
The Marie Trust – Chair

Chair – The Marie Trust 11759 The Marie Trust is a charity with an excellent and established reputation for its multi-faceted and progressive services delivery within the homelessness, criminal justice and addictions sectors in Glasgow. The dedicated, experienced and highly skilled Board, staff and volunteers of The Marie Trust work tirelessly for and with some […]

The post The Marie Trust – Chair appeared first on NEDworks.

[…]

Irise International – Chair

Chair – Irise International Organisation: Irise International Reference: Vacancy Type: Chair Deadline: 30th April 2019 Region: Nation Wide Vacancy Details We are excited to be looking for an individual with experience of leadership and senior management who can chair our board of trustees. Irise International is committed to creating a world where no girl is […]

The post Irise International – Chair appeared first on NEDworks.

[…]

What boards need to know about whistleblowing


Big corporate scandals have made whistleblowing a headline topic. From Danske Bank to the Panama Papers, whistleblowers have thrown a spotlight on problematic behaviour.

Politicians and regulators have responded with measures to protect whistleblowers, seeing such individuals as a check on wrongdoing and a way of ensuring corporate accountability. But what are the key elements of whistleblowing in the UK and how do companies get it wrong?

The statutory regime for whistleblowing in the UK was established in 1998 with the Public Interest Disclosure Act, which followed a wave of corporate scandals.

Crucially, the legislation provides protection for whistleblowers. First, by deeming unfair any dismissal of a worker for making what is known as a “protected disclosure”. Second, by making unlawful any action that causes “detriment” to a worker if the action was prompted by the worker blowing the whistle.

Key to the legislation is the definition of “protected disclosure”. Whistleblowing is considered protected if a worker discloses information rather than making threats; the worker has a “reasonable belief” the disclosure is in the public interest; information is disclosed to specified persons such as the employer or to prescribed external bodies; and the disclosure relates to one of six kinds of “relevant failure”.

The six relevant failures are: breaches of a legal obligation; dangers to health and safety; criminal offences; miscarriages of justice; damage to the environment; and, lastly, covering up information about failures in any of these areas.

Public interest

Crowley Woodford, head of the European employment practice at law firm Ashurst, warns that the law in this area can be “tricky”. The requirement that workers need only have a “reasonable belief” that something is awry is a key example.

“That’s a relatively subjective test,” says Woodford. “As long as the whistleblower subjectively believes that a breach has occurred and that is objectively reasonable, it does not matter if that belief later turns out to be wrong.”

A further caveat is that the disclosure must be in the “public interest”. As originally enacted, the legislation required only that whistleblowing be made in “good faith”. After many workers used the regime to report purely personal employment concerns, the public interest test was introduced as a counterweight.


Woodford warns, however, that employment concerns can still be reported; all whistleblowers need do is show that their complaint applies to more than one individual.

The legislation is also open to tactical use by a worker. For example, when an individual’s professional performance is called into question, companies may find that he or she then blows the whistle and subsequently argues that any dismissal arose because of the whistleblowing.

“If the tribunal can see that there is a history of poor performance before the whistleblowing and a good paper trail evidencing this,” says Woodford, “that will present a powerful argument that the dismissal or detriment did not arise as retaliation for blowing the whistle.

“The problem is that employers often don’t do that and performance issues are often dealt with informally without documentation, leaving the company more exposed.”

As mentioned, whistleblowers are protected from “detriment” where they have made a protected disclosure. It is relatively easy for companies to ensure at the time of a report that a worker is not subjected to detriment.

According to Woodford, problems arise once an investigation has ended if a whistleblower is excluded from events as innocuous as project team meetings or discussions because that could be enough for someone to claim that detriment has taken place.

“The wider the knowledge of the whistleblowing spreads, the more potential there is for this type of exclusion to occur,” says Woodford. “It requires effective management and containment to a small group of individuals who are skilled in dealing with these issues.”

Restricting access to information matters just as much for anonymous reports, because speculation naturally focuses on who made the report. Protocols are therefore needed to govern who may see what.

“Having these issues embedded in a policy is a powerful means of ensuring that the employer at each step is trying to afford the whistleblower protection,” concludes Woodford.

The situation in France

French multinationals have been implementing whistleblowing policies for some years, but the work was given added impetus in 2016 with the introduction of the Sapin II law.

The legislation details which companies must implement a whistleblowing policy (those with 50 employees or above), lays out step-by-step procedures to be followed and offers a definition of what constitutes whistleblowing.

However, according to Nataline Fleury, an employment law partner at Ashurst in Paris, a complex mesh of laws applies to whistleblowing in France. This includes Sapin II, data protection law (GDPR), the law relating to works councils and the legislation governing disciplinary sanctions.

Sapin II procedures are designed to ensure whistleblowers do not face discrimination, while those found responsible for wrongdoing do not face sanctions that cannot be justified. That means taking great care with the process.

The French regime is designed to discourage anonymous reports. Whistleblowers can ask for anonymity, but anonymity is not to be encouraged; named reports are considered preferable.


Confidentiality must also be maintained. This is why many French firms choose third-party service providers to handle their whistleblowing hotlines and investigatory procedures. It’s not mandatory, but it provides a level of assurance against leaks.

Risk then arises once an investigation is complete and the company must decide what disciplinary action to take. Hubert Blanc-Jouvan, a regulatory partner with Ashurst, explains that in financial services this is often the point at which matters relating to financial regulation are handed to a regulator.

“Where there is an opportunity to pass the matter to a regulator, it is better for them to investigate,” he says. Additional requirements apply to financial firms and French regulators implement specific procedures to collect and deal with the reports received from whistleblowers, he adds.

Employers in unregulated sectors must decide which disciplinary action to take themselves. Here confidentiality remains paramount, as does the need to follow procedure as it is set down in law.

Fleury warns: “You need to ensure that the whistleblowing policy, the consultation process of the employee representatives, the information of the employees and the manner in which the whistleblowing procedure was followed through all comply with the law, or an employee can challenge any sanction faced by arguing that the process did not comply with the regulations.”

The situation in Germany

Unlike the UK and France, Germany has no specific whistleblower law. However, according to Andreas Mauroschat, an employment law expert at Ashurst in Frankfurt, German companies, especially those in financial services, have been implementing whistleblowing plans for many years. These have also become a mandatory part of the risk management obligations stipulated in the German Banking Act.

Regulatory requirements from BaFin, Germany’s financial regulator, are broad and simply ask firms to have some form of whistleblowing plan and procedure that allows employees to provide information confidentially on breaches of certain laws, such as MAR (the Market Abuse Regulation), the German Banking Act, the German Securities Trading Act and others.


Employee protection comes through labour laws because employment agreements impose a fiduciary duty on employees to disclose problematic behaviour, or go to an external body if the issue is thought to be in the public interest. In these circumstances an employer is prevented from taking any retaliatory action because the employee is not in breach of their employment contract.

According to Mauroschat, whistleblowing policies need to be robust with standard procedures that allow for benchmarking, action plans for containment and prevention plans addressing future processes. Most importantly, systems need to document each step taken during the whistleblower process, especially the reasons for any decisions taken on issues such as disciplinary action.

A failure to keep adequate records can lead to problems later. “We often see an incident is handled professionally,” says Mauroschat, “but when there is a follow-up, or a challenge to a decision, we frequently see documentation for the original incident is not complete and elements of the process are undocumented.”

One way to resolve that issue is through the use of new internet-based integrity systems. “These systems allow you to move away from managing data to managing a process, and avoid people failing to act correctly because the system forces you to take steps in line with internal policies,” says Mauroschat.

“They can be a very powerful tool and massively reduce risk.”

This article has been prepared in collaboration with Ashurst, a supporter of Board Agenda.

The post What boards need to know about whistleblowing appeared first on Board Agenda.

[…]

Calculate your statutory redundancy pay

Calculate how much statutory redundancy you can get based on age, weekly pay and number of years in the job […]

Nissan’s governance report is a warning for all boards


Just 20 minutes. That’s the time Carlos Ghosn allegedly allowed for each board meeting when he was heading Nissan.

Whatever the facts surrounding Ghosn’s guilt or innocence of the charges he now faces, that nugget of information stands out as a red warning light.

The disclosure that Nissan’s boardroom get-togethers were so brief comes in the report published this week from the car maker’s Special Committee for Improving Governance.

Headline writers were quick to highlight the report’s conclusion that a “personality cult” existed around Ghosn that made his behaviour “impenetrable territory” that could not be questioned.

The report says Ghosn “realised concentration of authority in himself” through domination of appointments and remuneration of senior managers. It alleges he cemented this power through the appointment of a single director, Greg Kelly, to run administrative affairs. According to the report, any questioning of remuneration or appointments directed at Kelly or the so-called “office of the chief executive” was met with vague answers that gave little away.

At Nissan, the report says, “dissenting views” could be met with the suggestion that “they would be removed”.

What emerges, therefore, in the under-reported recommendations of the committee, is a strategic effort to drastically reduce the powers of the CEO at Nissan.


Those used to Western norms will be surprised to hear that the major prescription for improved governance will be to move Nissan from its current complex, “traditional” Japanese governance structure to a slimline “three statutory committees” system. In other words: audit, nominations and remuneration committees.

This is worth reflecting on. For many in business the process of distributing accountability through committees may be considered bureaucratic and mundane. But try functioning without it and the risks, as far as Nissan’s special committee is concerned, are all too clear.

Some of the other recommendations of the committee include:

  • The majority of directors should be independent and from outside the company;
  • The number of directors should be enough to prompt “lively discussion”;
  • Diversity among directors should be “fully considered”;
  • The nominations committee should have a majority of external, independent directors;
  • One role of the nominations committee should be to refresh membership of the board “on a regular basis”;
  • All members of the remuneration committee should be external, independent directors;
  • The chair of the board should be an independent, external appointment;
  • Independent members of the board should meet regularly;
  • Third-party providers should evaluate the effectiveness of the board, but the audit committee should also conduct audits in “respect to the effectiveness of the supervisory function” of the board of directors;
  • Internal audit should report directly to the audit committee if it encounters “misconduct”. Directions to internal audit from the audit committee trump those from the chief executive.

The report highlights the need for corporate culture to change, not least switching attention from short-term aims to mid and long-term objectives. The CEO’s office will become subordinate to other departments and the rather opaque “CEO’s reserve” fund is to be abolished.

Rebuilding trust

Over-reliance on a single chief executive is always risky. However, it’s not hard to see how it happens if they appear particularly successful.

But there’s a further issue connected to Nissan’s report. The business world has for some time battled with a “trust” deficit. Ever since the financial crisis, a succession of corporate scandals and endless headlines shining a light on excessive executive pay, the discussion among business organisations and politicians has been focused on how to rebuild trust in business—indeed, how to rebuild trust in the capitalist system.

Reports of a chief executive who was “deified”, who could not be questioned, who built opaque corporate structures to duck accountability, only feeds into the public perception of business being much less than honest. It confirms the narrative of business suffering from moral bankruptcy.

What Nissan’s report recognises is that even high-flying CEOs are accountable to their companies, not the other way round. That’s something worth remembering, not just in Japan, but here in Europe too, where chief executive pay settlements seem to indicate that chief executives are treated reverentially.

The special committee concludes:

“Although it is a matter of course that business strategies shall be proposed on the CEOs’ responsibility, such strategies must be discussed by not only the board of directors but also management meetings such as the executive committee, and eventually, approved at the board of directors.

“SCIG [the special committee] believes that it is unfortunate for Nissan that under the Ghosn system, there is a perspective that no goals that it should reach had necessarily been discussed in an effective way in meetings of the board of directors or the executive committee and other management meetings.”

The board is there for a reason. It must be allowed to do its work, not least to actively prevent the “deification” of its CEO, to question and to challenge. Most of all, it should define an organisation’s purpose. Without those elements we will always see CEOs who come to believe their own propaganda.

The post Nissan’s governance report is a warning for all boards appeared first on Board Agenda.

[…]

Sir Roger Carr: What makes a good non-executive?


A lifetime achievement award has the thrill of a corporate Oscar—tinged with a slight sense of concern as a business obituary.

Nonetheless—having chaired these awards in the past, and seen previous winners—I receive this award with a mix of enormous gratitude and considerable humility. So, thank you very much.

In these turbulent times, the need for non-executives has never been greater. Having had the privilege of sitting on many boards, in good times and the not so good (of which there have been a few) I am often asked what I think makes for a good non-executive. So, I felt I would take this moment to share with you my top five.

First: Make sure you have the right motives when joining a board. The risk reward ratio is rarely favourable. The standard five principles of life: “What’s in it for me?”, must be outweighed by, “What can I contribute to it?”

To contribute you must have a genuine interest in the business, a desire to add value, a willingness to give advice, but the tolerance to be ignored.

And where you add value is critical: independent judgement on people; clarity of mind on risk management; vision for the future on strategy; focus on succession planning, and help in the day to day.

In summary, rule one, you need the skillset to contribute as an individual, but the mindset of a team player.

Rule two: Don’t confuse helping with meddling. This is one of the greatest challenges, particularly for those used to executive roles.

To help, you have to understand the business. Read the papers, visit the sites, engage with management, listening more than transmitting, thinking more than doing, advising more than telling.

So remember, board members challenge, advise, and encourage. Executives execute; non-executives execute the executive if they continually fail. Role confusion is dangerous for everyone.

Rule three: Have the humility to believe that others have something to offer and the patience to judge if you are right.

Weighing the evidence is vital, listening and learning. Rushing to judgement is risky, just as delay in acting on poor performance is dangerous. The best boards comprise individuals who are sure of themselves, but respect colleagues for their contribution; who are measured in forming opinions, but swift in implementing conclusions. A good principle—action this day—having slept on it overnight.

Rule four: Remember that you may have been hired for your experience but you will be valued most for your character.

As a chairman I look for those who are authentic in manner: who look to the mirror for judgement not the gallery for applause; who have the courage to speak truth to power and the resilience to be rebuffed.

Most importantly the integrity to know—whatever the pressure from shareholders, competitors, customers or peers—a board must do the right thing simply because it is the right thing to do.

Finally, rule five: Remember shareholders, employees, prospective employees and customers increasingly focus on how you make money, not simply how much money you make.

Honesty, integrity and diversity are the hallmarks of a good board. And diversity is not box ticking. It provides the healthiest environment for collective decision making, it is a combination of merit and gender. We have made good progress in the boardroom, it is work in progress in executive management, and we have a long way to go to see more women in the role of chair.

Let’s not forget this is not simply a gender issue, it’s about making business better. Plus respect for the environment, concern for all stakeholders.

These are not optional extras. They are at the heart of the business and the key to social acceptability. If capitalism is to thrive, the reputation of business must improve and in this, the role of the non-executive is key; how we conduct ourselves, present ourselves, govern ourselves and pay ourselves.

In short business and business leaders must be performance driven, value led. Being a non-executive is not simply a job, it is a privilege and vital if business is to be of value to society and valued by the community in which we live. Thank you.

The post Sir Roger Carr: What makes a good non-executive? appeared first on Board Agenda.

[…]


Lymphoma Action – Treasurer and Trustees

Treasurer and Trustees – Lymphoma Action Organisation: Lymphoma Action Reference: Vacancy Type: Treasurer & Trustees Deadline: 26th April 2019 Region: Nation Wide Vacancy Details Lymphoma Action is the UK’s only charity dedicated to lymphoma, the UK’s fifth most common cancer; we have been providing expert information and wide-ranging support for over 30 years. Based in […]

The post Lymphoma Action – Treasurer and Trustees appeared first on NEDworks.

[…]

CXK Ltd – Trustee

Trustee – CXK Ltd Business / Organisation Name: CXK Ltd Business / Organisation Sector: Not-for-Profit Business / Organisation Website: https://www.cxk.org/ Business / Organisation Type: Charity or Not-for-Profit Role Title: Trustee Remuneration: Expenses only Role Description CXK – A south east charity One Team, One Organisation, Changing Lives CXK is a registered Charity which works across […]

The post CXK Ltd – Trustee appeared first on NEDworks.

[…]

Taking control of cyber risk


When Facebook chairman and CEO Mark Zuckerberg faced the press after hackers stole data from up to 50 million social networking accounts last September, he said “we need to do more to prevent this from happening”.

It’s a typical response, the sort of reaction you get from CEOs when the data horse has already bolted. Unlike the CEO of Equifax, which saw 693,000 UK data records stolen in 2017, Zuckerberg kept his day job. The problem most boards have is that, following a cyber-attack and data breach, there is little more you can say other than “sorry”.

For Facebook and the many other businesses that suffered cyber-attacks in 2018, the real implications are still being felt: lost revenue, lost customers, fines (Facebook was fined £500,000 by the UK’s ICO) and ongoing reputational damage. The average cost of a data breach to a business is around $3.86m. For all businesses—even Facebook—it’s not just a case of “doing more” and expecting this will be sufficient in preventing further attacks.


If 2018 proved anything, it’s that everyone and everything is a target, hackers are persistent and mistakes happen. This is why the cost forecasts keep rising. On a global basis, cybercrime will cost $6trn annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures. It’s one of many similar forecasts.

The important thing to remember is that it’s not someone else’s problem to solve. As AON revealed in its Global Risk Survey 2018, cybercrime is top of the charts when it comes to ranking risk, so businesses and boardrooms have to take control and minimise that risk where possible.

“There is no such thing as 100% secure,” says Mark Camillo, head of cyber, EMEA at global insurance organisation AIG. Understanding the gravity of the cybersecurity threat and how to manage resources effectively to mitigate it should be fundamental to boardroom decision-making. It’s about top-down culture: if the boardroom takes it seriously and acts, the rest of the organisation will take it seriously too. A key part of that is being prepared for all eventualities.

Make a plan

A cybersecurity plan should be as much about cure as prevention. If you accept, in all likelihood, that at some point the business will be breached, the mindset has to be about continuity and recovery. No board wants to see all the hard work of a business be undermined within a few days due to a cyber-attack.

Every business should have a cybersecurity policy. This is essentially a plan for making sure the whole organisation pulls in the same direction when it comes to preventing attacks, but also for knowing what to do post-breach. A comprehensive plan for protecting data, networks and devices will ensure nothing is left to chance.

A cybersecurity policy should cover four main areas: compliance, infrastructure protection, recovery and education.

  • Compliance Detail what is expected of the business when it comes to managing data and how it will adhere to the EU’s data protection rules in GDPR or US rules such as HIPAA.
  • Infrastructure protection What and who will be protecting the data? Ensure there is a coherent plan of protection, from a multi-layered software approach (antivirus, firewall, anti-malware and anti-exploit software) to comprehensive insurance cover. Who is in charge of this, and how will software updates and patches be applied and data backed up?
  • Recovery Who does what in the event of a breach? What is the action plan for isolating an incident and getting the business back up and running as quickly as possible? Who is going to communicate with regulators, customers, partners and suppliers, and deal with an insurance claim?
  • Education The business needs a clear communication strategy for all staff on internet and email usage and best practice: clear guidelines on acceptable usage, how to detect scams, how remote workers should access the network, social media rules, password management systems and how to report incidents.

Building a plan will focus the minds of the board. Cybersecurity is no longer a specialist field that concerns only the IT department or a chief security officer. A breach can affect the whole organisation and even put it out of business, so cybersecurity awareness training is now essential for everyone within the company. Human error is, after all, the biggest culprit. According to Experian’s Managing Insider Risk Through Training and Culture report, 66% of the data protection and privacy training professionals questioned said employees were the weakest link.

The insurance safety net

More than ever, businesses need to protect themselves, physically, virtually and financially, from the threat of cyber-attack. By transferring risk to an insurer, boards can build a robust strategy to deal with threats.

Knowing where to start is often a problem, but risk can be measured. An insurance firm or broker should be able to model a company’s risk and explain how its current risk level translates into premiums, along with recommendations on how to improve its risk score.

“We are modelling risk, looking at attack probability, claims data, internal security controls and so on to build a picture of a company’s risk,” says Camillo at AIG, adding that this data also builds a benchmark for vertical sectors. “This also helps with modelling risk costs and gives companies clearer insight into what they need to do to reduce risk and insurance premiums.”

Interestingly, despite being one of the biggest safety nets for businesses, insurance is underutilised when it comes to cybersecurity. A survey in August last year by digital research firm Ovum found that only 38% of firms had cybersecurity insurance covering all eventualities. The survey also revealed a lack of understanding among companies of the impact a cyber-attack can have across an organisation.

A risk assessment goes a long way to educating both boardrooms and management, and bringing cyber intelligence into the business. “It’s an essential tool in giving more transparency and intelligence back to companies, and an entry point to more comprehensive cover that could also include incident response, forensics and legal and PR support from crisis management experts,” says Camillo at AIG.

A recent PwC report argues that this is the future, and it is already gaining recognition from organisations looking for solutions to the growing threat. PwC estimates that annual gross written premiums for cyber insurance will rise from roughly $2.5bn today to $7.5bn by the end of the decade. “Businesses across all sectors are beginning to recognise the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape,” says the report.

However, the problem for the board is identifying policies that work specifically for cybersecurity and are not just bolted-on, often expensive, extras. As the Ovum study found, 62% of US companies reported they don’t believe their cyber insurer priced their premium based on an accurate analysis of their risk. This has to be a learning process for both insurer and insured, and it demands more extensive risk modelling.

As with all specialist insurance sectors, cyber insurance cannot simply blanket-cover a business and be expected to suffice. Cover has to be designed to meet the urgent needs of a breach. It has to be responsive 24/7, help cover investigations and fines, and protect a business from the intensive costs of data recovery and reputational mitigation as well as lost revenue.

Supplier and customer trust are fundamental to the ongoing success of a business. Few if any businesses can afford to jeopardise that trust. A cybersecurity breach, with its potential loss of sensitive data, is now one of the biggest, if not the biggest, threats to that trust, placing more importance than ever on remediation, insurance and that often under-appreciated notion, peace of mind.

TOP FIVE RECOMMENDATIONS FOR MANAGING CYBER RISK

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular time on board meeting agendas.
  • Board directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  • Board–management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

For more details download the Internet Security Alliance’s Managing Cyber Risk: A Handbook for Boards of Directors.

This article was produced in association with AIG, which is a supporter of Board Agenda.

The post Taking control of cyber risk appeared first on Board Agenda.