IoT and Governance

It is miraculous how technology has changed the lives of people completely. The computer processing speed has increased immensely because of which technological advancement is taking place at a fast pace. IoT has a big role to play in many digital transformations unfolding and the ones to come. Let’s first understand what IoT is.

Meaning of IOT

‘IoT’, an acronym for ‘Internet of Things’ is an evolution of the Internet and can simply be defined as “a vast network of devices that are connected to the Internet and, consequently, each other increasingly.” Any sensory device that has connectivity to the Internet is part of the IoT revolution. We see IoT devices all around us in our daily lives. For example, the smartwatch that you wear on your wrist, the device that you put on your fingers to measure heart rate and blood pressure, voice command devices to control your TV or room temperature, your front door video camera etc. IoT is a product of the combination of Information Technology (IT) and Operational Technology (OT). IoT devices have at least one transducer to facilitate direct interaction with the physical world and a minimum of one network interface. Every sector today has its own set of IoT devices like the transportation sector has smart road technologies, the healthcare sector has specialised hospital devices and so on.

Corporate Governance (CG) Challenges

IoT devices are being manufactured in millions. But something that is being ignored while manufacturing these IoT devices is the data security aspect. These devices are different from conventional IT devices like a smartphone or a laptop and they fail to understand and implement cyber security features which are understood by these conventional devices.

We come across news of cyber theft every day as we flip the pages of our newspapers. Companies have been facing a lot of flak for not addressing the issue seriously and then ending up being victims of cyber attacks. The data of millions is at stake due to inadequate data security. There is no dearth of such examples. In 2016, Yahoo reported a breach of a whopping 500 million records with leaked email addresses, passwords, phone numbers, DOB and answered questions. The First American Financial Corporation in the US reported a breach of private data of 885 million real estate customers including their bank details, mortgages and licence images. NetEase Inc, China reported that 1.2 billion records in its possession were stolen by hackers and offered for sale on the dark web. These are just a select few from abundant such cases.

Role of Directors

Universally, a board is encompassed with fiduciary duties of care and loyalty towards its shareholders. The directors are endowed with the responsibility to ensure the data privacy of users and customers. However, they seem to ignore this responsibility.

As the National Institute of Standards and Technology [NIST] rightfully observes-

“Many organisations are not necessarily aware they are using a large number of IoT devices. It is important that organisations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently from conventional IT devices. Once organisations are aware of their existing IoT usage and possible future usage, they need to understand how the characteristics of IoT affect managing cybersecurity and privacy risks, especially in terms of risk response- accepting, avoiding, mitigating, sharing or transferring risk.”

Duty of care in a wider sense includes the duty to provide data security. As information technology is being widely used across organisations, the directors have an added responsibility as a part of the duty of care to take care of the implications of a company’s digital data. Directors are required to provide appropriate technical, physical and administrative security standards to maintain the confidentiality and integrity of a company’s digital data.

A major loophole in the system is the absence of a comprehensive data security law that gives out a detailed procedure and measures to secure the data. The law is presented in the form of drafts in many jurisdictions but is yet to be enacted. Once these rules and regulations are enacted, it will be far easier as well as mandatory to implement these data security measures. However, just because there is no explicit exclusive framework on data security, that does not mean that directors can escape this corporate fiduciary obligation. Also, there exist laws in bits and pieces on data security along with a lot of court judgements that make such a duty enforceable in the eyes of the law.

Data theft and cyberattack are one of the leading threats to a company, government and all other entities in today’s technological world. The leadership team of a company should take effective steps on maintaining good cyber hygiene in the organisation to prevent cyber attacks. They should employ resources to analyse and track potential cyber threats and come up with solutions to tackle the same.

It is observed that in many companies the audit committee steps into the shoes of safeguarding cyber security. The risk committee also sometimes deals with data security. Experts believe that board skills play a large role in fulfilling such a duty. Times today demand that the board has a couple of directors who possess expertise in information systems-related risks and data protection. It is ideal to have a few directors from IT and computer science backgrounds. If the board is deprived of such directors, it will be very difficult for an organisation to deal with data security issues.

Conclusion

Smart devices are not always smart solutions. Where technology is giving us so much on the one hand, it is creating some loopholes on the other hand. Organisations are deeply threatened by IoT security vulnerabilities. It is high time they realise this and develop a strong action plan to avoid cyber attacks. The poorly secured IT devices should be converted into strongly secured IT devices.

You can learn more about this topic by opting for our recognised courses — ESG Expert Certification from Directors’ Institute- World Council of Directors.