In the engine room of any company, new regulation tends to be experienced as a burden, not an opportunity. But the new EU data protection laws which take effect in May offer Boards the chance to bring about a fundamental shift in corporate attitudes to the use of data and to cyber security. The leadership of companies can use GDPR to understand their own business better, to the benefit of their own digitization projects, as well as their security and reputation. Nor is this shift stopping at the borders of Europe; it will have a significant impact on any company doing business in or with the EU, and affect much of its supply chain.
The headline changes are already well-known: the new regulations embed the rights of EU citizens to be informed about how their data is being used and protected, and to have a say in the process, even to the point of getting their personal data deleted from company servers. Failure to uphold these rights, including through poor cyber security, will attract large fines of up to Euro 20m or 4% of global turnover.
Some companies will be ready, but many more will not. The toughest challenge is for small and medium-sized businesses. They are constructing or buying new GDPR-compliant systems for the future while struggling with legacy problems and years of stored data. The frenzy of activity to hire staff, conduct reviews and buy software brings risks of its own.
Against this backdrop, the oversight role of boards is crucial. Rather than seeing GDPR as a nightmare of box-ticking, they have the opportunity to step back and help embed the perspective, practices and discipline needed to safeguard key company assets and shareholder value. By understanding the value of their company’s critical data, and how to protect it, by modeling the right behaviours, and by requesting the right kind of regular reporting, boards can act as a crucial backstop for management and investors. Here are three things a progressive Board might do.
First, Boards should show that both good cyber security and GDPR compliance start not with technology but with fundamental attitudes to personal and critical data. Board members are not always the best examples of this culture change, which is why, after system administrators, they are a favourite target of cyber criminals. They need to model the right behaviours, as they would for financial or health and safety compliance. That means acting like a cyber-aware and privacy-aware group, curbing the use of personal and unsecured email, avoiding the downloading of sensitive corporate materials on home devices. They should visibly demonstrate the care and discipline in handling data which they want to see rolled out across the company.
Second, they should not be too busy or too grand to take part in simulation exercises. Cyber attacks are novel and disorientating, precisely because they disable the familiar communication channels used for handling a major corporate incident. There will be a raft of decisions to be made, from technical remedies and business continuity to communicating with customers and regulators. The aftermath of an attack is the worst time for a company to be working out how to make these decisions, who is responsible and how the Board fits in.
Third, be prepared to change the tempo and quality of Board reporting to meet the new reality. The tight timescales imposed by GDPR are a reminder that strategic discussions with executives require a different rhythm, one that matches the quickening pace of disruption. A major cyberattack can erase a third of a company’s share value in a day. In this environment, meeting once or twice a year to review strategy no longer works.
Boards should look to their risk practice and expect it to provide structured risk management for cyber, not least to avoid the CSO function marking its own homework. They need help in framing the right questions to management which can establish whether they will spot the signals that data is at risk. Recent surveys suggest that only about one in five directors feels confident that the necessary controls, metrics, and reporting are in place to address incursions.
Leaders need to understand how their enterprise, with its myriad IP addresses, domains and servers stretched around the globe can look to a would-be attacker; how tools, techniques and procedures are changing.
But to do this effectively and to change corporate culture, boards themselves need to change, to close the knowledge gap. To do so, they should not be afraid to jump a generation internally and hire externally.
The lesson of the last year in cyber security is that those companies that suffered the most catastrophic reputational damage and business interruption through cyber attacks fell down in two areas. They failed to get the basics of cyber security best practice right, and their handling of incidents after the attack displayed systemic corporate weaknesses, starting at Board level. GDPR is an opportunity for the leadership of companies to make sure that they avoid these traps. Cyber is a manageable risk, but one that needs to be gripped at every level, starting at the top.
About the author: Robert Hannigan is Executive Chairman of BlueVoyant Europe and Head of Global Strategy.