Originally published in Board Agenda

Data protection, cyber attacks and social media misinformation: why the stakes are too high to leave data governance to IT and legal.

Is your password a fiendishly complex array of letters, digits and symbols, containing no birthdays or names of pets? Of course it is. But when did you last change it? And do you use it for more than one system?

Now think about your organisation’s data. Helle Bank Jørgensen, CEO of Competent Boards, suggests board members ask whether the board’s “policies pass the so-called ‘sunshine test’, in other words, whether the board would feel comfortable if it saw a media report describing the company’s technology and its approach to cybersecurity”.

In her book, Stewards of the Future: A Guide for Competent Boards, Bank Jørgensen highlights that every competent board needs to “pay as close attention to the organisation’s data policies as to its financial statements or sustainability goals”. There are, she points out, some serious and far-reaching risks and ethical dilemmas—as well as an opportunity for an organisation to improve its standing by handling data well.

‘Never get tired of this, because it’s just not going to go away.’
—Bojana Bellamy, president, Centre for Information Policy Leadership

The book quotes Dottie Schindlinger, executive director of the Diligent Institute, a governance think tank. “Cyber-risk plays a huge role in board conversations,” she says. “It has become one of the top topics happening around board tables over the last couple of years. We are watching so many companies—that really pride themselves on having this impenetrable architecture—being brought to their knees by cyber attackers.

“We’re not judging companies so harshly on whether or not they have been breached, but on how well they respond afterwards. How quickly they react. Are they prepared? Have they had drills? Have they had tabletop exercises at the leadership level? What level of prowess does the board and leadership have in terms of understanding the full scope of the breach, and how to respond and react to it? Those are the things that actually matter now,” Schindlinger adds.

Are you ready for AI?

Another topic at the forefront of society’s attention is artificial intelligence. Because regulatory and legal frameworks cannot keep pace with rapidly changing technologies, writes Bank Jørgensen, “the onus falls on the board and management to weigh the risks and consequences of using technologies such as AI and machine learning. Data privacy, transparency, interpretability, integrity, control, and accountability should all be part of such assessments.”

Directors will already by familiar with GDPR (General Data Protection Regulation), the EU’s far-reaching law relating to data protection, privacy and human rights. In addition, Bank Jørgensen suggests reading the 2017 Montreal Declaration for a Responsible Development of Artificial Intelligence, which aims to spark public debate and encourage the progressive and inclusive development of AI.

Wouldn’t these matters be best left to the IT and legal departments? Nothing could be further from the truth, says Bank Jørgensen. She quotes Chris Crummey of IBM’s centre for government cybersecurity: “Mature customers look at cybersecurity as a business challenge, and not just about technology. You can see it in their ‘security culture’ and how they are organised internally.”

‘If you think compliance is expensive, I suggest you try non-compliance. That is really going to be expensive when it comes to money and reputation.’
—Kersi Porbunderwalla, CEO of the e-Compliance Academy

Clearly, though, IT and legal departments are key to discussions of cyber risk. They need to have an effective communication channel with board members, who need to understand how the company plans to adapt to the next generation of data management or digitisation. The spread of 5G technology is set to revolutionise data communication in terms of speed, quantity, and capability. And, writes Bank Jørgensen, it will enable companies to make far greater use of AI, data profiling, and general digitisation.

The Financial Times, in an article on 2 August 2023, reports that “5G could be worth as much as £173bn to the UK economy over the next decade”. In the same piece, Andrea Dona, Vodafone UK’s chief network officer, says of UK business: “We were early adopters of 5G but now we are falling behind.” So there is little time to lose.

Bank Jørgensen advises that digitisation does not come cheap. Cutting corners could mean boards “end up paying dearly in the form of data breaches, penalties, and lost business opportunities”. She also promotes investing in the long-term in the most up-to-date technology, avoiding trying to layer new systems on top of old.

She quotes advice from Kersi Porbunderwalla, president and CEO of the e-Compliance Academy: “Make sure that even though you are small, you think big. Think big data, think data transformation, think data structures so that you don’t get hit by cybercriminals or the oversight authorities because you are non-compliant.”

If anything catastrophic were to happen, Bank Jørgensen points out, insurance companies may be unwilling to pay up in cases where data was not being managed appropriately.

Six digitisation tips

⇒ Identify three key vulnerabilities in the company’s current systems, address those, and then move on to others.

⇒ Make sure you have the right people, the right systems, and the right structure to implement proper cybersecurity systems.

⇒ Get legal advice on the board’s liability for IT and cybersecurity.

⇒ Ensure that your organisation’s culture is geared to discipline, appropriate controls, and accountability.

⇒ Focus on three words: integration, embedding, and automation. Controls can be automated only if every IT component is integrated into the overall system.

⇒ Ensure that digitisation projects comply with official policies and regulations from the start, and that this compliance is thoroughly documented. (Tips reproduced from Stewards of the Future with permission.)

Social media and misinformation

A competent board, writes Bank Jørgensen, would be wise to view misinformation as a significant risk and to put protective countermeasures in place, just as it would for any other risk. As well as ensuring that social media is monitored by the organisation, the board must decide what to do when potentially harmful misinformation strikes.

Given the speed at which information spreads, the traditional response of threatening legal action may have little impact.

‘Don’t collect data you don’t need. And don’t keep it too long. If the data is obsolete, destroy it, don’t keep it in your backup. This is one way to start adopting the principles of “privacy by design”.’
—Josée Morin, HR and governance committee chair, CIMA+

Bank Jørgensen promotes a longer view: “If the company has been able to win stakeholders’ trust in the past through effective communication and engagement, that reputation should shield it from the worst excesses of misinformation. A high level of trust means that employees, shareholders, customers, and suppliers will give the company the benefit of the doubt.”

Corporate policies that take account of privacy, security, and transparency issues can go a long way towards building trust with stakeholders and regulators.

Stewards of the Future lists guidelines for boards on the issue of data, together with ten questions that directors might like to ask themselves or use as the basis for board discussion. With Helle Bank Jørgensen’s permission, we’ve reproduced these below:

Guidelines for boards

⇒ Emphasise that cybersecurity and responsible use of data are everyone’s duty. Policies, procedures, and controls should be integrated across the entire company.

⇒ Be sure that the company can immediately detect a cybersecurity breach and has processes and detailed plans in place to ensure minimal disruption of day-to-day business.

⇒ Don’t collect data you don’t need. And don’t keep it for too long. If the data is obsolete after a year, destroy it.

⇒ Use the resources of trade and industry associations (especially small companies).

⇒ Include due diligence on data privacy and data security in any mergers or acquisitions.

⇒ Always bear in mind the ethical issues associated with big data, collection of personal information, and artificial intelligence.

⇒ Keep asking whether your company can use its data to unlock new business opportunities.

10 key questions

1. Does the company have overarching cybersecurity and data privacy policies? Who oversees, enforces, and is accountable for them?

2. When did board members last read the policies that the company asks its digital users to approve? Did you fully understand them? Do you think your customers fully understand them?

3. Are all board members familiar with terms such as ransomwareDDOS, and phishing attacks? More generally, which board members have the expertise to exercise oversight on cybersecurity and data issues?

4. How often does the board receive training and adequate updates on cybersecurity, IT, responsible use of data, and digital trends?

5. Do the company’s cybersecurity and data use policies align with its business priorities, including its ESG strategy?

6. Who is responsible for overseeing the ethical aspects of data management?

7. Is the company able to document its compliance with regulatory requirements regarding data management and privacy?

8. Can the company ensure timely detection of a cyber attack or data breach? Have detailed plans been drawn up to deal with such a catastrophic event?

9. Does the company have sufficient insurance to cover the full damage from a cyber attack?

10. Does the board understand the ways in which 5G technology may impact the business, employees, customers, and other stakeholders?

Back To News & Views