8005CGOV-Corporate Governance

Task

The capstone assessment involves the study and analysis of one of the most prominent issues in corporate governance circles nowadays: cybersecurity. The aim of the assignment is to analyse the topic from a risk management/governance perspective. Please read thoroughly the description and requirements discussed below.

Background

Tricker (2019, p. 207) states that “Corporate risk involves the gain or loss that might be incurred by an uncertain event”. As displayed by many examples of corporate collapse, the magnitude of losses caused by unanticipated events an organisation is subject to can jeopardise its survival. As such, (enterprise) risk management is a critical activity, one that the board of directors should be responsible for safeguarding the value of a business.

Cyber threats represent one of the risks that corporations across the globe are increasingly exposed. In March 2019, a cyber-attack on the Norwegian aluminium maker Norsk Hydro has cost the company £45m (Tidy 2019), subsequently leading to an 82% decrease in profit (Reuters 2019). In October 2018, Yahoo agreed to pay $50m in damages to people affected by cyber-attacks that affected three billion accounts in 2013 and 2014 (Kuchler 2018). These incidents came to public’s attention. The fact that some companies might not disclose breaches for fear of becoming more vulnerable make the potential number of cyber-related losses even higher (Price 2016). 

There is another dimension of cybersecurity not related to cyber-attacks per se, but, instead, they relate to the management of customers’ data. The concept of digital license to operate revolving around how a business uses technology and the data shared with it by its clients is turning into a relevant issue in corporate governance circles. AICD (2018) (and references therein) elaborates on the effect that ethical handling of information and clear communication with customers has on trust, and how that can become a source of competitive advantage (or disadvantage). 

Customer data is a highly sensitive issue, as illustrated in Facebook’s Cambridge Analytica case (Rodriguez 2019). This case demonstrated the need for cybersecurity governance and active participation of corporate board.

The above examples (and other cases as listed in Kammel et al. 2019) illustrate the reasons why cybersecurity is turning into a priority investment in every business industry (Quiocho 2018). 

In this context, this assessment provides you with the opportunity to analyse the issue of cybersecurity (either from a cyber-attack or data management perspective) in a company with which you are familiar. Please write a report addressing the questions below: 

• In which way(s) can cybersecurity subject the company under study to losses? Elaborate on (at least) three cyber threats that the organisation might be exposed

• Provide a risk mapping of the threats identified above following the impact/likelihood diagram of chapter 8 in Tricker (2019), explaining the rationale behind the mapping established.

• Define strategies that could be put in place to address the risks identified. Particularly, discuss for each of the cyber threats whether to avoid/mitigate/transfer/retain the corresponding risk.

• Argue whether the board of directors of the company under study has (or not) been adequately overseeing the business’s cyber risks. Justify your answer. (Hint: Cohn et al. 2017 and Klemash 2018 are good starting points to address this question).