The Cyber Security Challenge - Are The Boards Ready? Denish Osodo, Director – Internal Audit, Safaricom Limited, 27 May 2016

Page 1: The Cyber Security Challenge - Are The Boards Ready? (isaca.or.ke/downloads/The-Cyber-Security-Challenge-Are... · 2016-08-05 · Safaricom Public)

The Cyber Security Challenge - Are The Boards Ready?

Denish Osodo

Director – Internal Audit

Safaricom Limited

27 May 2016


Page 2


The situation in Kenya

Page 3


What keeps business leaders awake

(Survey charts, three panels: Global, Africa, Kenya)

Sources: PwC’s 19th Annual Global CEO Survey; PwC’s 2016 The Africa Business Agenda survey; Serianu Kenya Cyber Security Report 2015

Page 4


Functions and Accountability of the board

The board of directors is ultimately responsible for the company’s business affairs and governance.

• Assume responsibility for leadership and control of the corporate

• Direct and supervise the corporate’s affairs

• Make decisions in the interests of the corporate

Board Accountability

• Accountability to shareholders

• Accountability for board operation

• Accountability for strategic decisions and performance

Page 5


Governance Trends

1. Board Accountability

• Board members are increasingly being held to account, individually or collectively, for failure to provide oversight.

• Media, activists and public pressures are augmenting the objective standard of care for directors. Director action (or inaction) will be more and more visible.

• Onerous risk coverage requirements on directors that require oversight of internal controls and risk management.

• Greater scrutiny of board composition, capabilities and skills for effective direction of management teams.

2. Integrity and Ethics

• Emphasis on a culture driven by the organization’s value system.

• Injudicious risk-taking is the new warning sign on which prudent boards are seeking substantial assurance.

• Greater emphasis on leadership by example.

• Embedding ethics as part of the organization’s DNA.

3. Cybercrime and Technology governance

• Boards are upskilling to provide effective direction and oversight in areas of rapid technological advancement and change.

• Cyber security and social media are examples of IT risks that can cause privacy breaches, reputational damage, and significant investor loss.

4. Governance in the public interest

• Regulators are requiring that corporate entities are created to protect the public interest, where public funds or resources are involved, that are separate from the primary commercial entities. There is also a move towards prescribing the competency matrices for directors and oversight functions of those entities.

• There is a growing tendency to account for the wider stakeholder view of governance that is not limited to shareholder democracy.

Page 6


Board Engagement and Oversight

General areas of concern to Boards:

• Leadership and Governance

• Human Factors

• Information Risk Management

• Business Continuity

• Operations and Technology

• Legal and Compliance

Page 7


What the Board cares about

Areas to address in increasing Board awareness and action

Financial impact

• Will investment in cybersecurity increase my revenue?

• How much loss would result from a cybersecurity incident?

Reputational damage

• Can I sustain the fury of KoT (Kenyans on Twitter)?

• Can customers trust me?

Regulatory Compliance

• Fines by the regulator

• Legislation targeted against my company

• Requirement by regulators for compulsory IT audits

Stakeholder/Customer Focus

• Uninterrupted services to customers

• Customer data privacy

• Enhanced partner confidence

Loss of Intellectual Property

• Will they steal my trade secrets?

Page 8


Why Cybersecurity may not be on the Board’s Agenda

• Perception that information security governance is best handled by the company’s management

• Board members may be overly confident about the effectiveness of their cybersecurity governance processes

• Management may not be providing information on cyber attacks and data breaches affecting the organization (i.e., a lack of transparency)

• It may not be clear to the board what an effective cybersecurity function should be achieving (i.e., what does success look like?)

• Perception that cybersecurity is an issue to be handled by law enforcement authorities

• Limited knowledge of cybersecurity

Page 9


Bridging the gap

• Form a special cybersecurity committee to elevate the attention and importance of cybersecurity risk and ensure it is on the board’s agenda

• To increase transparency, establish parameters for accountability without blame and with appropriate, pre-understood consequences

• Establish an understanding that cybersecurity is an enterprise-wide risk management issue, not just an IT issue

• Include cybersecurity as a standing topic in every risk committee and board meeting

• Hold frequent briefings on the state of cybersecurity in the organization to keep board members informed about the threat landscape and how it may impact the company

• Create and standardize security metrics and KPIs. Use risk-based frameworks to which the board can relate

• Think business and communicate cyber impact in terms of business-based outcomes

Page 10


Questions that a well-informed board will ask regarding Cybersecurity

• Cybersecurity governance: policies, strategy, frameworks

• User security awareness and training

• Risk assessment of internal and external threats

• Adequacy of incident response mechanisms

• Continuous monitoring and assurance

• Customer data privacy (PII)

• Business continuity and prompt recovery of operations

Page 11


The Cyber Security Challenge – is your Board Ready?

Page 12


Thank You
