GUBERNA Sounding Board Committee - Cybersecurity

According to Directors & Boards author Tom Horton, “A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole.”

Each day, there are numerous kinds of cyber-attacks on companies and organisations all over the world. While the management should be prepared to deal with such attacks adequately and rapidly, it is up to the board to keep the helicopter view on the risks and consequences of the organisation's information security policy. This e-programme is created for directors and aspiring directors, executives and professionals, who want to acquire insights and tips and tricks on how to deal with Information Security policies, cyber risk assessment and GDPR issues from a board level perspective.

In the wise words of Professor Lynn Sharp Paine, former Senior Associate Dean at Harvard Business School, the primary role of a board is to ensure that a company operates within the "Zone of Sustainability" – a vital nexus of legal, economic, and ethical sustainability. In our rapidly evolving digital world, a key challenge to this zone is cybersecurity.

GUBERNA's Cybersecurity Sounding Board Committee conducted two exploratory surveys with its community of Belgian directors, focusing on cybersecurity governance. These surveys aimed to evaluate directors' perceptions of cybersecurity within their strategic frameworks, their awareness of cybersecurity issues, and their depth of knowledge on the topic. Specifically, we explored how governance maturity can be achieved through various approaches, such as the frequency of cybersecurity discussions on the board’s agenda, the existence of clear incident response plans, well-defined accountability frameworks, and the regular conduct of cybersecurity audits.

In this article GUBERNA offers seven questions to ask to help you as director understand how cybersecurity is being managed in the organisation. Just asking these seven questions will also raise awareness of the importance of cybersecurity and the need to prioritise actions.

Ransomware is one of the largest cyber threats facing any organization today. Ransomware targets organizations across all industries, including healthcare, finance, education and critical infrastructure. Ransomware attacks can be financially devastating and severely disrupt business operations.

The NIS2 Directive, which came into force on January 16, 2023, replaces the NIS1 Directive and aims to strengthen the overall cybersecurity landscape in the European Union. In Belgium, the directive was transposed into national law through the Law of 26 April 2024, establishing a framework for the cybersecurity of network and information systems critical to public safety. This law, known as the NIS2 Law, took effect on October 18, 2024. In this article, we explore key aspects of management liability under this new regulation.

NIS2 stands for “Network and Information Security Directive” and is a continuation and expansion of the previous EU cybersecurity directive, NIS1.

NIS: EU’s First Cybersecurity Law
The Network and Information Systems Directive (NIS) was introduced in 2016 as the first European legislation on cybersecurity. Its primary objective was to increase the cyber resilience of EU Member States by identifying essential service operators in the Union and enforce cybersecurity measures, with incident reporting being a central requirement.

In an increasingly data-driven world, corporate leaders face challenges in protecting the information they process. Executive and non-executive directors, as key decision-makers within organisations, must navigate complex regulatory landscapes, information security risks, and ethical considerations surrounding data protection and privacy.