3 minute read 24 Jun 2024
Business people brainstorming at modern office boardroom behind closed doors

Why cybersecurity should be a board priority

Authors
Koen Machilsen

EY Belgium Cybersecurity and Privacy Partner

Trusted advisor on cyber and technology. Straightforward. Solution-driven. Pragmatic. Enthusiastic. Critical. People manager.

Edwin Haedens

EY Belgium Cybersecurity Senior Manager

10+ years at EY focusing on providing excellent services to clients. Focuses are cybersecurity, creating more resilience and optimizing IT departments for clients.

3 minute read 24 Jun 2024

Companies need to acquire more cybersecurity knowledge at all levels; every executive team must have a Chief Information Security Officer.

In brief:

  • Due to the threat of sophisticated cybercrime and to comply with the upcoming NIS2 legislation, boards need to prioritize cybersecurity.
  • Companies need a robust cyber policy that integrates into all strategic initiatives and strengthens the supply chain to protect critical business processes.
  • People are the first line of defense. Boards must endorse the importance of awareness and training to prevent, respond to, and recover from a cyberattack.

Cybercrime is a very profitable sector. Coupled with geopolitical evolutions, with certain countries conducting cyberattacks, companies that have increasingly digitized core processes are becoming very vulnerable.

If cybersecurity is inadequate, the consequences can be severe. Consider ransomware, malicious software that encrypts files on a computer and demands a ransom to release them, or deepfake fraud, such as at a British engineering firm where an employee recently transferred 23 million euros based on false images of the CFO, made with artificial intelligence. You only need a photo and a few seconds of speech to make a deepfake.

There are other ways criminals are using AI. They used to send poorly written English-language phishing emails on a large scale to gain access to computer systems. Now, they can almost automatically send highly targeted, well-written emails based on (profile) data found online.

The executive team must include a Chief Information Security Officer (CISO), and the board must give the CISO the mandate to roll out a cyber policy throughout the organization.
Koen Machilsen
EY Belgium Cybersecurity and Privacy Partner

European legislation

Companies must therefore be more concerned with cyber security than ever. However, in practice, this often leaves much to be desired. Companies will have to do better quickly. Boards also have to catch up in the field of cyber and technology knowledge.

From October 18, 2024, NIS2 will introduce legislation that will make the board and management liable for cybersecurity. For non-compliance, fines can amount to 10 million euros or 2 percent of global annual turnover, whichever is higher. That’s why it is essential for companies to acquire sufficient knowledge of cybersecurity in-house, and not just on the board. The executive team must include a Chief Information Security Officer (CISO), and the board must give the CISO the mandate to roll out a cyber policy throughout the organization.

Companies that are not very advanced with their cyber security policy no longer receive insurance.
Koen Machilsen
EY Belgium Cybersecurity and Privacy Partner

Protecting critical business processes

A good cyber policy not only integrates into all strategic initiatives and crisis management of the company but also strengthens the supply chain. How vulnerable is the company's ecosystem? What are the consequences if a supplier becomes a victim of cybercrime? And what happens to your customers if your company itself suffers a cyberattack?

The board must make enough resources available to protect its critical business processes from an impactful cyberattack. Has the company taken the proper measures to protect them? Is there a monitoring system that quickly warns if there are signs of a cyberattack? Does the company have sufficient capacity and knowledge to respond?

People are the first line of defense. Awareness and training are crucial for preventing, responding to, and recovering from a cyberattack.
Edwin Haedens
EY Belgium Consulting Cybersecurity and Privacy Senior Manager

Awareness and training

Corporate culture and awareness are crucial and require constant attention. Boards must also endorse its importance. Every cyberattack involves people; they are the first line of defense. Awareness and training are crucial for preventing, responding to, and recovering from a cyberattack. For example, if you work in finance and get a strange request from the CFO to transfer money, pick up the phone to confirm.

Companies can take out cyber insurance to cover, among other things, the damage caused by unauthorized access to IT systems. However, that insurance is becoming increasingly difficult to obtain. A few years ago a simple report was sufficient, but nowadays the conditions are much stricter. Companies that are not very advanced with their cyber security policy no longer receive insurance.

At EY, we can help clients implement a complete cyber strategy. Our experts help companies identify cyber risks, determine priorities, ensure a long-term improvement path and monitor progress.

EY Belgium newsletter

Subscribe to our monthly newsletter and stay updated on our latest insights.

Subscribe

Summary

Cybersecurity is crucial for companies due to the rising threat of sophisticated cybercrime. The new NIS2 legislation will hold boards accountable for cybersecurity, with significant fines for non-compliance. Therefore, boards must prioritize cybersecurity, and companies should acquire comprehensive cyber knowledge in-house. Implementing effective cyber policies will protect critical processes and the supply chain, with continuous awareness and training as key components. As cyber insurance becomes harder to obtain, advanced cybersecurity measures are essential.

About this article

Authors
Koen Machilsen

EY Belgium Cybersecurity and Privacy Partner

Trusted advisor on cyber and technology. Straightforward. Solution-driven. Pragmatic. Enthusiastic. Critical. People manager.

Edwin Haedens

EY Belgium Cybersecurity Senior Manager

10+ years at EY focusing on providing excellent services to clients. Focuses are cybersecurity, creating more resilience and optimizing IT departments for clients.