The risks of cybersecurity lapses are well known, from flight cancellations to ransomware demands to run-of-the-mill ever-present (though still troubling) data breaches. In 2023, known ransomware payments hit a record $1.1 billion. IBM research found a 71% increase in cyberattacks that used stolen or compromised credentials. A survey by McKinsey and the Institute of International Finance found that even among financial service companies, which are well aware that they are prone to attack, their capabilities are often no match for the skills of well-organized and expert cyber criminals.
Launching a cyberattack is relatively easy, and attackers have the luxury of failure: they only need to succeed occasionally. The implication is that the defenses need to be at least as determined as the assaults. And for that to happen, boards are in a unique position to play an active oversight role. Here are three principles to keep in mind.
Ignorance is not an option
In 2023, the U.S. Securities and Exchange Commission required U.S. public companies and foreign private issuers to promptly report important cybersecurity incidents and describe their cyber-risk management processes….
