Article
Redefining the board's role in cyber risk oversight
Author: Dr. Suphamit Techamontrikul
Chairman of Audit & Assurance
Deloitte Thailand
Cyber incidents have increased in both frequency and magnitude over recent years. As techniques become more sophisticated, threats have become more complex in nature. The financial risks from the loss of confidentiality, integrity, critical business processes, and information assets are substantial. In the ASEAN region alone, the average cost of a data breach hit an all-time high of US$2.87 million in 2022, 8% higher than the previous year.1
Over the past few years, Thailand has faced several major data leaks and the sale of personal data to scammers. The healthcare industry is one of the most targeted sectors in recent years as it contains sensitive personal information with several high-profile hospital data leaks taking place during 2020-2021, involving over 39 million patient records. Moreover, in 2021, personal data of 106 million international travelers to Thailand was exposed online including full names and passport numbers. Supply chain attacks are another trend as attackers explore vulnerabilities in third parties.
A company's brand, one of its greatest assets, can be significantly damaged from the loss of consumer trust that can occur as a result of cyber incidents. Studies have shown that around 81% of consumers lose trust in a brand after a breach, and 25% may completely stop interacting with it altogether.2 Active board oversight is essential to cyber risk management. Cyber threats increase the need for more strategic dialogue among management and directors to help improve the understanding of risk. The board is key in promoting a cyber-focused mindset and cyber-conscious culture throughout the organization.
Cyber risk awareness in the boardroom
Recurring cyber breaches have prompted the board and senior leadership to pay more attention to this risk area. Cybersecurity has since gained importance on the agenda, but there still needs to be more emphasis on understanding the exact nature of the board's role. Board members should ensure that they are broadly educated, and understanding threats, actors, risks, and business impacts. Even if the board is already knowledgeable on these issues, members should be open to having regular refresher training to stay up to date with new threats and strategies in cyberspace. Working with executives and Chief Information Security Officer (CISO), board members must understand the severity of the cyber threat landscape and how cyber-attacks could impact the organization’s finances, business mode, customers, and reputation.
Cyber risk as a key component in strategic decision making
Board members can further translate their education and awareness into company-specific cyber risk exposures and capabilities. This means not only having a thorough understanding of the company’s degree of potential exposure, vulnerabilities, current controls and roadmap for implementation, but also ensuring these aspects are embedded into the strategic decision making process. Corporate boards can and should gain improved visibility into management's cyber risk management practices and strategies by taking a more active role in helping management improve performance in this increasingly critical area. Cyber risks should be elevated as a principal business risk, collectedly owned, and managed by the organization, and not simply technical risk delegated to the IT department.
Establishing governance over cyber risk
Boardrooms must establish governance over cyber risk to ensure that it is accurately reported to them. This ensures that they can effectively direct risk management plans. Boards can work directly with management to develop board-level metrics and benchmarking tools that can enable them to ascertain the state of cyber security within the company quickly. Many companies are increasingly using cyber risk simulations to help them better visualize how their response strategies would play out during an actual incident. These exercises can provide much-needed context and education around the subject and shed light on the resilience of an organization's plans.
In recent years, boards have effectively elevated the importance of cyber risk management. Forward-looking boards can make an effort to increase their collective understanding by pursuing greater visibility into management’s cyber risk management practices, processes, and involvement. Education and action must be ongoing, as cyber threats are evolving daily. The enforcement of the Thailand Personal Data Protection Act came into effect as of June 2022 and sub-regulations have been periodically released throughout the year, meaning that board members must keep track of what ramifications they may have for the organization and cyber security. Moreover, the board should monitor for further enactments of subordinate laws of the country’s Cybersecurity Act to ensure compliance. Increased board involvement in cyber security doesn't mean that everyone must be a specialist. By using their risk management experiences, they can help push management to answer tough questions and identify potential weaknesses in their organization's cybersecurity strategy and capabilities.