Boards are increasingly recruiting new directors with digital or cyber security expertise, as the Financial Times has recently reported (subscription needed). This reflects the growing need, as digital transformation moves across all sectors, for understanding of digital risk at the top tier of the business and the expectations of good corporate governance that directors have the right skills to address such challenges.
Digital transformation is a universal commercial trend. There is no area of industry where new technologies such as blockchain, artificial intelligence, data analytics or the Internet of Things are not being used to develop disruptive or transformative tech tools. These new technologies can make processes and interactions better, cheaper and faster, creating new forms of competition and even completely new products and services. But alongside the opportunities, businesses face two broad categories of risk: those associated with a major business change, and cyber security risks.
Major business change
Vodafone's recent "Digital, ready?" report found that 79% of businesses surveyed considered digital transformation to be a strategic priority. Moreover, greater interest in digital transformation correlated with greater optimism about future growth of the business. Our own report on Next Generation Connectivity – one of the enabling technologies for digital transformation – found that 82 %of executives surveyed saw opportunities arising from Internet of Things technology, 78 % in virtual and augmented reality and 76 % in artificial intelligence.
There is clearly a strong appetite amongst businesses to leverage the benefits which transformative technology can offer.
Such strategies, however, are often played for high stakes. Past Harvard Business Review reports have found that "The bolder the digital strategy, the more likely the company is to have a successful digital transformation", but have observed that where a business has significant capital investment in assets specific to the traditional business model, and is facing intense competition from disruption, the adjustment costs to self-disrupt and fight back will be high.
The first major category of "digital risk" which boards may need to deal with is therefore the corporate risks associated with major change programmes. The challenges include:
- financial risks – boards will need to strike a balance between the meaningful investment required for a bold digital strategy and the prudent deployment of capital into potentially untested waters;
- legal and regulatory risks, where compliance requirements or constraints need to be effectively built into digital transformation outcomes;
- business continuity risks, linked to developing and implementing new systems and processes;
- potential workforce and talent risks, including both securing the necessary skills for the project and addressing the need to retrain or redeploy staff to new roles;
- cultural risks, where the new products, systems or processes are not fully adopted by, or encounter resistance from, the workforce; and
- reputational risks, if the new strategy runs into difficulties.
Cyber security is the second broad area of corporate digital risk. Even if a business is not pursuing a digital strategy itself, our digitised and connected world means that no business can ignore the risk of hacking, data leaks and other breaches of data security. As the UK's National Cyber Security Centre (NCSC) noted in its April 2019 "Cyber Security Toolkit for Boards", "The vast majority of organisations in the UK rely on digital technology to function".
The GDPR data privacy regime has heightened awareness of the need for effective security around databases of customer and other contacts. But there are a host of other cyber security risks, including: protecting the business against financial fraud, protecting intellectual property and trade secrets, and managing cyber security in the supply chain.
The Department for Digital, Culture, Media and Sport (DCMS)'s annual Cyber Security Breaches Survey for 2019 found that 61 % of large businesses (those with more than 250 employees) had experienced an attempted cyber breach in the preceding 12 months, with 20% of those who had experienced breaches or attacks facing them at least once a week – a striking statistic. On average, the financial cost to large businesses of a cybersecurity attack with a negative outcome is £22,700, but this does not include the costs of loss of business continuity or reputational damage.
As commerce digitises and connectivity gets ever wider, as more corporate value exists in digital form and as ever more valuable data is stored, the number of potential areas or entry points for cyber attack increases correspondingly.
Cyber security is … central to an organisation's health and resilience, and this places it firmly within the responsibility of the Board"
– NCSC's Cyber Security Toolkit
The expectations of good corporate governance
The principal legal duty: exercising reasonable care, skill and diligence
Directors of UK companies are required by statute to exercise reasonable care, skill and diligence under section 174 Companies Act 2006. Under this duty, directors are judged against two standards:
Directors can face a range of sanctions for breach of duty, capable of enforcement by shareholders through bringing a "derivative action" in the name of the company. The most obvious remedy for a technology failure causing the company loss would be financial recourse against a director whose conduct fell below the required standard in taking appropriate steps to identify and mitigate the chance of the underlying risk materialising.
The two-part legal duty of directors has a fairly clear subjective element – a director must draw on their actual knowledge, skills and experience in acting on behalf of the company. But what might reasonably be expected of a director under the objective element of the duty? How far do directors need to go to assess and develop strategies to address technology risks?
There is extensive guidance on good corporate governance (see here for details), for both listed and unlisted companies. The requirements of the objective standard are driven by the particular circumstances of the company, and critically, the extent to which it is exposed to particular risks. So, the directors of a company whose business model makes extensive use of customer data would be expected to be more expert in identifying and addressing the risks of a data breach than the directors of, say, a construction firm, because the potential consequences of mishandling of the data or a hacking incident would be that much more severe. Within the board itself, a director with specific responsibility for technology matters will be held to a higher standard than his/her colleagues less expert in that area, because under the statutory duty, regard is had to the functions carried out by the relevant director.
Delegation to appropriately qualified board committees and wider management is expected as part of the proper functioning of a board. But directors cannot abdicate responsibility for addressing digital risks. For example, cyber security risk is not just "a problem for the IT team". All directors (including non-executive directors) will be expected to display a reasonable understanding of the scope, severity and likelihood of risks facing a company, in order to be able to critically evaluate and challenge management on the steps that are being taken to identify and address those risks and/or seek appropriate external assurance on the robustness of those steps.
It is clear that awareness of cyber security as a board-level issue is increasing strongly, in line with the speed of digital transformation generally. The DCMS Cyber Security Breaches Survey 2019 found that 59% of large businesses have a board member with responsibility for cyber security – increased from 40% in 2017; while 40% have undertaken all ten recommended steps in the Government's "10 Steps to Cyber Security" guidance – increased from 22% in 2017.
Where a transformational digital strategy is being considered, the board will need to be actively engaged in appraising that strategy – all the more so if the strategy is core to future success. The board will need to understand the technology, appreciate the issues around implementation, anticipate the internal disruption which might follow, and appraise and test the financial business case. It may well be that the board might need to be strengthened (perhaps with a new non-executive appointment) with someone with a skillset and experience well matched to the new strategy.
Ultimately, the law does not require directors to insulate their company from risk. But directors must be able to justify their approach in to risk in the annual report (see here for more detail). The ultimate litmus test is whether the board would be able to show, in the unflattering clarity of hindsight following an adverse event, that appropriate steps had been taken to identify the underlying risk, reduce the chance of it materialising and develop appropriate impact mitigation strategies in the event that it did materialise.
An earlier version of this article was published in Governance (March 2018, issue 283) titled: "Boards and digital risk".