As technology evolves and becomes even more integral to the operation of businesses of all sizes and types, ensuring that your business and your clients are protected from risks in cyberspace becomes a priority. This interview is the third in a series of four in which we unpack the question of just how important it is to have board directors who are competent and knowledgeable in the cyber sphere.
To gain more insight on this pertinent topic, Felicity Kadi, Odgers Berndtson’s Board Practice Consultant, spoke to Dr Mantsika Matooane, former Nedbank Group Ltd and JSE Group Ltd non-executive director. Dr Matooane was chairman of the Nedbank Group information technology committee and chaired the JSE board risk committee for many years. She also brings operational experience as a former Chief Information Officer, including at The Hollard Insurance Company. Dr Matooane holds an MBA from Henley Business School and a PhD from the University of Cambridge.
What is cybersecurity and data privacy?
Cyber security for me is about understanding the value of trust; for the companies that we lead, trust is an essential element that is compromised when cybersecurity is not up to date. Directors want to protect the company’s data, the company’s assets, and the clients.
Why do you think it is important for a board to have cyber competent directors?
A board needs a broad mix of skills. It needs a few directors who have competency in digital services and cyber security, but by and large the entire board should have cyber awareness. Directors need to understand the company’s activities in terms of building on cybersecurity for the company systems, as well as any measures that management puts in place to ensure that the company is resilient.
In my experience in the financial and healthcare sectors, companies need strong cyber security as it impacts customers’ lives and livelihoods. In healthcare, it is particularly important from a privacy perspective and to prevent cybercrimes.
Do you think cybersecurity and data privacy are treated as an enterprise-wide risk management issue, not just an IT or background issue?
Increasingly I am involved in trying to make sure that it's on the enterprise risk dashboard. This ensures that it's taken seriously and is something management works on. My experience as chairman of a board risk committee is that cybersecurity has risen into the top 10 risks for companies.
Are boards having the right conversations about cybersecurity and data privacy – should they focus on protection and/or resilience?
In South Africa, I think it's a topic that has become more prominent on the board's agenda. Directors engage quite strongly with management around what plans are in place and where the big vulnerabilities lie. Many businesses conduct simulations of what would happen in the event of a cyber incident.
That way, everybody is aware of their role, the communication protocols, the risk level, and the threat that the company faces. I've seen a steady improvement in the awareness of both (cybersecurity and data privacy), and the activities of management, but also in the engagement on both sides.
How can boards progressively build up their cybersecurity knowledge?
Most boards have some kind of training program highlighting the areas for skills improvement for directors. Many directors plan their own training program to make sure they are keeping ahead of the trends in the industry — the key areas that they need to improve their own skills on.
I actually prefer the diversity of skill level on the board, and we don't bring on directors to get them to be specialists in a particular area. If there is a need for an expert to be brought in, that can be the case.
Companies want a diversity of directors who each bring their own skills and their own perspective. They do not need to all be cyber experts. So, I'm happy with each director making a call on whether they want to build more skills in a particular area, but you should demonstrate the importance of cybersecurity and data protection in the context of their particular company’s work.
What do you think are the legal implications of cyber risks as they relate to the company’s context? And what about reputational damage?
I'm not particularly versed in the legal risks, but I would say that the legal risk flows from how each director has consciously executed their duties. Depending on what the result is from any cyber incident, there might be some legal risk for the company, perhaps less so for the directors.
So, there might be other legal risks, but I think that directors should really be looking at whether the company has put all the right cyber security measures in place, as well as having a keen focus on ensuring that (the company) is resilient and can recover and that customers have trust.
Partner with us
To stay ahead of changing cyber security demands, it's crucial to have the right leadership guiding your organisation. At Odgers Berndtson, we specialise in identifying and recruiting top-tier executives who can navigate these and other complex challenges to drive your strategy forward.
Contact us today to learn how we can help you find the leaders you need to secure your digital future.