Cyber breaches continue to make headlines, and their impacts are increasingly being felt across industries. As organizations tackle these evolving risks, executives, directors, and committees of the board are facing pressure from shareholders and scrutiny from regulators to build robust cyber strategies.
While board members have an opportunity to defend their organization's interests by prioritising sound and robust cyber defence, they may not know where to start. Understanding their organization's risk profile, their role in supporting and empowering leadership, and their own responsibilities to act can be daunting. To provide a perspective on how directors can become more effective on this front, KPMG built a straightforward framework informed by extensive global research: Understand-Guide-Act.
Understand-Guide-Act is the first framework of its kind, designed to provide directors and boards with actionable guidance to help them understand and discharge their responsibilities around cyber security. The scalable and industry-agnostic principles enable sound and risk-informed decision making, while championing the same pillars of good governance boards are familiar with.
And it all begins with understanding the risk.
No two cyber strategies are the same. While there may be some similarities within industries, each organization's approach is defined by its unique business priorities, risk appetite, and threat landscape. It is incumbent on boards of directors to look carefully at internal, external, and regulatory factors impacting their organization to inform their understanding of the overall risk profile. By consulting with tech, cyber, and risk leaders within their organization, directors may enhance and contextualize their understanding through the use of various tools. These may include:
By first equipping themselves with an understanding of the organization's cyber threat landscape, risk profile, regulatory requirements, and programme performance, directors are able to support executive leadership's cyber security efforts. Understand-Guide-Act outlines five areas where that board-level support is most valuable:
As with other areas of the business, it is incumbent on boards to provide responsible oversight and governance of cyber security activities. The Understand-Guide-Act framework describes five key areas across which boards can take meaningful action to enable corporate cyber governance:
Directors will increasingly be called upon to understand and meet their cyber security responsibilities. As high-profile breaches keep making headlines, and as legislation continues to evolve across jurisdictions, shareholders and regulators alike are looking to boards to provide a sophisticated level of understanding and oversight of cyber security within their organizations.
By equipping themselves with the right tools and advice, boards can take concrete steps to promote their organization's priorities and safeguard their business.