Cybersecurity expertise must be incorporated into the boards of Bangladeshi companies

In the middle of this month, Uber employees saw this message in one of their internal Slack channels: “Hi @here, I am announcing that I am a hacker and uber has suffered a data breach .” “The Entity,” which has since claimed to be 18, also mentioned a series of Uber systems that were hacked. Uber employees initially took it as a joke, reacting with “light emojis” to what they thought was an internal prank. Soon Uber realized that they had in fact been compromised. The company tweetedperhaps in typical corporate fashion, that they were “responding to a cybersecurity incident”.

The hacker has since proudly shared the steps he took to break into Uber’s systems with several security experts. Their method relied heavily on using employee login credentials to access Amazon Web Services and G-suite accounts, among other things. No financial loss or breach of customer data has occurred. The motivation was political. The hacker used the incident to rant about Uber’s controversial payment practices to its drivers. While Uber’s app remained operational throughout this time, the company took its Slack channels offline until it could investigate further. The incident was reported to law enforcement.

Information technology (IT) security experts have been calling for a deeper recognition of enterprise-wide cybersecurity threats for some time. Unfortunately, most of the time, cybersecurity risk management has remained a departmental responsibility. IT departments have been designated to oversee cybersecurity issues. Today, the boards of publicly traded companies across all industries in the United States and Europe have begun to view cybersecurity much more seriously and as part of both good governance and business interests. strategic fundamentals. It’s good news.

Several factors are at play. On March 9 of this year, the United States Securities and Exchange Commission proposed new regulations aimed at mitigating cyber risks for publicly traded companies. The ongoing conflicts in Ukraine have reinforced Russia’s established pattern of targeting critical military and commercial infrastructure. In recent years, despite international efforts to reduce cyberattacks, we have seen an increase in cases of identity theft and cyberattacks around the world. In 2021, the number increased by 15.1% in the United States. For this reason, the Securities and Exchange Commission’s proposal should be seen as a wake-up call and a wake-up call. Around the world, board members and senior management need to pay attention to this growing area of ​​security concern.

The proposed new rules have increased disclosure requirements for companies on matters related to cybersecurity. The Commission noted that cybersecurity is an important “emerging risk”. Businesses have little choice but to “fight” against such threats. As with financial and accounting information, investors are best served by “consistent, comparable, and decision-useful” disclosure on cybersecurity threats, mitigation plans, information on absorbed cyberattacks, and associated costs.

By attributing importance to cybersecurity in investment decisions, the proposed new rules pave the way for industry-wide recognition and disclosure of the strategic imperative related to cybersecurity risk management. . Boards of directors, senior management and the company as a whole, regardless of markets and industries, must integrate cybersecurity into their overall business strategy.

As the world becomes more connected, data takes on an increasingly central role, and consumers and investors become better informed about cyber risks, careful cybersecurity risk mitigation will allow businesses to retain an edge while creating and maintaining profits. Companies that do not integrate cybersecurity into their overall business strategy remain exposed to severe economic losses and public relations disasters.

A key part of the new rules proposed by the Securities and Exchange Commission is the requirement for cybersecurity expertise. Boards are expected to develop this expertise within their governance structures. They are also required to provide adequate information on this subject to investors. Additionally, the settlement highlights the importance of cybersecurity expertise coexisting with regular financial and economic acumen, good judgment, foresight and risk sensitivity. Simply appointing a cybersecurity expert will not suffice.

Digitization efforts are a key driver of Bangladesh’s national economic agenda. To achieve its sustainability goals by 2030 and meet the targets set in the 2041 Forward Plan, the digitization of existing processes and services is both innovative and strategically important. As Bangladeshi businesses increasingly rely on interconnected national, regional and global digital infrastructures to create profits, the imperative to implement similar regulations for businesses operating here grows exponentially. In fact, we argue that it is already high time for the Bangladesh Securities and Exchange Commission to give serious thought to ways to institutionalize a minimum level of cybersecurity expertise on the boards of public companies across all sectors.

“Expertise” is the operational word here. Raising awareness alone will not be enough. For cybersecurity to be truly integrated into the strategic agenda of the company, expertise must permeate the board of directors. Simply appointing a “cybersecurity expert” will most likely result in a handover at every meeting while business strategy remains insufficiently informed by cybersecurity concerns.

We understand this is a bold expectation. It is frustrating to see that a good number of SOE boards in Bangladesh lack adequate financial and accounting knowledge. In reality, the implementation of basic corporate governance safeguards is inadequate. However, good corporate governance is a prerequisite for resilient cybersecurity mitigation plans, as it is for all other organizational performance indicators. Synergy can be expected from the integration of a cybersecurity risk mitigation framework into the Bangladesh Securities and Exchange Commission’s 2018 corporate governance code.

At the same time, we must recognize that proactive boards, particularly those overseeing financial services companies, already understand the strategic value of a prudent, forward-looking and continuously adjusted. Considering the global and national factors, we can say that Bangladesh cannot afford to wait any longer for cybersecurity reporting to become the norm. This disclosure can be expected to inspire action by boards and senior management and enable investors and consumers to choose wisely.

Providing companies and investors with a solid benchmark based on global best practice guidance, tailored to national challenges, on cybersecurity governance is the first step the Bangladesh Securities and Exchange Commission must take. Subsequently, the commission may find it useful to restart the process by introducing mandatory disclosure requirements, integrating cybersecurity expertise, implementing cyber risk mitigation plans and indexing implementation progress for listed companies.

At the same time, there is still much to be done to increase the level of awareness of risk factors and potential losses in cybersecurity. The concerted efforts of regulators, security experts and academics, as well as companies with best practices, can help create a better environment in which cybersecurity expertise is integrated into company boards. This, in our view, will be the start of a more resilient Bangladeshi business community to cyber threats in the years to come.

Dr. Md. Rezaul Kabir is a professor of finance at the Institute of Business Administration (IBA), University of Dhaka. He is also the coordinator of the IBA MBA program. Aumit Ahsan is a graduate student of the Institute.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.