IT security, the risks and the board’s role & responsibilities
Key takeaways from Breakout session C featuring Najia BELBAL | Member of ILA Executive Committee (Moderator) - Pascal STEICHEN | Chairperson of the ECCC Governing Board; CEO of the Luxembourg House of Cybersecurity - Astrid WAGNER | Partner, Arendt & Medernach - Yanniss LERVON | Director, Change Digital

Prove you are cyber-resilient

It’s not a question of if, but when your organisation will be hit with a cyber-attack.

Prevention through a work culture of cyber hygiene is important to reduce vulnerability, but ultimately boards have to ensure their organisations are resilient. These fundamentals were fleshed out in the "IT security, the risks, and the board’s role & responsibilities" breakout session.

“To protect against liability, as a corporate body you must be able to provide evidence that you have taken the threat of cybercrime seriously, debated this in the board, with the result of this risk being properly managed,” said Astrid Wagner, a partner with Arendt & Medernach. This might start with the regulatory aspect, but should not stop there. “Ultimately we are talking about resilience, because full protection is impossible,” said panel moderator Najia Belbal, a member of the ILA Executive Committee.

At least regulation

From GDPR to the coming Digital Operational Resilience Act (DORA) and the second Network and Information Security directive (NIS2), European regulators are setting benchmarks. Ms Wagner gave an overview of this landscape, including the five pillars of DORA as she presented them: ICT risk management, ICT-related incident management, incident classification, reporting, and testing of digital operational resilience.

She also focused on the specific regulatory challenges the country faces. “The Luxembourg financial sector is particularly reliant on an outsourcing model, hence the importance of managing third-party ICT risk,” she noted. There has been increased focus on ensuring service providers have the necessary cyber resilience expertise and experience, and clients are increasingly sending out questionnaires as proof of best efforts.

An agenda must-have

“Yet regulatory box ticking should not be the primary aim of an organisation, but rather building an organisation that can respond effectively to cyber crises,” she said. “No company can afford to not address cybersecurity at all levels,” agreed Pascal Steichen, Chair of the European Cybersecurity Competence Centre Governing Board and CEO of the Luxembourg House of Cybersecurity. “Boards have to have cybersecurity on their agenda, and it’s not me telling you this but numerous global best practice reports, and it was one of the main topics at the World Economic Forum.”

Mr Steichen insisted that this is not a topic to be entrusted solely to the chief information security officer (CISO). He recommended that each company should have at least one or two members of the oversight or executive boards focus on that topic. “Beyond that, all key people should have a certain level of knowledge about the topic, just as they do about finance and the law,” he said.

All staff should also be engaged to build a security culture within the enterprise. “Most of the attacks that we see today target humans, and these are increasingly sophisticated and tailored to be particularly persuasive and realistic,” he said.

Categorise risks and prepare

There is also a need to identify and categorise different risks in order to define a risk appetite. Mr Steichen recommended independent audits to identify the nature of different vulnerabilities, so that teams can focus on high-risk areas while accepting an element of lower risk elsewhere. “The investment required to mitigate all risks might be too high, so maybe investment into response capacity would give the minimum comfort required,” he said. “It's also a communication challenge, within the company, but also with providers, clients and regulators.” Hence the importance of soft skills alongside technical know-how.

The starting point of a cybersecurity strategy is the ability to detect attacks and threats. “The main challenge is always monitoring,” said Yanniss Lervon, director of Change Digital, who gave some case studies of cyber-attacks, including one in which the attacker had infiltrated the organisation two years before the main assault occurred.

Simulate to build effective teams

As well as training, Mr Steichen recommended having management teams and boards take simulation exercises to enable them to understand how they need to work and cooperate during an attack. “Such simulations help threats and vulnerabilities to be identified, and how teams should work together in times of crisis,” he said.

The state-backed House of Cybersecurity has “Room 42”, a simulation and exercise facility in which management teams can experience a mock cyber crisis. “It's not technical but is an immersive session, a stress test where you can understand what it is like to go through as many as 10-15 incidents,” said Mr Steichen. “The objective is to test your organisation’s limits and identify gaps into which you can build competence.”

He also spoke about the dedicated Incident Response Centre that can be called “like the fire service” during an incident. They can also offer advice outside of crisis periods, helping businesses make contacts to solve their unique cyber resilience challenges.
