Following a 177-page report on strengthening corporate governance presented by a committee chaired by Uday Kotak, Executive vice-Chairman and Managing Director of Kotak Mahindra Bank, it seems that in some senses, the report of the Kotak Committee is a missed opportunity to firmly entrench cybersecurity as a core governance concern for listed entities
Data breaches are multiplying in frequency and scale and the importance of addressing cybersecurity at the highest levels of corporate leadership cannot be devalued.
Directors and executive management play important roles in risk management, and by inference managing cyber-risk through periodic monitoring, supervision, and improvement of security measures.
Executive management buy-in is also paramount to ensure retention of specialist expertise and deployment of security infrastructure that is commensurate with an organization’s risk profile. However, despite emerging global consensus that cybersecurity firmly belongs on Board agendas, corporate practice has been slow to adapt / adopt.
Within this context, recommendations of the Uday Kotak Committee on Corporate Governance will partially address the dichotomy as far as listed entities are concerned.
With a specific focus on cyber concerns, the Committee acknowledged that cybersecurity was a key priority in ensuring that shareholder interest was safeguarded. The Committee also noted that the scope and periodicity of core Board Committees such as Audit, Risk, and Technology be enhanced so as to specifically account for cyber-risk.
In terms of specific proposals, the Committee recommended that the role of a listed entity’s Risk Management Committee be legally mandated to include cybersecurity concerns. In addition, the obligation for listed entities to constitute Risk Management Committees was expanded to apply to the Top 500 listed entities – a marked increase from the existing Top 100.
The Kotak Committee also recommended that those listed entities be encouraged to constitute Information Technology Committees to focus on digital and technology aspects in conjunction with the Risk Management Committee.
While the report of the Kotak Committee cannot be said to comprehensively address corporate governance issues relating to cybersecurity, it provides a useful beginning for conversations to continue. Although a report originating from Asia, South African entities need to heed its findings. In some senses, the Report of the Committee is a missed opportunity to firmly entrench cybersecurity as a core governance concern for listed entities.
This development should not be seen in isolation. The implementation the cybersecurity-linked recommendations of the Uday Kotak Committee on Corporate Governance is both timely and welcome for a growing economy such as South Africa’s.