8 March 2023

Why cybersecurity should be top of the agenda at your next board meeting  

For three good reasons. One, to avoid a breach that could result in significant financial costs, loss of sensitive data and reputational damage. Two, to ensure you comply with forthcoming cybersecurity regulations that more organisations will be subject to. Three, investing in cybersecurity upfront is cheaper than repairing later, and quick fixes might not align with your overall business strategy. 

To help you and your board keep your key assets protected, we’ve answered seven vital questions about cybersecurity for you.  

1. Why do we need to take cybersecurity seriously?  

  • Violating cybersecurity regulations can lead to huge fines and massive liabilities. Under the new NIS2 Directive management bodies can be held liable in the case of a failure to implement the required security measures.
  • Failing to implement appropriate security measures in compliance with the NIS2 Directive or the GDPR may lead to fines up to EUR 10 million or up to 2% of the total worldwide annual turnover (NIS2) or up to EUR 20 million or up to 4% of the total worldwide annual turnover (GDPR) . 
  • Data subjects who have suffered damage because of a GDPR violation are entitled to compensation. Additionally, contracting parties may claim damages for non-compliance with contractual confidentiality provisions. 

2. How can we close the gap between the boardroom and cybersecurity? 

Get to know your Chief Information Security Officer (CISO) better – or if you don’t have one, hire one. Learn from each other, so that the board has a better grasp of cybersecurity, and the CISO has a clear understanding of your business strategy and goals. It’s also a good idea for the whole board to become more cyber aware by taking a course in cybersecurity – especially as under the NIS2 Directive (management) board members will be legally required to approve cybersecurity risk-management measures and oversee their implementation 

3. How can we find out how secure our company is?  

Ask your CISO to conduct a (or provide a recent) high-level risk assessment. This will highlight potential security threats and enable you to prioritize security investments to mitigate threats based on their potential impact on the organization. 

4. Are we already compliant with cybersecurity laws?

Given the increasingly complex cybersecurity regulatory environment in the EU, it’s hard for non-legal experts to know. We can provide a high-level overview of the laws relevant to your company and advise on what action may need to be taken to ensure compliance, now and in the future.  

5. Why should we boost our cybersecurity level? 

 To achieve:  

  • More effective protection of key assets through a structured risk-based prioritization of  key controls.
  • Heightened customer and partner trust.
  • Reduced risk of enforcement by supervisory authorities or moderation of fines in case of violation.

6. How can we find out our current cybersecurity maturity level? 

Perform a broad self-assessment with a team of subject matter experts (e.g. legal, compliance, risk, IT). Make sure you include your suppliers and chain partners in your self-assessment, as outages in your ecosystem may impact your business and adversaries may gain access to your systems via a vulnerability in a system of one of your suppliers. 

7. What’s the best way to keep our key assets protected? 

Stay informed on developments inside and outside your company. Internally, ask your CISO to provide regular metrics reports that measure, assess, and improve the performance and maturity of your security program. Combine these reports with context by CISO and subject matter experts on incidents inside the company’s ecosystem. Externally, stay up to date with substantial changes in threats and updates on regulatory developments.