Corporate boards ‘not cyber ready’
New research has found that corporate boards in Barbados and the Caribbean face significant challenges in providing effective cybersecurity oversight.
This is characterised by limited understanding of cybersecurity risks, inconsistent reporting practices, and a lack of specialised expertise, which hinders their ability to address emerging cyber threats strategically, researcher Dr Ron Sookram concluded in his study Assessing The Readiness Of Caribbean Boards For Effective Cybersecurity Oversight.
“While operational measures such as threat assessments and data backups are in place, they lack alignment with broader governance frameworks. Furthermore, inadequate funding and reliance on external consultants underscore the need for a more proactive approach to building internal capacity,” said Sookram, who is academic director and team lead, corporate governance services at the Arthur Lok Jack Global School of Business, which is based in Trinidad and Tobago.
He is advising the directors of the region’s corporate boards that to enhance their preparedness, they “must prioritise cybersecurity as a strategic imperative”.
“This includes investing in board-level training, recruiting directors with specialised expertise, and establishing structured reporting mechanisms,” he said.
“By adopting a forward-looking and comprehensive governance approach, boards can strengthen their oversight capabilities, safeguard critical assets, and bolster organisational resilience against the growing threat of cyberattacks. Ultimately, addressing these gaps will position Caribbean boards to align with international best practices and build trust with stakeholders in an increasingly digital world.”
Sookram made the following nine specific recommendations to Caribbean corporate boards.
• Prioritise cybersecurity as a strategic issue, not just an information technology (IT) concern.
• Enhance cybersecurity expertise.
• Make cybersecurity a responsibility of the audit or risk management committee.
• Implement consistent and structured cybersecurity reporting.
• Invest in cyber insurance and develop a risk transfer strategy.
• Conduct regular cybersecurity audits and risk assessments.
• Develop and test a cybersecurity incident response plan.
• Leverage external consultants to address expertise shortages.
• Allocate sufficient resources for cybersecurity investments.
Data for this report was gathered through a survey distributed to 150 directors across the Caribbean. The survey achieved a 70 per cent response rate, with 105 completed responses. The survey instrument was disseminated via the Caribbean Corporate Governance Institute network and other professional and business networks to ensure broad participation.
Sookram’s key findings included that most organisations have conducted cybersecurity audits; many have not considered cyber insurance, reflecting a limited focus on risk transfer strategies; few directors rated their boards’ understanding of cybersecurity as excellent and significant gaps remain, particularly in managing technology and data privacy risks; and boards lack regular updates on cybersecurity.
The responses from corporate board directors also indicated that organisations emphasise identifying critical assets, conducting risk assessments, and testing data backups; many directors expressed dissatisfaction with cybersecurity funding; and there were limited board appointments of directors with cybersecurity expertise, leading to reliance on external consultants and upskilling initiatives.
Sookram also reported that resource constraints, shortage of experts, narrow perspectives, and a focus on short-term goals were the four primary challenges Caribbean corporate boards faced in governing cybersecurity.
“Limited financial resources delay cybersecurity investments and preparedness. A regional shortage of cybersecurity professionals limits board access to specialised expertise,” he elaborated.
“Some boards view cybersecurity as an IT issue rather than a strategic priority. Volatile Caribbean markets drive boards to prioritise immediate business performance over long-term cybersecurity strategies.”
Remedying these shortcomings was important, as the researcher said that a successful cyberattack “can inflict significant harm on organisations, affecting their financial performance, reputation, and consumer trust”.
He explained that the consequences of a security breach typically fall into three key categories – financial, reputational, and legal.
“Cyberattacks often lead to significant financial losses, which may arise from theft of corporate information, theft of financial details, direct theft of funds, disruption to operations, loss of business or contracts, and increased cybersecurity insurance premiums,” Sookram said.
“Additionally, businesses typically face expenses related to addressing the breach, including repairing compromised systems, networks, and devices.”
Quoting information from Statista, he noted that in 2024, the average cost of an industrial data breach was US$5.56 million, up from US$4.73 million in 2023.
(SC)
The post Corporate boards ‘not cyber ready’ appeared first on nationnews.com.