The Cyber Readiness for Boards project will also develop interventions to provide guidance and support, working initially with six multinational companies that are at particular risk due to their high profiles, before rolling out to involve more businesses, including small and medium-sized enterprises (SMEs) and larger enterprises in 2020.
The project will focus on evaluating board-level training interventions; assessing how boards evaluate cyber risks; investigating the significance of board composition, accountability and responsibility; and examining the impact of investor pressure on board decision-making on cyber risk.
First year results are expected to be delivered from September 2019, and the project will conclude in September 2020.
The project is a collaboration between researchers at University College London (UCL), the University of Reading and Coventry University.
They are joined by the NCSC, the Lloyd’s Register Foundation, the Research Institute in Science of Cyber Security (RISCS) and cyber security training provider Resilia, part of Axelos Global Best Practice.
Madeline Carr, project lead and RISCS director, said the role of boards is central to cyber security, especially in light of the fact that the UK is the largest digital economy in the G20 and 83% of UK critical infrastructure is in private hands.
“Understanding the decision-making process and the way that boards assess cyber risk will be fundamental to addressing some of the ongoing challenges we face – both here in the UK and globally,” she said.
Managing cyber risk requires changes from board
A survey by PricewaterhouseCoopers (PwC) in 2018 revealed that cyber threats are among the top concerns for company CEOs and investors, but only 11% believe their boards possess a high level of understanding of cyber security risk. A March 2019 government Cyber Governance Health Check found that many top UK boards still do not understand the impact of a cyber attack on their business.
Commenting on the findings of the Cyber Governance Health Check, Richard Horne, cyber security partner at PwC, said boards need to recognise that they have a responsibility to drive changes to business and IT operating models to enable their organisations to be securable. “Managing cyber risk is about far more than just building security controls and requires board-driven business change,” he said.
NCSC research conducted in 2018 found that the boards of private sector organisations, who tend to have positive attitudes towards risk, are instrumental in how protected the business is against cyber crime. Key to protecting companies is ensuring that boards understand the nature and importance of cyber security, the research showed.
JP Cavanna, group head of cyber security at Lloyd’s Register, said: “With the ever-increasing complexity and expansion of cyber threats, it is vitally important that boards feel sufficiently knowledgeable and supported. Lloyd’s Register Foundation is supporting the Cyber Readiness for Boards research to provide boards with the tools and information they need to understand and manage their cyber risk effectively.”
Sarah Lyons, deputy director at the NCSC, said cyber security is now a mainstream business risk. “Corporate leaders need to understand what threats are out there and what the most effective ways are of managing the risks,” she said.
“We have taken an evidence-based approach to developing our own board toolkit, and welcome new research into how UK boards make decisions around cyber risk. This research will help us refine and develop targeted guidance for business leaders, helping to make the UK the safest place to live and work online.”
Nick Wilding, general manager of cyber resilience at Axelos, who leads Resilia best practice, said that using evidence-based research is critical. “Not only in developing appropriate tools and interventions that can help boards to manage their cyber risks, but also for designing them in ways that actively engage with and effectively integrate into existing risk management oversight and governance. I look forward to helping to engage and inform boards during the research through Resilia’s focus on culture and behaviour change,” he said.
Ashley Hurst, international head of digital business at law firm Osborne Clarke, said: “Never before has there been such an urgent need for boards and executive teams to be ready for cyber attacks. The NCSC has a bird’s eye view on the most serious attacks taking place across the country, so it’s great to see it feeding back this knowledge and experience.”
Jake Moore, cyber security specialist at security firm ESET, said any investment to help defend against cyber threats is an investment to better protect the future.
“However, it is not always about how much money is available in budgets to help with the support, so seeing University College London team up to align their resources can only be fortuitous,” he said. “With estimates of cyber crime costing up to as much as £30bn a year, we are on the brink of an epidemic when it comes to protecting ourselves.
“Cyber criminals are fast paced and quick to react to new defences. Plus, there is no quick fix that will keep new threats out, so with the ever-changing goalposts, the NCSC’s research and training could be an extremely valuable tool in the cyber security toolkit of businesses.”