– Annick Rimlinger, Executive Director of the CDSE (Club des directeurs de sécurité et sûreté des entreprises), founding member of Cercle K2 and member of the board of directors of Hack Academy;
– Éliane Rouyer, independent director, President of the Audit Committee and member of the Compensation Committee of Legrand, independent director of Vigéo Eiris.
I would like to thank all these speakers for their contributions and support, as well as Marc Triboulet (my teammate from HEC Gouvernance, with whom this round table cycle was initiated).
The training I developed within the Airbus group for directors and managers of subsidiaries, the work carried out for these conferences and the exchanges during these round tables have been supplemented by research work carried out over the past five years, participation in working groups (Switzerland's cybersecurity strategy, for example), support for several start-ups in the field of cybersecurity, the design of training courses, talks given at HEC Paris, at Swiss management universities and at companies or service providers, the implementation of risk mapping, the definition and deployment of measures to improve compliance with the GDPR (General Data Protection Regulation), not to mention the implementation of cyber programs in companies, associations, foundations and public bodies.
Marie DE FRÉMINVILLE
December 2019
Introduction: Financial and Cyber Performance
Why not assess the cyber performance of companies in the same way as their financial and non-financial performance (governance and CSR – corporate social responsibility)?
Why not certify the cyber performance of companies in the same way as their financial performance is certified by auditors, whose audit is mandatory for companies above a certain size?
Despite some progress, the vast majority of shareholders, and therefore the board of directors and management, are primarily interested in the company’s financial performance.
However, the digital age is introducing upheavals in the company and in its ecosystem. The "all-digital" world concerns every stakeholder: public administration, public services, national and international infrastructures, and defense and intelligence services.
We have reached a point of no return. It offers important opportunities, but it is also a source of fragility and major risks, particularly because cyber threat actors are becoming more professional and have significant resources to defraud, spy and sabotage.
The risks for companies are systemic: shareholders are financially exposed, and directors, in charge of defining the company's strategy and ensuring its sustainability, are legally exposed if they do not inform themselves about the quality of data security and information system protection, and if they do not ensure that an organization, procedures and tools are in place to achieve a high level of cybersecurity.
There is no such thing as zero risk, but a board of directors would be considered negligent if no action had been taken in the field of cybersecurity and an attack had significant consequences for the company's proper functioning, profitability and reputation.
Financial performance should therefore no longer be the only priority. Financial performance and cyber performance should now be the two priorities of corporate governance bodies.
Should we therefore reinvent the governance body provided for by national legislation, namely its competences, its functioning, its agenda and its partners?
For 50 years, we have been living through a technological tsunami:
– 1970: mainframe;
– 1980: PC (Personal Computer) and client/server;
– 1990: Internet and e-commerce;
– 2000–2010: mobile and cloud;
– 2010–2020: Internet of Things and artificial intelligence;
– 2020–2030: quantum computing and blockchain.
The digital world is borderless and immaterial, and the threats are invisible.
Digital and related new technologies are transforming the way companies operate and business models.
The main cyber-risks are the risk of disruption of industrial or commercial processes, financial risks, and the risk of losing large amounts of confidential information (strategic information, personal data). They affect every sector: hospitals, autonomous cars, banks, telecom operators, energy, etc., with potential human consequences.
According to a study conducted in the United States by the National Archives and Records Administration in 2018, 93% of companies that lost their data for 10 or more days declared bankruptcy in the year of the disaster and half (50%) filed for bankruptcy immediately after the attack.
The question is not “when will we be attacked?” but “what can we do to protect the company as much as possible, what can we do in the event of an attack, what can we do to restore systems as quickly as possible?”
Cyber-risk is an integral part of companies and also of our personal lives (everyone is concerned both as an individual and as a member of an organization). It is not just a technical risk.
People are the weakest (and the strongest) link in the entire security chain.
This book does not deal with tools (hardware, software, servers, architecture), but with organizations, processes and behaviors, without which the company cannot improve its performance, security, incident or crisis management, and resilience.
It is about companies exercising their digital responsibility and maintaining or improving the trust of their stakeholders: customers, suppliers, partners and investors.
Only 30 years ago, I experienced the arrival of personal computers (computers and word processing existed, but were not deployed in companies), the digitization of financial operations (accounting, cost accounting, banking relations and cash management, tax returns, reporting tools, accounting and management consolidation, financial relations with customers and suppliers), as well as the digitization of human resources management (payroll, social declarations, recruitment, training), internal and external communication, particularly with the arrival of social networks, production (connected factories and extended companies), marketing and sales of course, and logistics.
All company functions are now concerned, as well as the relations with all stakeholders: customers, suppliers, service providers, subcontractors, shareholders (individual investors, investment funds), board of directors, auditors, employees, subsidiaries, proxy advisers (governance advisers who publicly comment on the proposals made by companies for their general meetings).
Companies are completely digitalized: their data, operations, accounts, processes are intangible; their internal and external communications, their products are connected.
Organizations and work habits have changed, skills have evolved, tools have been transformed, and the classification of documents, and of the people cleared to access them, has sometimes (often?) been forgotten.
Companies have been able to internationalize thanks to ultra-fast means of communication. We talk to the company across the street just as easily as to those in the United States or China: only the time difference cannot be compressed.
Companies share their data with their customers, suppliers, employees, shareholders, subsidiaries, etc. Depending on their business sector, the digital environment gives them opportunities to create new businesses, new products and services and new customers, and to optimize their organizations, reduce their costs and improve their internal and external processes with their suppliers, service providers, subcontractors, investors and customers.
Companies are judged on their financial performance: