Advice for boards (and practitioners) on cyber

Brian Barnier recently reminded me of a paper that he helped develop for the International Corporate Governance Network (ICGN) in 2016. Cyber Risk: ICGN Viewpoint is a good read.

I like these points:

• Companies and their investors are increasingly concerned about risks associated with misuse of information and communication technology, whether as a result of poor implementation of data systems, missed opportunities to adopt key innovations or failure to protect a business from malicious acts (which are often labelled “hacking” and “cyber” attacks).

Notwithstanding their technical complexities the broad scope and potential gravity of cyber risks are such that these risks must be understood and proactively overseen by company directors as a matter of good corporate governance…. Cyber related risks are defined as the range of risks related to information and communication technology that can impede the achievement of company objectives and investor returns.

• It is important that cyber risk oversight is integrated with the strategy and risk management of the company, particularly with regard to identifying a company’s critical data and informational assets. Oversight of cyber…