Monday 24 April 2017

UK: cyber security, non-executive directors and investors

Nausicaa Delfas, Acting Chief Operating Officer at the Financial Conduct Authority, today delivered a speech titled "Expect the unexpected - cyber security - 2017 and beyond" at the Financial Information Security Network: see here. Of interest is what was said about the role of non-executive directors and investors. To quote directly from the speech:

Then there is also the role of the Non Executive Directors (NEDs) – using them to help to share experiences from other businesses, and to ask challenging questions of their board colleagues, and of the senior leaders within an organisation. In 2014 the UK Government released guidance for NEDs on the types of questions that should be asked, and we very much support this advice. NEDs should be able to satisfy themselves that an organisation is managing cyber risk effectively; the Institute of Directors specifically calls for NEDs to satisfy themselves 'that systems of risk management are robust and defensible'.

Another development we are seeing is security being taken beyond the boardroom, and becoming an investor led conversation. We are seeing the emergence of a number of institutional investors now questioning boards as to how they effectively manage this risk, which in turn is driving increased focus in the Board room. We would encourage investors to ask questions about cyber defences, to use a firm’s cyber maturity as a key indicator of resilience, and to push firms to improve in this space. We have seen how cyber can have an impact on a firm beyond the operational disruption caused, extending into equities pricing, and harming the balance sheet. It’s a key consideration and we will be considering how investors can be better equipped to ask the right questions."

No comments: