The second biennial Directors’ Risk Survey by Marsh and the Institute of Directors (IoD), finds technological disruption and cybersecurity are now top issues across New Zealand boardrooms.
Cyber was ranked number two this year, which clearly shows how much things have changed on the technology front over the last 24 months,the report states. In 2013, cyber was ranked as the number two emerging risk and did not feature as a key external risk.
“Directors need to approach cybersecurity as a whole of business issue,” says IoD CEO Simon Arcus.
“The board’s role in technology governance is about leadership in this new era – put cybersecurity on the agenda before it becomes the agenda,” he tells CIO New Zealand. “It is also important for directors to ensure its board has the skills and experience to ask management, CIOs, CDO or technology teams the right questions to ensure confidence in the organisation’s resilience.”
The survey, designed to gauge directors’ views on a wide range of risk issues, was conducted in November 2015 with 526 IoD members as respondents
Arcus says cybersecurity and digital strategy were on the minds of directors in an unprecedented way. “Most businesses use or rely on technology to operate – cyber risk is a reality of our times – so the ability of boards to consider it as part of enterprise risk is critical in ensuring directors are confident about business resilience.”
The report notes how the recent Ashley Madison data breach and the attack on Sony in the US prove that these risks are real.
“Cyber risk does not have borders and does not discriminate. Whether it is a business, from SMEs to large corporates, or a government department all have felt the wrath of cyber attacks.”
Cyber risk is a reality of our times – so the ability of boards to consider it as part of enterprise risk is critical in ensuring directors are confident about business resilience.
Over a quarter - 27.8 per cent - of directors said that they did not have a procedure in place to manage this risk. With the prevalence of cyber attacks both locally and across the globe it is imperative to have plans in place to manage this risk and the consequences.
Directors not only need to consider the risks to their own business but also that of their business partners and suppliers, the report stresses. Suppliers can be used as a “back door” to get into a larger, more high profile organisation.
“Attackers often identify smaller business partners that are typically less well protected to get to a bigger target.”
Arcus says it is encouraging going into a New Year that risk remains a common conversation at the board table.
“Management of risk – is critical to a board providing strategic leadership and creating value. Risks change and evolve and the need to stay current is emphasised by this report,” says Arcus. “Technology is an integral part of business capability and boards need to take responsibility to be able to lead in this new era.”
Technological disruption continues to be a prominent business risk, with cyber-risk emerging as a key external risk for the first time.
Most directors (56.1 per cent ) believe risk is increasing in today’s business environment, with 74.5 per cent of directors saying their boards are spending more time discussing risk management than they were two years ago.
Most directors are confident that they could handle a major IT disruption with 90.6 per cent saying they have a procedure in place to manage, although just 19.4 per cent can manage data loss and even more 35.2 per cent are not able to keep up with technological advances.
Read more: How ‘secure digitisers’ compete to win
Steve Walsh, Marsh executive director, says the ranking of cyber risk in this year’s survey to the second highest organisational risk, shows how things have changed in 24 months.
“Technology is such a critical part of any organisation’s operation that it can be very detrimental if it fails or if you can’t keep up with the competition.”
He says boards must address technology issues as part of their regular risk reviews. “Any organisation that doesn’t have strategies in place to deal with these issues, such as cyber, is leaving themselves hugely exposed.”
Related: We must be cognisant that the bad guy is agnostic of any hierarchy. Information security is a cultural and organisational issue – not a technical one. Every major breach in the world has confirmed this. - Victor Vae'au, NZ Defence Force CIO
Read more: St John searching for a CIO
Send news tips and comments to firstname.lastname@example.org
Follow Divina Paredes on Twitter: @divinap
Click here to read digital editions of CIO New Zealand
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, CDOs, COOs, CTOs and senior IT managers.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.