
Why Directors Should Scratch Below the Surface of Cybersecurity Risks

Protecting Long-Term Value Creation

Cybersecurity risks have been front of mind for a while, but what are boards doing to make sure they’re aware of them and properly prepared to deal with them? Not enough, it seems. Academic research sponsored by Nasdaq and Tanium shows a serious accountability gap in all the territories studied – the U.S., the UK, Nordic countries, Germany and Japan.

With only 10% of executives surveyed regularly briefed on cybersecurity threats relevant to their business, and 91% of board members surveyed having trouble interpreting a cybersecurity report, the lack of awareness and readiness is significant. So are boards sleepwalking into a risk landscape that could seriously threaten long-term value creation - whether from serious data loss itself or consequential financial loss from the attrition of investor and customer confidence?

The importance of risk management to corporate governance is not new, and boards have a firm grip on general operational and strategic risks, having developed policies and procedures over the years to identify enterprise risks, assess their nature, agree how to manage or mitigate them, and monitor the effectiveness of the systems and related disclosures. But should cybersecurity risks be firmly established as principal business risks and be subject to much closer board attention? They still aren’t in a lot of cases, but they probably should be: boards should be trained to properly understand the cyber-language; be aware of the implications of a breach; and be briefed on threats and the changing regulatory environment.

Cybersecurity risk is still seen as an esoteric and “techie issue”, but it certainly shouldn’t be, with the incidence of serious breaches and financial harm on the rise. Also, the EU regulatory landscape is heating up, with significant changes coming for those offering goods or services (even for free) within or into the region. After three years of political negotiation, the EU data protection framework has now been agreed (the General Data Protection Regulation), and together with the EU cyber security directive (the Network and Information Security Directive) they represent a sea change in responsibilities and sanctions.

How can you prepare?

First, read our report to learn more. Management should then assess the accountability gap in their own organization and agree actions with the board to narrow it. A starting point will likely be to provide more timely and clear communication to directors - transferring knowledge, understanding and expertise to the very top of the organization.

Boards will then begin to understand risks beyond the general – now more than ever, directors need to be able to scratch a few more layers below the surface. After that, the board can start to strengthen and foster a culture of responsibility and ensure it permeates throughout the organization.

Management should keep an eye on what should matter to the board – strategy, long-term value creation and business sustainability – and if there is a risk to these from a cybersecurity point of view, discuss it and spend time with directors to ensure the risks are understood, in turn enabling directors to fulfil their responsibilities. As Joan Conley, Senior Vice President and Corporate Secretary at Nasdaq, Inc., notes in the report, “good governance is good business”.

To read the cybersecurity research report, “The Accountability Gap: Cybersecurity & Building a Culture of Responsibility” and discover the seven challenges that predict cybersecurity vulnerability, click here.

Blake Stephenson
Blake Stephenson -- After being called to the English Bar in 2007, Blake has held governance, risk and compliance roles and has had a particular focus in regulatory compliance and good governance in UK markets infrastructure. His experience in this regard is from SIX Swiss Exchange and the UK's Financial Services Authority (now Financial Conduct Authority), where he supervised the London Stock Exchange Group. Blake also spent time as an advocate towards the European political institutions while working at the Futures and Options Association (now FIA Europe). Since joining NASDAQ in 2013 and before joining the Directors Desk management team in 2015, Blake was the Associate General Counsel in London, ensuring regulatory and governance compliance for NASDAQ's London interests. In addition to being called to the Bar, Blake has a degree with honours from the University of Kent, Canterbury, a Graduate Diploma in Law and a CISI Diploma in Investment Compliance.




This communication and the content found by following any link herein are being provided to you by Corporate Solutions, a business of Nasdaq, Inc. and certain of its subsidiaries (collectively, “Nasdaq”), for informational purposes only. Nasdaq makes no representation or warranty with respect to this communication or such content and expressly disclaims any implied warranty under law.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.