The Cyber Readiness for Boards project, which is jointly funded by the National Cyber Security Centre and the Lloyd's Register Foundation, has launched to explore the factors shaping UK board decisions around cyber risk and develop interventions to provide guidance and support.
A consortium of UK cyber security experts including UCL academics is to support global businesses to tackle online threats and protect themselves from cybercrime.
Project lead and Director of the Research Institute in Science of Cyber Security (RISCS) Dr Madeline Carr (UCL Science, Technology, Engineering & Public Policy) said: "With the UK being the largest digital economy in the G20 and 83 per cent of UK critical infrastructure in private hands, the role of boards is central to cyber security.
"Understanding the decision-making process and the way that boards assess cyber risk will be fundamental to addressing some of the ongoing challenges we face - both here in the UK and globally."
A survey by PWC Global Investor in 2018 revealed that cyber threats are among the top concerns for company CEOs and investors; however, only 11 per cent of corporate directors believe their boards possess a high level of understanding of cyber security risk, meaning companies are increasingly exposed to cybercrime.
Cybercrime costs the UK economy between £11bn and £30bn each year, according to figures from 2016. Recent security breaches from more than 2,000 leaked databases exposed over 770 million individuals' private data. Facebook could face a record $1.6bn fine and a formal investigation over its recent data breach.
In the UK, 2.9 million companies are estimated to be attacked by cyber criminals every year. Tesco Bank was fined £16.4m for security failures after a cyber-attack in 2016.
Research conducted by the National Cyber Security Centre (NCSC) in 2018 found that the boards of private sector organisations, who tend to have positive attitudes towards risk, are instrumental in how protected the business is against cybercrime. Key to protecting companies is ensuring that boards understand the nature and importance of cyber security.
JP Cavanna, Group Head of CyberSecurity at Lloyd's Register, said: "With the ever-increasing complexity and expansion of cyber threats, it is vitally important that Boards feel sufficiently knowledgeable and supported. Lloyd's Register Foundation is supporting the Cyber Readiness for Boards research to provide Boards with the tools and information they need to understand and manage their cyber risk effectively."
The project is a collaboration between researchers at three leading UK universities - UCL, the University of Reading and Coventry University. They are joined by the Research Institute in Science of Cyber Security (RISCS), the NCSC, Lloyd's Register Foundation and RESILIA - a leading cyber security training provider, part of AXELOS Global Best Practice.
The project will initially work with six multinational companies who are at particular risk due to their high profile, before rolling out to include more businesses including SMEs and larger enterprises in early 2020. First year results are expected to be delivered from September 2019 and the project will conclude in September 2020.
The collaboration will focus on four main areas:
- An evaluation of board level training interventions
- An assessment of how boards evaluate cyber risk 'evidence'
- An investigation into the significance of board composition, accountability and responsibility
- The impact of investor pressure on board decision-making on cyber risk
Sarah Lyons, Deputy Director, National Cyber Security Centre, said: "We believe that cyber security is now a mainstream business risk. So corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks.
"We have taken an evidence-based approach to developing our own board toolkit, and welcome new research into how UK boards make decisions around cyber risk. This research will help us refine and develop targeted guidance for business leaders, helping to make the UK the safest place to live and work online."
Nick Wilding, General Manager of Cyber Resilience at AXELOS, who leads RESILIA best practice, said: "Using evidence-based research is critical. Not only in developing appropriate tools and interventions that can help boards to manage their cyber risks, but also for designing them in ways that actively engage with and effectively integrate into existing risk management oversight and governance. I look forward to helping to engage and inform boards during the research through RESILIA's focus on culture and behaviour change."
The project is jointly funded by the NCSC through RISCS and Lloyd's Register Foundation, who have each contributed £500,000. The work feeds into the NCSC's cross-Whitehall strategy to make the UK the safest place in the world to do business.