Data-driven business models

Cybersecurity – Are you prepared? Some thoughts on cybersecurity governance

Published on 14th Jun 2022

For many European companies, a cyber attack is inevitable. The question is not if, but when and how the company will become a target. If company boards think that appointing a Chief Information Security Officer (CISO) is their sole responsibility, absolving them of legal, reputational and incident management responsibilities, nothing could be further from the truth. Cybersecurity has become the responsibility not only of the IT department, but more importantly of the company's board, which must coordinate the activities of individual managers and look at the issue of cybersecurity in a holistic way.

This is chapter 2.10 of Data-driven business models: The role of legal teams in delivering success

Key Takeaways

  • register interest hand checkbox
    Having a CISO does not relieve the board of its responsibility in managing cybersecurity and potential legal liability 
  • The demonstration of due diligence by management is key to minimising the financial, legal and reputational consequences in the event of an incident
  • Preparing your company for incident management means carefully selecting the composition of your cyber incident management team 

Cyber threat seems imminent

The FIREEYE website has a map that monitors live attacks and cyber threats. At any one moment, hundred of thousands of attacks are taking place around the world. 

The war in Ukraine, which is also taking place in cyberspace, is a new factor that is both important and dangerous. Many hacking activities are funded and commissioned by nation states – the North Korean regime has even made cybercrime a source of budgetary revenue. Companies operating in NATO countries will be particularly vulnerable to attacks. This is another reason why directors should consider creating a cybersecurity governance structure within their organisations. 

Pure formality or effective approach? 

For some companies operating within so-called critical infrastructure, legislation may mandate that cybersecurity be addressed. This means that there is a legal obligation to establish responsibilities and procedures related to cybersecurity risk management and business continuity planning. This legal reason has some pros and cons in terms of awareness of the importance of cybersecurity in an organisation. The benefits of the legal pressure are related to the mandatory preparation of procedures including governance, internal policies, minimum training requirements, and use of defensive technologies. The possible downside of legal requirements may manifest itself in a strict, formal approach to filling out policies without focusing on creating an internal cybersecurity culture that is shared by all employees and the entire company. In a very formal approach to regulatory compliance, the natural temptation is to shift all responsibility for cybersecurity onto the shoulders of IT staff and chief information security officers (CISOs). Understanding cyber threats and their implications for the company and its shareholders is key to board engagement. This must be the principal driver for engagement, not the legal obligation in itself. 

Therefore, properly established cybersecurity governance and training programmes should be a positive impetus to engage all levels of employees, including board members, which also means the implementation of a more holistic approach that could be supported by a clear definition of the CEO (Chief Executive Officer)'s role and the board's involvement in the cybersecurity process. The central role for cybersecurity should be placed in a Cybersecurity Committee led by the CEO with input from the CISO and other board members. This committee should meet quarterly to discuss all important processes and policies related to security, cybersecurity and business continuity of the company. In this way, companies can achieve 'management buy-in'. Some corporate practices are not consistent with the stated declaration of the importance of cyber threats. Management board members need to ensure that they have appropriate cybersecurity training and develop a channel of communication with the CISO. 

Role of management board 

The aim of actions taken by the management board in the field of ensuring information security, including information processed in connection with the provision of the key service, is to achieve an organisational and technical level that: 

  • Ensures full implementation of applicable legal requirements in the field of cybersecurity; 
  • Guarantees confidentiality of information constituting critical data for the enterprise;
  • Ensures the integrity of business data;
  • Mitigates threats, and if they occur, limits their impact;
  • Ensures readiness to take appropriate action in crisis situations; 
  • Enables learning and improvement of the information security management system; and 
  • Raises awareness of employees and users in information security.
3D copmuter

Data-driven business models

The role of legal teams in delivering success

Download the full report >

Cybersecurity governance and incident response management

Cybersecurity governance is also intimately connected with the organisation of incident response teams. Depending on the size and scope of an incident, the list of people on a corporate security incident response team (CSIRT) might need to include some or all of the following: 

  • CEO - the key person who takes responsibility for the critical, final decisions of the team based on reports and recommendations provided by the other CSIRT members. 
  • CSIRT Leader (CL) - Board member responsible for IT infrastructure and operational support. Should coordinate internal and external forces involved in the incident response process. Their role should also include the preparation phase, including training and simulation exercises, checklists, procedures, and CSIRT war room organisation. 
  • CISO - Cybersecurity team leader managing the entire process from an IT and cybersecurity perspective, responsible for threat analysis from detection systems, reporting to CSIRT, containment, eradication, recovery process, and development of lessons learned. 
  • Chief Operating Officer (COO) - The board member responsible for business and production operations who is responsible for analysing the business impact of emergency processes and communicating with operations managers and external business partners on operational details related to the business flow. 
  • Control System Engineer - responsible for analysing the potential impact of an attack on maintaining operations, as well as shutting down certain production processes. Their role should include reporting to the CSIRT on possible business and operational scenarios related to attacked critical assets and production systems. 
  • Data Protection Officer - a person responsible for monitoring compliance with data protection regulations. Their tasks include determining the impact of a cyber attack on data protection and making recommendations to the CEO and the board of directors on how to communicate the data protection breach to state authorities. 
  • IT cyber defence specialists, dedicated to the containment and elimination stages.  
  • Individuals in charge of the IT area business units who are responsible for the daily maintenance of operations and are involved in monitoring and detecting threats and recovery planning. These should be network and system administrators who should provide information to the CSIRT related to possible vulnerabilities, interconnections, and the impact of the incident on business continuity. 
  • IT Service Desk team, which collects all signals from employees regarding anomalies in the normal functioning of systems and is required to report them to the CISO.
  • General Counsel - responsible for legal assessment of the situation and advising on regulatory obligations. The key to the role of general counsel in CSIRT is a proper value matrix based on customer interest, regulatory obligation, and shareholder expectations. Short-term interests of the board (and self-interest) should be placed at a lower level: there should be no pressure to sweep problems under the carpet with the naive hope that they never materialise. Strong legal advice helps in proper prioritisation of actions, especially towards customers, government bodies, shareholders (especially in listed companies that also report serious incidents to meet European Market Abuse Regulation requirements). 
  • Head of Security - who, as the physical security officer, should take full responsibility for arranging access for CSIRT members to the affected infrastructure, as well as for securing critical assets and infrastructure from intrusion if some security systems are disabled. 
  • Public relations professional - who should have a communication scheme in place in advance for various threats and impacts. However, PR specialists should not act alone as their words are crucial for business, social and political reactions, and the share value of a company. It is crucial to get CSIRT approval before any public statements. Therefore, communication should be part of training based on cyber attack scenarios. 
  • HR director - should be the source of internal communication for employees. They have the best knowledge about the possible reception of the communication by the employees. It should be emphasised that internal communication must also be agreed within the CSIRT and be consistent with external communications, as journalists will immediately notice the discrepancy and contrast the official statements with the knowledge of the employees. 
  • Support staff - the list of additional support staff should include forensic experts, representatives from IT vendors and application developers, engineers responsible for critical manufacturing processes, sales managers with relationships with key customers, a management assistant who should be responsible for having and updating all contact information and assisting in organising a 'war room' meeting physically or virtually. 

What needs to be added to the discussion of cybersecurity in organisations is real engagement of leaders and periodic training based on case studies, especially in the area of phishing and spear phishing-based social engineering techniques. This training and education programme should also be dedicated to the external contractors and vendors, especially to the franchisees who operate within part of the common network. It is a common perception within businesses that cybersecurity is solely a priority for the IT security staff, not an issue which should be tackled by everyone. And this should be changed by training. Cybersecurity should be spread beyond the IT community to all employees, through the greater awareness of the business, operational and legal managers. 


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?