Supervisory boards and cyber security

In 2019, the European Union Agency for Cybersecurity (ENISA) reported that the scale of cyber attacks had changed significantly. We are seeing a steady increase this year as well. Cyber threats are the fastest growing threats that organizations face today, and supervisory boards need to find a way to address them.

The risks posed by cyberspace are relatively young, especially for traditional businesses, as there has not been such a high level of digitization and dependence on information technology in the past. Information security has been, and unfortunately still is, lagging behind new cyber threats, which constantly exploit the vulnerabilities that organizations create through a lack of information security management.

The recipe for supervisory boards in addressing cyber threats consists of five principles. The boards are responsible for security incidents and costs incurred due to poor security policy. In doing so, they must, of course, have an appropriate influence on management boards.

Principle 1: Management boards need to be aware that cybersecurity is part of corporate risk management and not an isolated task for IT departments.

Principle 2: Management boards need to consider how cyber risks affect the legal consequences as well as the reputation of the organization.

Principle 3: Management boards must introduce cyber security reporting, both at the level of management reports to management boards and supervisory boards.

Principle 4: Supervisory boards should ensure that management boards establish a comprehensive cyber security risk management framework that includes an organizational culture, capabilities to prevent, detect and respond to perceived cyber security incidents, and to monitor and communicate at all levels. In accordance with the adopted strategy, they must provide a sufficient amount of adequate resources.

Principle 5: Supervisory boards and management boards should discuss cyber risks with each other and include principles for their management (reduction, transfer or acceptance of certain risks).