IBA report examines the role of the board and management in cybersecurity

The report draws on sources from ten jurisdictions

IBA report examines the role of the board and management in cybersecurity

A new report from the International Bar Association highlights the shared accountability between senior management and boards of directors to tackle cybersecurity risks and provides 17 recommendations to both parties, including:

  • understand the cyber risk profile of the organisation;
  • ensure the board and management have sufficient cybersecurity expertise;
  • ensure appropriate reporting lines so that cyber risks are raised to leadership;
  • invest sufficient funds to meet cybersecurity goals; and
  • review, understand and test the organisation’s cyber incident response plans.

The report entitled Global perspectives on protecting against cyber risks: best governance practices for senior executives and boards of directors, provides a global perspective on key governance practices for senior managers and boards of directors to protect their organisations against cyber-attacks.

The report draws on sources across ten jurisdictions—Australia, Brazil, Denmark, Germany, India, Israel, Singapore, Uganda, the United Kingdom and the United States – to provide comparative analysis with diverse international case studies. It provides an insight into existing cybersecurity threats and outlines actionable steps that companies can take to strengthen their cyber risk governance. 

 There is a real need for leadership and development of international cyber best practices in the intersection of law, public policy and technology,” said Sternford Moyo, immediate past president of the IBA and chairman, Scanlen and Holderness, Zimbabwe, who appointed the Task Force during his 2021–22 presidency and assigned the project as a presidential priority. “This IBA report sets a global benchmark on best governance practices for corporations in effectively safeguarding their organisations against cyber risks.”

Through its country-level case studies, the report highlights the widely varying cybersecurity practices across regions due to differences in regulatory capabilities. While organisation-level governance and accountability are important, large-scale leadership is undoubtedly necessary, according to the report. Setting guidelines and standards apart from national legislation can bridge existing gaps in knowledge.

“It is more important than ever that senior executives and boards of directors engage directly in ensuring their organisations are managing cyber risks effectively,” said Luke Dembosky, co-chair of the Presidential Task Force on Cybersecurity and a partner at Debevoise & Plimpton, US. “The days of leaving that enormous responsibility to the IT team or to privacy compliance to handle are long over, as these are clearly whole-company risks to operations, data, and brands.”

The report determines that senior management play a crucial role in day-to-day operations, positioning them well to map cybersecurity risks and identify high-priority concerns. Tracking internal knowledge, external support and expertise, and cross-functional collaboration, they are best placed to select the ideal policy for their organisation. They are also responsible for ensuring internal compliance, and as the primary reporters to the board, they can also suggest timely analysis/assessments and updates.