Rethinking the role of boards in the cyber age

February 07, 2017 12:02

In a world where everything is trackable and quantifiable, will directors and officers find themselves navigating new liabilities sooner than expected?

Company directors could be easily forgiven for feeling lost when it comes to managing cybersecurity risks.

With seemingly daily headlines on cyber breaches at some of the world’s largest companies, the threat of cybercrime or a breach is real, but navigating the market for solutions often feels like a meandering path without a destination.

Unfortunately, for those same directors, their fiduciary duty to shareholders and the personal liability they face as board members require them to take informed steps to protect the company against cyber risks and cybercrime.

Indeed, AIG sees cybercrime as one of the most pressing threats facing boards today.

Nowhere does cybercrime represent more of a risk than in Asia, particularly in China.

A November 2016 survey by PricewaterhouseCoopers revealed that Chinese companies had seen cybersecurity incidents increase by more than 900 per cent since 2014. But in spite of this, cybersecurity budgets for Chinese companies actually dropped in 2016 by 7.6 per cent from the prior year.

The liabilities for companies and their directors that are arising from cyber risks are nearly unlimited. A cyber breach can destroy a company’s reputation overnight, taking its stock price down with it.

Incredible sums of money are at stake, and while today’s attacks are sophisticated, easy to execute and oftentimes anonymous, cybercrime is only in its infancy and set to rapidly evolve.

As companies continue to seek efficiencies and optimise their business practices, we expect to see greater use of technology aimed at streamlining expenses, boosting productivity and gathering data.

The use of cloud computing is expected to accelerate over the next several years, as is the development and implementation of Internet of Things (IoT) devices.

While IoT devices represent a vast expansion of data-gathering capability and are leading a revolution in industrial efficiency and operational insight, these devices offer multiple entry points for a potentially malicious hacker. These devices often lack basic cybersecurity measures and are easily hackable.

Directors and officers in the spotlight

Corporate officers and boards are thus faced with complex decisions around how to implement technology.

If they choose not to modernise their operations, they run the risk of becoming an inefficient and outdated organisation that cannot keep up with the technological benefits of the times.

Conversely, by modernising their infrastructure, new risks are created, particularly in the form of cyber attacks and fraud.

Directors and officers must perform this delicate balance while under the microscope from external stakeholders, most notably shareholders and regulators who will carefully scrutinise their decisions.

Did management properly disclose the degree to which their systems could withstand a complex distributed denial of service (DDoS) attack? How is the board liable when a data breach occurs, revealing confidential data that sends the stock price plummeting?

Unpacking solutions

Company boards and management must commit time and resources to educate themselves on the ongoing and dynamic cyber threats posed in our digital and connected age.

To fully capture the benefits of a technology-enhanced business, leaders must carefully assess and mitigate the risks that inherently arise.

Global insurance firms and consultants have a wide range of online resources available, including sophisticated yet practical advice for company directors.

Staff training and robust internal confirmation processes are critical to identifying cybercrime and fraud. Yet, even with the most modern available technology, the most prepared companies may easily find themselves falling victim to cybercrime.

Company directors and officers may have some provisions in their current D&O insurance policy providing professional indemnity against claims arising from a security breach or cybercrime.

Companies may further consider cyber insurance and crime policies that capture broader risks and liabilities related to cybercrime.

Such commercial policies exist to help companies recover monies lost not only to issues like cyber extortion or “fake presidents” fraud, but also the cybercrimes and frauds of the future yet to emerge.



Head of Asia Pacific Financial Lines at AIG Asia Pacific