Cyber security governance: The reality of board member liability in cyber attacks, data breaches

Board members play a key role in ensuring their organisations are protected against cyber threats. They are responsible for setting the tone at the top and ensuring that cyber security is prioritised at the highest levels of the organisation. Legal and ethical responsibilities demand that board members stay informed about the cyber security landscape and the specific risks facing their organisations.

Failure to comply with cyber security regulations can lead to severe consequences, including substantial financial penalties, legal action and irreparable damage to the organisation's reputation. Recent incidents have demonstrated that board members can be held personally accountable for lapses in cyber security, facing both legal and reputational risks.

A devastating example would be the case of Uber's former security chief, Joe Sullivan, who was convicted for concealing a data breach. According to a testimony reported by Courthouse News Service (2022), Craig Clark, an in-house attorney at Uber, testified that this secrecy was approved by the "A-Team", which included ex-CEO of Uber, Travis Kalanick, who knew and approved the payment of a ransom to the hackers, which ultimately led to Uber being fined $148 million by the state as stated by the Federal Trade Commission (2018). This case highlights the serious implications of neglecting cyber security responsibilities. It is essential for board members to champion robust cyber security practices and ensure sufficient resources are allocated to safeguard their organisations. The potential repercussions of non-compliance should serve as a stark warning to those who underestimate the importance of cyber security.

Cyber threats are no longer a distant possibility but an imminent and constant reality. With each passing day, these threats grow more sophisticated and damaging, forcing organisations to urgently strengthen their defences and governance structures to survive in an increasingly risky digital environment. High-profile breaches, such as those experienced by the Government Employees Pension Fund and TransUnion, underscore the damaging impact of cyber attacks, which result in substantial financial losses, erode customer trust and damage reputations. In 2021, the Council for Scientific and Industrial Research (CSIR) estimated the impact of cyber crime on South Africa's economy at R2.2 billion per annum. South African firms, among the top eight targets for ransomware attacks, have seen incidents affecting credit bureaus, healthcare, retail groups, government departments and banks. The complexity of cyber threats necessitates a proactive, multilayered defence strategy that incorporates the latest technologies and best practices, alongside fostering a culture of security awareness to minimise the risk of human error.

Data privacy has emerged as a central theme in many recent high-profile cyber security attacks, pushing governance officers to the forefront of political, economic and technological discussions. This wave has highlighted the crucial role of cyber professionals who can effectively engage in the international security dialogue.

The National Institute of Standards and Technology (NIST) has updated its framework to version 2.0, now incorporating governance, which underscores the need for robust governance and compliance practices.

In South Africa, the Financial Sector Conduct Authority (FSCA) and the South African Reserve Bank (SARB) have issued a Joint Standard requiring financial institutions to comply with cyber resilience measures by November 2024.

By the end of next year, three-quarters of the world’s population will be covered by data privacy laws, reflecting the global shift towards stringent data protection measures (ISC2, 2024). These global and local developments are driving the firming of cyber security governance, making it a critical area for organisations to focus on.

Effective cyber security governance involves a combination of risk management, compliance adherence and strategic oversight. Organisations must implement robust risk management strategies to identify, assess and mitigate potential threats. This includes regular risk assessments, incident response planning and continuous monitoring of the threat landscape.

A major enhancement to the NIST Cybersecurity Framework (CSF) is the addition of the new Govern Function, which underscores the importance of governance in managing cyber security risks. This Govern Function is now central to the framework and informs the implementation of the other five functions. It highlights that cyber security should be considered a significant enterprise risk, alongside financial and reputational risks.

NIST framework.

---

The updated framework is structured around six key functions:

• Govern: Establish and oversee the organisation’s cyber security risk management strategy, expectations and policies.
• Identify: Determine the current cyber security risks to the business.
• Protect: Implement safeguards to prevent or mitigate cyber security risks.
• Detect: Identify and analyse potential cyber security threats and breaches.
• Respond: Take action in response to detected cyber security incidents.
• Recover: Restore any assets and operations affected by a cyber security incident.

Additionally, the new Govern Function ensures that the implementation of CSF 2.0 is sustainable for organisations by focusing on governance categories such as:

• Organisational context (GV.OC): Addresses the organisation’s risk management decisions.
• Oversight (GV.OV): Encourages continuous improvement and adjustments to the organisation’s risk management strategy.
• Risk management strategy (GV.RM): Supports operational risk decisions based on the organisation’s risk tolerance, appetite statements, assumptions and other factors.
• Roles, responsibilities and authorities (GV.RR): Defines roles and responsibilities to foster continuous improvement and consistent performance assessments (NIST, 2024).

Strong governance structures ensure that cyber security is integrated into the organisation's overall strategy. This involves defining clear roles and responsibilities, fostering a culture of accountability and ensuring that cyber security considerations are embedded in all business decisions.

In response to these challenges, NIL Africa has partnered with ISC2 to launch a Cyber Security Governance programme. This comprehensive programme takes professionals from zero to CGRC certified with CC certification and CGRC certification. It also includes extra modules covering international and South African cyber law content.

The programme is aimed at:

• Information security teams
• Risk management teams
• Compliance teams
• IT governance teams
• Internal audit teams
• Data governance teams
• Business continuity/disaster recovery teams
• Legal and regulatory teams
• Corporate governance teams
• Third-party risk management teams

The first cohort begins this year in 2024.

NIL Africa, known for its innovative solutions and commitment to IT training excellence, and ISC2, a globally recognised leader in cyber security certification, bring together their expertise to create a comprehensive programme aimed at enhancing cyber security governance skills in organisations. This partnership seeks to equip organisations with the tools and knowledge needed to navigate the changing landscape of governance, risk and compliance in cyber security. By combining NIL Africa's practical experience with renowned facilitators and instructors with ISC2's educational resources, this initiative aims to make a significant impact in the war against cyber crime and compliance.

Prospective participants and organisations interested in enrolling in the Cyber Security Governance Programme or seeking additional information are encouraged to contact a NIL Africa sales representative or e-mail sales@nil.co.za for further details.

References

Courthouse News Service, 2022. Fired Uber attorney testifies against ex-security chief in trial over 2016 data breach cover-up. [online] Available at: https://www.courthousenews.com/fired-uber-attorney-testifies-against-ex-security-chief-in-trial-over-2016-data-breach-cover-up/ [Accessed 20 May 2024].

Federal Trade Commission, 2018. Federal Trade Commission Gives Final Approval to Settlement with Uber. [online] Available at: https://www.ftc.gov/news-events/news/press-releases/2018/10/federal-trade-commission-gives-final-approval-settlement-uber [Accessed 20 May 2024].

Government Pensions Administration Agency. (n.d.). Home. Available at: https://www.gpaa.gov.za/ (Accessed: 23 May 2024).

International Telecommunication Union (ITU), 2021. Global Cybersecurity Index (GCI) 2020. [online] Available at: https://www.itu.int/hub/publication/d-str-gci-01-2021/ [Accessed 20 May 2024].

ITWeb, 2022. Inforeg slaps TransUnion with enforcement notice. [online] Available at: https://www.itweb.co.za/article/inforeg-slaps-transunion-with-enforcement-notice [Accessed 20 May 2024].

ITWeb, 2023a. Cyber crimes annual impact on SA estimated at R22bn. [online] Available at: https://www.itweb.co.za/article/cyber-crimes-annual-impact-on-sa-estimated-at-r22bn/JN1gPvOAxY3MjL6m [Accessed 20 May 2024].

ITWeb, 2023b. Financial services must move to comply with new standards for cyber resilience. [online] Available at: https://www.itweb.co.za/article/financial-services-must-move-to-comply-with-new-standards-for-cyber-resilience/LPp6V7rBnoK7DKQz [Accessed 20 May 2024].

South African Reserve Bank, 2023. Publication of the Joint Standard IT Gov and Risk. [online] Available at: https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-public-awareness/Communication/2023/Joint-Communication-4-of-2023-Publication-of-the-Joint-Standard-IT-Gov-and-Risk [Accessed 20 May 2024].

(ISC)², 2024. What's trending in GRC? [online] Available at: https://www.isc2.org/Insights/2024/02/whats-trending-in-GRC?queryID=645ba836d4e2f0fe53d17fd1ba63545f [Accessed 20 May 2024].