Cybersecurity expertise needs to be incorporated into Bangladeshi company boards

Sometime near the middle of this month, employees at Uber saw this message in one of their internal Slack channels: "Hi @here I announce i am a hacker and uber has suffered a data breach." The "entity," who has since claimed to be an 18 year old, also mentioned a series of Uber systems that were breached. Uber employees initially took it as a joke, reacting with "light hearted emojis" to what they thought was an internal prank. Soon enough, Uber realised they had actually been compromised. The company tweeted, perhaps in a characteristically corporate manner, that they were "responding to a cyber security incident."

The hacker has since proudly shared the steps they followed to get into Uber's systems with multiple security experts. Their method heavily relied on using employee login credentials to access, among others, Amazon Web Services and G-suite accounts. No financial loss or breach of customer data occurred. The motivation was political. The hacker used the incident to agitate about Uber's controversial payment practices to its drivers. While Uber's app remained operational throughout this time, the company did take their Slack channels offline until they could investigate further. The incident was reported to law enforcement agencies.

Information Technology (IT) security experts have been pushing for deeper, enterprise-wide recognition of cyber security threats for some time now. Unfortunately, for the most part, cyber security risk management remained a department-specific responsibility. IT departments were designated to oversee cyber security issues. Today, boards of publicly traded companies across all sectors in the US and Europe have started to regard cyber security far more seriously and within the purview of both good governance and strategic, core business interests. This is good news.

Several factors are at play. On 9 March this year, the US Securities and Exchange Commission proposed new regulations aimed at cyber risk mitigation for publicly traded companies. Ongoing conflicts in Ukraine reinforced Russia's established pattern of targeting critical military and commercial infrastructure. For the past several years, despite international efforts to reduce cyber attacks, we have seen increasing cases of identity theft and cyber attack worldwide. In 2021, the number rose by 15.1% in the US. Due to this, the Securities and Exchange Commission's proposition should be considered an alarm bell and a wakeup call. Board members and senior management anywhere in the world need to pay attention to this steadily growing area of security concerns.

The proposed new rules raised disclosure requirements for companies on matters related to cyber security. The Commission noted that cyber security is a material "emerging risk." Companies have little option other than to "contend" against such threats. Similar to financial and accounting information, investors are best served by "consistent, comparable, and decision-useful" disclosure on cyber security threats, mitigation plans, information on cyber attacks absorbed, and related costs.

By assigning importance to cyber security relative to investment decisions, the proposed new rules pave the way for industry-wide recognition and disclosure of the strategic imperative attached to cyber security risk management. Boards, senior management, and the enterprise as a whole, regardless of markets and lines of business, need to incorporate cyber security into their overall business strategy.

As the world gets more connected, data plays an increasingly central role, and consumers and investors get more educated on cyber risks, prudent cyber security risk mitigation will enable businesses to maintain an edge while creating and sustaining profits. Companies that fail to incorporate cyber security into their overall business strategy remain exposed to severe economic losses and public relations disasters.

A key highlight from the new rules proposed by the Securities and Exchange Commission is the requirement for cyber security expertise. Boards are expected to develop this expertise within their governance structures. They are also required to provide adequate disclosure on this to investors. Additionally, the regulation underlines the importance of cyber security expertise co-existing with regular financial and economic acumen, good judgement, foresight, and risk sensitivity. Merely appointing a cyber security expert will not be enough.

Digitisation efforts are a key driver to Bangladesh's national economic agenda. In attaining its Sustainable Development Goals by 2030 and achieving targets set forth in the Perspective Plan 2041, digitisation of existing processes and services are both innovative and strategically important. As Bangladeshi businesses rely more and more on interconnected national, regional, and global digital infrastructures to create profit, the imperative to implement similar regulations for companies operating here grows exponentially. In fact, we argue that it is already high time for the Bangladesh Securities and Exchange Commission to seriously think of ways to institutionalise a minimum level of cyber security expertise in public company boards across sectors.

"Expertise" is the operational word here. Awareness alone will not cut it. For cyber security to be truly incorporated in the strategic business agenda, expertise should permeate the board. Mere designation of a "cyber security expert" will most likely result in passing over the ball at every meeting while business strategy remains inadequately informed by cyber security concerns.

We understand that this is a bold expectation. It is vexing to observe that a good number of public company boards in Bangladesh lack adequate financial and accounting literacy. In reality, implementing basic corporate governance safeguards is inadequate. However, good corporate governance is prerequisite to resilient cyber security mitigation plans, just as it is for all other metrics of organisational performance. A synergy can be expected from the integration of a cyber security risk mitigation framework into the Bangladesh Securities and Exchange Commission's Corporate Governance Code 2018.

At the same time, we have to recognise that proactive boards, especially those overseeing financial services companies, already understand the strategic value of a prudent, forward looking, continuously adjusted cyber risk management policy. Considering global and national factors, we can tell that Bangladesh cannot afford to wait further for cyber security reporting to become a norm. Such disclosure can be expected to drive boards and senior management into action, and allow investors and consumers to choose wisely.

Providing companies and investors with a solid benchmark based on global best practice guidance, adjusted for domestic challenges, on cyber security governance is the first step the Bangladesh Securities and Exchange Commission needs to take. Afterwards, the commission may find it useful to jump-start the process by introducing mandatory disclosure requirements, onboard cyber security expertise, implement cyber risk mitigation plans, and index implementation progress for publicly traded companies.

At the same time, much remains to be done to raise the level of awareness on cyber security risk factors and potential losses. Concerted efforts from regulators, security experts, and academics, as well as companies with best practices, can help produce a better environment in which cyber security expertise is incorporated into company boards. This, in our view, will be the start towards a Bangladeshi business community more resilient to cyber threats in the coming years.

Dr Md. Rezaul Kabir is Professor of Finance at the Institute of Business Administration (IBA), University of Dhaka. He is also the Coordinator of IBA's MBA Program.

Aumit Ahsan is a graduate student of the Institute.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.