individual study or exchanges with internal or external specialists. The board as a body can ensure cyber expertise either through deeply knowledgeable board members, or they may ‘buy in’ that knowledge from internal or external experts.
2. The board should be familiar with the managers responsible for cyber security within the organization: The board should consider meeting with the executives responsible for cyber security in a regular and timely manner.. This could be yearly or even on an ad-hoc basis, depending on the nature of the company and its organization. Pull and push factors of communicating with the responsible should be defined in the organization’s governance.
3. The board should ensure the segregation of duties within the organization between the strategy for cybersecurity and its execution: In any organization, the executive and legislative should not be unified in one function. Hence, the executive function of the CIO should not be combined with the more legislative tasks of the CISO function.
4. The board should request that all employees receive cybersecurity training at regular intervals; Oversight of corporate talent is part of the board’s responsibility and the board should thus ensure sufficient cybersecurity and awareness training for all employees. The objective is to bring the overall organization to a required level of maturity and hence to prevent potential future incidents. This is specifically important since most of the reported cyber incidents have an insider (involve either maliciously or by accident) at their heart.
5. The board should ensure they have adequate time in their agenda to discuss the opportunities and risks of digitalization and the companies’ resilience in that respect: Cyber risk and cyber security should have adequate priority, room, and discussion time on the board’s meeting agenda, thus becoming a topic that the whole board focuses on regularly.
6. The board should set the risk management framework in a way that ensures adequate controls against cyber risks and which prepares for the worst-case scenarios: The board is typically responsible for the oversight of the organization’s internal control environment. Boards need to inform themselves of specific operational, reporting, and compliance aspects of cybersecurity (including legal and regulatory requirements), using and adapting or supplementing as needed at least one recognized framework to do so. Any oversight process should include both defense and response, to ensure business continuity and resilience.
7. The board should ask for the appropriate metrics that will allow them to understand the company’s overall cyber maturity and resilience as well as the level of threat: Frameworks and standards assist the board in assuring completeness of relevant security metrics reported. However, boards should be mindful of two potential failures according to the old – but still valid – motto: Do the right things and do things right. The business model and operations of a company define the focus areas for risk-adequate reporting. Boards must ensure they report on the riskiest areas of operations and do not select simply the metrics that are readily available or easy to collect.
8. The board should define the role that digitalization and technology play in their organization’s current and future business model, including the identification of opportunities and risks: The company’s technology strategy and the role of technology and digitalization in future business models must be an area of strategic focus and oversight by the board, including both the review of future opportunities and of potential risks. In this context, it is important to note that security may even be an asset and potential positioning point for the company.
9. The board should allocate adequate resources to managing technology and cyber risks: It is important that adequate funding and organizational capabilities are made available for cyber security, and thus the board should ensure that sufficient budgets for technology and security investments and operations are made available. Note that the funding does not only need to cover the technology itself (e.g., software, hardware), but that investments in people and skills, security and resilience processes, and data management are equally important.
10. The board needs to be aware of the laws and regulations regarding data and cybersecurity in all jurisdictions where the company has operations or customers: The board needs to be knowledgeable about laws and regulations that apply to the operations of their company. This relates for example, but not exclusively, to data protection laws. These laws are very specific for different jurisdictions and impact both technology and business strategy. Also, particular sectors (e.g., financial services, critical infrastructure) often have specific data and cyber security regulations that must be adhered to. Additional data-related regulations may be purely country-specific, for example, data localization laws.
11. The board should ask for a sensible data management framework that classifies data, measures its value, and allows for risk-adequate handling of those assets: The value of data increases the more organizations rely on it during value creation. Boards must apply special emphasis to overseeing the categorization and safeguarding of these assets and should request the implementation of a practical data management framework, following the GNDI Guidelines on the Corporate Governance of Data, listing and classifying any data assets that the organization either owns or processes. This data classification can then be used to guide specific protection measures for sensitive data and to set up the appropriate processes to be performed in order to comply with- for example- data protection laws and regulations.

Application

The guidelines provide a global cross-sectoral perspective and serve as a basis for adaptation based on industry, organization type, and jurisdiction.

Glossary

Board of Directors (BoD): Group of individuals, appointed or/and elected by shareholders and mandated to direct and oversee the company, establish policies for corporate management, appoint and oversee the executive management, and make decisions on major company issues.

Cyber maturity: An organization’s capabilities with respect to cybersecurity vs. others and/or self-stated targets.

Cyber resilience: An organization’s ability to sustainably deliver intended business outcomes despite adverse cyber events.  Organizational practices to achieve and maintain cyber resilience must be comprehensive and customized to the whole organization (i.e. including the supply chain). They need to include a formal and properly resourced information security program, team, and governance that are effectively integrated with the organization’s risk, crisis, business continuity, and education programs.

Cyber security: Preservation of confidentiality, integrity, and availability of information in Cyberspace.

Digitalization: Process of moving from an analog to a digital business approach. This guideline also includes ‘digital transformation’, the proactive change of business and organizational activities, processes, competencies, and models to fully address and leverage the changes and opportunities of relevant digital technologies.