The Board’s role in Cyber Resilience

Webinar with Katja Severin Danielsson and Dimitri Chichlo – 9 June 2020

On 9 June 2020, IDN members discussed the board’s role in Cyber Resilience with guest speakers, Katja Severin Danielsson, IDP-C, NED and Dimitri Chichlo, IDP-C, NED in a webinar facilitated by Liselotte Engstam, IDN Board Member, and with Q&A support by Hagen Schweinitz, IDN Board Member.

Cyber damage is accelerating

Katja shared that cyber damage has been increasing as companies become more digital, and that it has accelerated dramatically during the COVID-19 crisis. However, according to PwC’s 22nd Annual Global CEO survey, only 15% of CEOs strongly agree that their company can withstand cyberattacks and recover quickly. Unfortunately, many boards are not engaged enough with cyber resilience; they need to increase their focus on it and make it a key part of their agendas. Dimitri added that 76% of security professionals are focused on detection and containment and not prevention. For companies, it is not a question of whether they will be hacked, but when, and how great the impact of the attack will be. Dimitri noted that the 15% from the PwC survey is a rather grim figure, considering how prone senior managers are to overestimating their capacities.

Katja highlighted the World Economic Forum’s key messages on the current status of cyber risk and what needs to be done, and specifically emphasised that leaders need to create a culture of cybersecurity from entry level to top level of an organisation.

Source – World Economic Forum

Dimitri further noted that leveraging technology is an opportunity, however many companies were not prepared for the pandemic.

Five cyber risk governance principles

Katja shared the five cyber risk governance principles set out in the revised 2020 Cyber-Risk Handbook, which was released by the Internet Security Alliance, ecoDA, and AIG and supported by PwC Sweden. The guide was developed for Europe but can be used by a global audience. There are also specific handbooks for other markets, for example the US and the UK.

The first three principles are the responsibilities of the board, while principles 4 and 5 describe how the board should work with management and what it should expect from it.

The principles are:

  • Principle 1 – Directors need to understand and approach cybersecurity as an enterprise-wide risk management and strategy issue, not just an IT issue. Katja mentioned that cybersecurity should be integrated with business decisions, its assessment should be comprehensive, and it should consider the ecosystem of organisations (including third parties such as vendors and customers) which the company deals with.  Directors not only need to understand the technical IT matters but also operational matters which impact critical components of the business.
  • Principle 2 – Directors should understand the reputational and legal implications of cyber risks as they relate to their company’s specific circumstances. Katja noted that directors need to consider the industry that the company operates in and the type of company they have. They should note that the type of company impacts the standards which the company needs to comply with; some types of companies may need to maintain certain levels of security and comply with more transparency requirements, else face sanctions if they don’t comply with regulations.
  • Principle 3 – Boards should ensure adequate access to cybersecurity expertise, with appropriate reporting, at both Board and Committee level. Board members should be fully engaged, make enquiries and challenge management.  They also ensure that they have access to the right reporting, at an appropriate level of detail, in plain English which is understandable and easy to use.  Dashboards are often useful to follow trends.  They should integrate experts/competence into the board room for training.
  • Principle 4 – Board directors should ensure that management establishes an enterprise-wide cyber-risk management framework which encompasses culture, preventive, detective, and response capabilities, monitoring and communication at all levels. Resources should be adequate and allocated appropriately by the strategies adopted. Katja stated that the cyber-risk management framework should be aligned to the organisation’s strategy. Further, the risk management of cyber is an iterative process, whereby companies need to continuously update, understand and act on the changes in their threat profile and current risk position. She highlighted the importance of understanding the company’s crown jewel assets, understanding the current security posture (capturing strengths and dealing with the vulnerabilities), and ensuring that the controls and investment plans protect the right assets.
  • Principle 5 – Board-management discussions about cyber risk should include strategies on their management (mitigation, transfer through insurance or partnerships, acceptance, etc). Katja highlighted the importance of good reporting to allow directors to challenge management, and of the need to understand the strategies that management plans to use to reduce/mitigate or avoid risk, considering the cost/benefit of the strategies. This is to ensure that investments in cyber security target the company’s threat profile and contribute to the company being more secure. Ask management the question: “Are we spending our money wisely?”

The guide has five tool kits which directors/management can use to benchmark their cyber risk governance.

Participants then engaged in a lively Q&A session which covered a broad range of topics, including aligning the cyber strategy to the broader company strategy and day-to-day operations; how directors and their companies can improve their cyber resilience; whether boards should participate in crisis exercises; the benefits of having a cyber resilience committee; that cyber resilience is as much an HR/people and process issue as a technical risk; the importance of focusing on all stakeholders and dimensions when looking at the risks of a cyber attack (including financial, customer, reputational/media, shareholders, third parties/ecosystem partners); understanding the crown jewels of the company; and how to have the right knowledge of cyber at the board level, and across the three lines of defence.

Summary

In her closing comments, Katja noted that cyber resilience is a board responsibility, and

  • Cybersecurity is one of the fastest growing threats to organisations
  • Cybersecurity is an enterprise wide risk management topic not an IT issue
  • The board needs to increase insights and guide their organisation
  • Boards need to ensure the investments are targeted to company context
  • Boards are responsible to address these threats

Finally, Dimitri concluded by stressing the necessity of having technology and cybersecurity experts on boards, and not only business experts and leaders.

 

Recommended reading

Cyber Risk-Oversight 2020 Handbook – https://ecoda.org/wp-content/uploads/2019/08/ecoDa-cyber-handbook-Final-15.4.20.pdf

Impact of COVID-19 on Cybersecurity (PwC) – https://www.pwc.co.uk/cyber-security/pdf/impact-of-covid-19-on-cyber-security.pdf

CEOs face test of resilience in 2019 (PwC) – https://www.pwc.com/us/en/services/consulting/cybersecurity/PwC_CEOs-face-test-of-resilience-in-2019.pdf

Cyber Handbook 2020 (NACD ISA) – http://isalliance.org/wp-content/uploads/2020/02/RD-3-2020_NACD_Cyber_Handbook__WEB_022020.pdf

WEF Cybersecurity Platform – https://www.weforum.org/platforms/shaping-the-future-of-cybersecurity-and-digital-trust

Cyberattack Map – https://cybermap.kaspersky.com

Talent on the Board Agenda, before and during the crisis

Webinar with Helen Pitcher OBE, IDP-C and Mary Sue Rogers IDP-C on 18 May 2020

Talent has never been a more important topic for the Board.  The focus on talent at the Board level is evolving, and many Boards demonstrate best practice while others still see it as more of a reporting and compliance activity.

At its heart, it cuts to the sustainability of the business. Gone are the days when the Board examined a Nine Box matrix once a year to review the succession pipeline. Rarely did these processes yield talent fit for the future, as in many instances they looked at replacing “like for like” rather than at the changing landscape of skills requirements. Often people were placed in these boxes because they were good “Number 2s” and made their bosses’ lives easy!

The Financial Reporting Council – whilst a UK Code – covers many international businesses and is usually regarded as best practice governance throughout the world; it now requires Boards to know the talent in their organisation and the skills required for the Board to be fit for purpose.

COVID-19 has thrown up its own challenges with talent, both for the future and for the immediate term: the possibility that a key member of the team sadly falls victim to the virus has led to emergency measures to identify who can step into these roles. It is also highlighting a need for different skills and the leadership capability to steer the organisation through a remote and distributed leadership lens.

The webinar held on 18 May 2020, facilitated by Liselotte Engstam and Hagen Schweinitz, IDN Board members, and delivered by Helen Pitcher OBE, IDN President, and Mary Sue Rogers, explored the issue of Talent, the Board’s focus and the myriad of challenges it creates. Practical guidance was given as to how to approach this and excellent questions were posed by the 80 plus people signed up for this lively and interactive session.

Topics discussed included:

  • The type of company and size of the Board will drive how the talent agenda is addressed. For those of us that are passionate about this topic, we will have achieved success when the HR Committee, Nominations Committee, Remuneration committee, or whatever it might be called,  has a level of standardisation and focus equal to the Audit and Risk Committee.
  • Every company’s governance process should have oversight into key talent topics beyond just executive remuneration and CEO recruitment.
  • Having an annual Board cadence around topics such as strategic talent needs, succession, employee development, engagement, culture, and specific workforce challenges such as recruitment and retention is best practice.
  • Boards should also have a way to educate themselves on the key talent trends – topics such as “gig workers”, robotics and AI, career development, and performance management.

By Helen Pitcher OBE, IDP-C, IDN President, Non-Executive Director, Chair Board Committees, and Mary Sue Rogers, Non-Executive Board Director, Committee Chair, IDP-C.

The impact of technology on Strategy & Business Models

This blogpost is shared as part of a series of insights from INSEAD Directors Network, based on roundtable discussions held during INSEAD Directors Forum October 2018. The Directors Forum Round Table Discussions were held with IDN members led by IDN board members or IDN Ambassadors. Other blog posts shared. 

________________________________


How to breathe with the marketplace to stay stable or grow, how to stay consistent and be able to incorporate a change that enables the company to stay healthy.

I was happy to lead a discussion for INSEAD International Directors Forum 2018 in Fontainebleau: “Understanding and managing how technology impacts strategy and business models”. Does it require a closer board oversight?

For the past 20 years, companies have spent a good % of budgets and CAPEX in the process of 1) “Digitization,” converting data to digital and implementing the ability to manage data, and 2) launching and applying business models that exploit digitization, setting up digital platforms to capture consumer data and technology platforms to reach consumers, and aligning offerings to consumers’ needs.

As we now reach Digital Transformation (the restructuring of economies and institutions along with society), the need to understand its impact on our industry’s business model, our companies’ structures and their strategies is ever so crucial, not only for executives but for their boards. As board members, our direction is on “How to breathe with the marketplace to stay stable or grow, how to stay consistent and be able to incorporate a change that enables the company to stay healthy.”

With representation of Investment Banking, Commercial Banking, Energy, HR Services, Transportation, Mining, and some family boards, we reflected and discussed as a team what the concerns of our boards are today and what areas are critical to understanding what it means, impact-wise and disruption-wise, to harness the power of digitalization and help our companies navigate and extend or renew their relevancy in the market.

Some concerns raised included AI in consumer data and technology platforms (optimizing consumer knowledge in real time to product portfolio and consumer offerings), and how our companies are dealing with Operational Risk (Physical and Cyberinfrastructure interdependencies not only of owned sites but with clients and partners), Labor and Regulations (where complex task automation in manufacturing, transportation and logistics impacts our workforce) and, lastly, Innovation (promoting and protecting the creation of new products and offerings).

We concluded that for our boards today to be effective and efficient, we need to

  • Review Strategy more – build a committee if not existent.
  • Communicate more with stakeholders, internal and external.
  • Expand perspectives on the impact of technology on our industries and regulators.
  • Listen to a more significant sample of our companies’ employees, down to N-2.
  • Encourage a culture of change and innovation – call for “Failure Presentations.”
  • Bring diversity to the board – expand the perspective to match the markets served.
  • Expand the need to understand the impact of technology not only on our companies but on our companies’ clients and our companies’ partners.

Remember that to what we transform to – might not exist yet:  Our boards need to be diverse to help us navigate with the impact of technology on strategy and business models.  The actions we can help develop today should bring humanity to the business of the future.

Mary Francia is a Management Consultant in Strategy, Technology & Operational Risk. She is a Certified Director from INSEAD International Directors Programme and Board Member of its IDN Alumni Club.

_____________________

 

Other blog posts in this series:

Governance in a Disruptive World by IDN Board Member Liselotte Engstam

From Board oversight of Strategy, to creating a Sustainable Business, by Helen Pitcher OBE, IDP-C, Vice President IDN

Anticipate and manage for geopolitical trade, corporate governance codes and regulatory changes by Cleopatra Kitty, IDN Cyprus Ambassador 

The impact of technology on Strategy & Business Models by Mary Francia, IDN Board Member

Align Risk Management with Strategy and Operating Performance, Reward and Remuneration by Susana Gomez-Smith, IDN Portugal Ambassador

Accelerate Board Effectiveness by IDN Board Member Thomas Seale

 

More insight from INSEAD Directors Network, will be shared based on INSEAD Directors Forum 2018, Round Table Discussions – Look out for more upcoming blogposts!

INSEAD Directors’ Network Members on 37 new International Board positions

IDN Members Board Position Announcement 2Q – 2018 

INSEAD Directors’ Network, IDN, proudly shares the recent appointments of our members to board and corporate governance positions, underlining the recognition of our members and the strength of our IDN network.

IDN members were appointed to 37 new board positions in 14 different countries, adding to the 58 previously shared, summing up to 95 position announcements since 2017.

IDN is a network of International Board Directors, where full membership is automatic for Certified Directors (IDP-C) from INSEAD’s International Directors Program (IDP) and is open to all INSEAD Alumni with appropriate directorship experience. The aim of the IDN network is to facilitate contacts, share insights and experiences on international board topics and promote excellence in corporate governance.

To date, IDP has been completed by 938 participants, with 555 certified IDP-C directors from 58 countries. (A few of the members announced today have IDP-C pending, planned for October 2018.)

IDN works closely with INSEAD Corporate Governance Centre, which undertakes cutting-edge research and teaching tailored to the needs of boards and international directors. It fosters a global dialogue on the challenges of corporate governance and leadership in an international context.

INSEAD Directors’ Network – Members New Board & Corporate Governance Positions

Carole Ackerman – May 2018 – Supervisory Board Director at BKW AG (Public, HQ Switzerland)

Abdullah AIMutrif – Dec 2017 – March 2018 – Board Director at “Eastern Yields Investment Co.” (Private, HQ Saudi Arabia) and “JEEVES of BELGRAVIA” (Private, HQ Saudi Arabia)

Natalisio Almeida – June 2018 – Supervisory Board Director at DATAPREV (State Owned, HQ Brazil)

Mary Antenen – April 2018 – Board Director at Caixa Geral de Depósitos (State owned, HQ Portugal) 

Livia Amidani Aliberti – April 2018 – Supervisory Board Director at Unicredit Bank (Private, HQ Austria)

William Blomme – May 2018 – Supervisory Board Director & Chair Audit Committee at Fiat Chrysler – Finance Europe and Case New Holland (both Private, HQ Luxembourg) 

Michel Darnaud – April 2018 – Supervisory Board Director at Aditlys (Private, HQ Switzerland)

Denise D’Elia – April 2018 – Chairwoman at Carers of Lewisham (Charity, HQ UK)

Rutger Groot – October 2016 – May 2018 – Chairman East-West Seed Knowledge Transfer Foundation and Chairman HR Committee & Supervisory Board Member at East-West Seed (both Private, HQ Thailand)

Victoria Hingre – April 2018 – Board Director at Hu-Man (Private, HQ Belgium)

Thomas Hürlimann – May 2018 – Board Director at WiseKey (Public, HQ Switzerland)

Caroline Jellink – 2016 – Vice Chair and Chair Governance Committee at Social Venture Partners (Not for Profit, HQ Canada)

Francis Kint – December 2016 – Supervisory Board member at ARDO NV (Private, HQ Belgium)

Johan Kördel – March 2018 – Supervisory Board Director at Acacia Pharmaceuticals Ltd (Public, HQ UK)

Virginie Lagrange – March – June 2018 – Board Director & Chair Audit Committee at Société Générale Bank and Trust (Private, HQ France) and Board Director & Audit Committee member at Banque de Patrimoines Privés (Private, HQ Andorra) 

Christopher de Mattos – March 2018 – Non-Executive Board Director at Fintech Innovation AS (Private, HQ Norway)

Hansruedi Müller – April 2017 – June 2018 – Chairman of Energie Zürichsee-Linth AG (Public, HQ Switzerland/CH) & Erdgas Obersee-Linth Transport AG (Private, HQ CH), Vice-Chairman of A. Aegerter & Dr. O Bosshardt AG (Private, HQ CH) & AeBo Holding AG (Private, HQ CH) & Supervisory Board Member of NSNW AG (Public, HQ CH) & AAGL AG (Public, HQ CH)

Louise Nicolin – May 2018 – Non-Executive Board Director at Simris Alg AB (Public, HQ Sweden)

Mario Paterlini – April 2018 – Board Director at ERG Spa (Public, HQ Italy)

Mary Sue Rogers – January 2018 – Non-Executive Director and Chair HR Committee at Save the Children Australia (NGO, HQ Australia)

Philip Spriet – May 2018 – Chairman at Pure Value (Private, HQ Belgium)

Steen Stavnsbo – May 2018 – Board Member at FOF, Aarhus (Private, HQ Denmark)

Aude Thibaut de Maisieres – January 2018 – Chairwoman at Medical Aid Films (Charity, HQ UK)

Anders Tullgren – Oct 2017 – April 2018 – Chairman at Xbrane AB (Public, HQ Sweden) and at Trialbee AB (Private, HQ Sweden), Non-Executive Director at Branding Science LTD (Private, HQ UK) and at Symphogen AS

Isabelle de Wismes – April 2018 – Non-Executive Board Director at Unicredit Group (Public, HQ Italy)

Previous board position announcements shared by IDN:
April 2018, January 2018, October 2017

For more information about: 

INSEAD Directors’ Network: https://blogs.insead.edu/idpn-globalclub
INSEAD’s Corporate Governance Programmes: https://www.insead.edu/executive-education/corporate-governance

For members of IDN, please ensure that you share your new appointments via idp.network@insead.edu or l.engstam@insead.edu

For head hunters interested in finding international board members focused on staying up to date with latest board and governance insights, please contact Mary Francia via mary.francia@insead.edu

For organisations interested in partnering with IDN, please contact IDN President, Helen Pitcher OBE, at helen.pitcher@insead.edu

 

On behalf of the INSEAD Directors’ Network Board,

Liselotte Engstam,
IDN Board Member, Chair Communication Committee
l.enstam@insead.edu

13 New International Board Appointments of Members from INSEAD Directors’ Network

Fontainebleau, January 12, 2018


Members Board & Corporate Governance Position Announcements 4Q – 2017 

 

The INSEAD Corporate Governance Centre was launched in 2010 and undertakes cutting-edge research and teaching tailored to the needs of boards and international directors. It fosters a global dialogue on the challenges of corporate governance and leadership in an international context.

The International Directors Programme has been, to date, completed by 812 international participants and the active alumni group has formed the INSEAD Directors’ Network for continuous sharing, networking and learning.

We are proud to share the recent appointments of board and corporate governance positions for the members of our INSEAD Directors’ Network.

 

INSEAD Directors’ Network – Members New Board & Corporate Governance Positions

Thomas Burkhalter – October 2017 – Board Director at Overgaard Ltd (Private, HQ HK)

Francois Davy – December 2017 – Supervisory Board Vice Chairman Foncia Group (Private, HQ FRA)

Denise Koopmans – January 2017 – Chairman at United Digital Group (Private, HQ GE) and Supervisory Board Director at Jansen de Jong Group (Private, NL) and February 2017 – Supervisory Board Director at VGZ (Public, NL)

Steffen Haber – 2017 – Board Director at Critical Elements Corp (Public, HQ CAN)

Fabio Mondini de Focatiis – December 2017 – Board Director at Cross Border (Private, IT)

Gerard Paulides – December 2017 – Board Director at Vopak (Public, HQ NL)

Alex Price – January 2017 – Board Director at Sunfert International Fertility Centre (Private, MY) and March 2017 Supervisory Board Director at Shorecare Urgent Care (Private, NZ)

Mark Shmulevich – October 2017 – Board Director at SGTech (Ind Association, HQ SL)

Steen Stavnsbo – November 2017 – Supervisory Board Director at Business Network Aarhus (Non profit, HQ DK) and December 2017 Supervisory Board Director at Start-up House/Iverksetterhuset (Non Profit, HQ DK)

 

Previous board position announcements by IDN.

 

For more information about:

INSEAD Directors’ Network: https://blogs.insead.edu/idpn-globalclub

INSEAD’s Corporate Governance Programmes: https://www.insead.edu/executive-education/corporate-governance

 

For members of the IDN, please ensure that you share your new appointments via idp.network@insead.edu or l.engstam@insead.edu

For head hunters interested in finding international board members focused on staying up to date with latest board and governance insights, please contact Mary Francia via mary.francia@insead.edu

For organisations interested in partnering with IDN, please contact IDN President, Helen Pitcher OBE, at helen.pitcher@insead.edu

 

On behalf of the INSEAD Directors’ Network Board,

Liselotte Engstam,
IDN Board Member
l.enstam@insead.edu