The Board's responsibility for information security

The digitalization of society in the last decade has created many opportunities for businesses and organizations. But digitalization, combined with a rapidly changing world, has also opened up new threats and vulnerabilities that can cause very serious damage to businesses. Every day we see headlines about different types of attacks and incidents. 

The Royal Swedish Academy of Sciences (IVA) states in its report "Cybersecurity for increased competitiveness" (2022) that information and cyber security has become a strategic issue affecting the competitiveness and long-term survival of both companies and society at large.

The role of the board, from a shareholder perspective, includes protecting shareholders from unknown and unacceptable risks and ensuring the long-term survival of the business. In this respect, the board plays a very important role in the company's strategic information security work. At the same time, for a layperson in the field, it can be difficult to know where to start and how to tackle the issue.

Below is a list of concrete advice on how board members can work on information security: 

  • Educate yourself in the field at a general level so that you can understand the threats and stay informed about information security risks. As a board member, you may be an attractive entry point for criminals or other actors to access your company's information. You should therefore also inform yourself about how to protect yourself against this type of threat. 
  • Analyze and understand potential inherent conflicts of interest that may exist between different stakeholders in the business. This may include the risks management chooses to take in the short and long term. 
  • Require the organization to adopt a systematic approach to information security, and require management to be able to identify the key risks and the strategy for managing them. There are various standards and frameworks that can be used for this purpose.
  • Ensure that the organization conducts and reports on periodic and independent tests of information security.