What are the risks and opportunities regarding governance in the cyber age? How can organisations raise cybercrime awareness throughout their structure? How should board members be educated on cybersecurity issues and obligations? The annual Listed Company Day, jointly organised by GUBERNA and VBO-FEB, in partnership with EY and A&O Shearman, addressed these questions and other cyber risks comprehensively.

Introducing the link between governance & cybersecurity

In her introduction, Sandra Gobert outlined the organisers' threefold intention: to raise awareness about cyberthreats and cybersecurity, to provide a clear overview of the legal rules, and to offer practical guidance to board directors and CEOs. "We all must inform ourselves about the measures that companies can take to prevent and remedy cyberthreats. They have never been so prominent."

She acknowledged the valuable work of the GUBERNA Sounding Board Committee for Cybersecurity, which has published important materials and potential board solutions in this area. Recalling Sounding Board Committee Chairman Alex Driesen's key points, she emphasised why cybersecurity demands heightened attention from a board perspective:

  1. Cyber risks rank amongst the most severe global threats due to their immediate and potentially significant organisational impact
  2. Cyber attacks can inflict significant financial losses, damage reputation, and result in legal repercussions
  3. New EU cybersecurity regulations escalate explicit liabilities for directors, underlining the general duty of care required in their roles
  4. Lack of awareness and preparedness regarding cybersecurity affects both immediate stakeholders and poses broader societal challenges

"In this cyber era, good governance is more important than ever: you can both seize opportunities and reduce risks," she concluded.

Beware of cybercrime

EY's Partner for Technology Consulting and Cybersecurity, Koen Machilsen, reinforced the awareness message with crucial warnings: cybercrime is big business, and this sector operates as a well-oiled machine of professional criminals. They have even developed excellent customer support for their victims: "When you get hacked, you end up on a user-friendly website!" Moreover, these adversaries quickly adopt new technologies.

The number of security flaws and vulnerabilities is spiralling, with ransomware as a top-ranked danger. He put the financial impact of cybercrime at $8 trillion in annual damages.

He specifically illustrated how a ransomware attack strikes all business fronts. An effective response against a cyber attack requires robust coordination and necessitates cooperation throughout the entire organisation. "This is not just an IT matter." The priority is containing or isolating the problem.

Recovery to business as usual is challenging: organisations must prioritise their actions effectively.


Cyber resilience attention points for a Board of Directors

According to ENISA, 'cyber resilience' is defined as an organisation's ability to continuously deliver its intended outcomes despite adverse cyber events. Machilsen enumerated six points of advice for boards and executive committees in building cyber resilience:

  1. Rethink cyber governance
  2. Integrate cyber in business continuity and crisis management
  3. Ensure long-term investment in cyber
  4. Drive awareness and cultural change
  5. Foster and participate in cyber drills
  6. Monitor the regulatory landscape

"Cybercriminals always look for the weakest link. That may also be the company directors."


What about NIS2?

Of course, the conference dedicated significant attention to the new NIS2 Directive. Both Koen Machilsen and A&O Shearman's Peter Van Dyck and Sarah De Wulf provided excellent explanations, receiving numerous requests for clarification from the engaged audience. NIS2 is quite complex and cannot be separated from other regulations such as DORA, GDPR, eIDAS, the Cyber Resilience Act and the Cybersecurity Act. We refer readers to our comprehensive overview of what directors certainly need to know about NIS2.

Peter Van Dyck and Sarah De Wulf concluded with some concrete advice for boards to deal with these new legal requirements:

  • Put cybersecurity as a recurring theme on the management’s and board’s agenda.
  • Expand the knowledge of your management and your board through training, reporting, certifications, etc.
  • Be prepared for incidents, establish a crisis plan and response to cybersecurity threats.
  • Supervise compliance with legal requirements. Supervisory authorities hold management accountable for cyber governance and compliance.
  • Provide management with directions and authority to act, determine a cybersecurity budget.

Panel discussion

Following the break, a distinguished panel gathered around Valéry Vander Geeten, Head of Legal at CCB (Centre for Cybersecurity Belgium):

  • Marc Vael, Digital Information Security Expert at Veralto
  • Nathalie Ragheno, Senior Advisor at VBO FEB
  • Danielle Jacobs, CEO at BELTUG
  • Fabrice Clément, CISO at Proximus

Board matters

Marc Vael emphasised: "Board members should not fear the word 'cyber' as it's not merely a 'technology first' matter. Consider it holistically, as it encompasses people, teams, processes, audits, reviews and strategic vision. Put cybersecurity regularly on the board agenda as a planned and prepared item."


He also referenced valuable guidance from the GUBERNA Sounding Board Committee for Cybersecurity: seven essential questions that directors should regularly ask executive management. If management needs more than one month to respond, in his view they are clearly not adequately prepared.

Regarding security investment, he advised: "One per cent of global revenue is appropriate. Below that threshold indicates potential gaps."

How to talk to the board?

Fabrice Clément shared Proximus's experience following their famous 2013 cyber attack. "Cybersecurity has become a yearly board agenda item. Today, our board is well-educated and informed about all possible risks."


He emphasised the importance of accessible language in reporting, structuring his board presentations in these seven chapters:

  1. Current threat landscape
  2. Regulatory framework overview
  3. Internal organisation status
  4. Cybersecurity improvement programme and investments
  5. Employee awareness initiatives
  6. Customer awareness and resilience support
  7. Cybersecurity collaboration overview

Collaboration for more awareness

Nathalie Ragheno stressed the importance of collaboration between competent authorities, including the CCB and business federations (such as VBO-FEB), to provide effective tools and guidance. “Many managers still lack a clear vision of what needs to be given priority protection and what are their most crucial assets. In that respect the new legislation will help as it creates a structure for their story towards the board.” She acknowledged that whilst larger companies might find compliance easier, SMEs often lack the resources to prioritise cybersecurity effectively.

The CIO and CISO relationship

Danielle Jacobs noted BELTUG's observation of more CISOs (Chief Information Security Officers) reporting directly to boards alongside CIOs (Chief Information Officers). She emphasised the importance of clear, non-technical communication with boards: "Don't show them what you're doing; show them what decisions need to be made. Ask for clear choices between options which all may have different effects and costs. By interacting with you, your board can give you and your work a lot of credibility!”

In her view, NIS2's regulatory requirements create a positive business dynamic in which robust cybersecurity becomes a competitive advantage: customers and supply chain partners increasingly demand high security standards, which in turn helps CISOs justify larger security budgets.

BELTUG’s annual survey confirms AI, cybersecurity and regulatory compliance as the top three board concerns, with strong alignment between CIOs, CEOs and boards.

"Cybersecurity is not a matter of IT, it is everywhere in the organisation."


Keep learning and preparing

CCB's Johan Klykens concluded by emphasising partnership with business in combating cybercrime. He introduced 'Cyberfundamentals' as a comprehensive tool for organisational protection: "You cannot make a secure digital product in a non-secure environment! So we developed Cyberfundamentals because we think every organisation should have a tool to protect themselves, and to continue to do business."

He also urged adoption of basic security measures like multi-factor authentication on all endpoints, system diversification and isolated backup systems. "Board members must lead by example. Training alone won't change behaviour without leadership demonstrating commitment."

He convinced the audience that the CCB wants to make Belgium one of the least cyber-vulnerable countries in Europe.

One last piece of practical advice for boards during cyber crises: "Be prepared! It will be a long meeting, so provide refreshments and good food!"