On 25 April 2018, TheCityUK published a report on governing cyber risk.
The report was commissioned by TheCityUK in conjunction with Marsh. It is intended as a guide for company boards, setting out a new framework to enable them to meet the growing cyber threat.
For the purposes of the report, 30 interviews at board and senior executive level were carried out within the financial and related professional services industry. Boards were then benchmarked based on six elements of cyber risk governance (strategy, board ownership, financial resilience, executive accountability, assurance and reporting). The aim was to evaluate how proactive boards are in engaging and informing themselves on cyber risk and how much challenge they are creating for management through active and intrusive oversight.
For each of the six elements of board governance of cyber risk, the report identifies three levels of maturity, with level 1 the lowest and level 3 the highest. All firms are now taking action to manage cyber security, but there are material differences in the extent to which boards are driving that action. Most of the firms interviewed are operating at level 2 for the majority of elements. Some are at level 3, but a number are at level 1. The larger, balance-sheet businesses (that is, banks and insurers) tend towards level 3, possibly reflecting their more mature infrastructure for managing risk and the influence of regulators. A summary illustrating the differences in cyber risk governance between firms operating at levels 1 and 3 is included in the report.
The report's authors encourage firms to act to at least a minimum standard of proactivity and challenge, and they expect the regulators to reach a similar conclusion.
The report highlights that boards would benefit from cross-sectoral action in the areas of education and infrastructure, and suggests that the financial industry explore a collective approach to assessing its cyber governance rather than each firm acting independently.
Although there is “no single right way” of structuring cyber risk management within an organisation, there are a number of practical steps that boards can take. The report sets out some recommendations in this regard, including seven key questions on cyber governance that boards need to confirm they can answer positively.