This article originally appeared on spencerstuart.com.
Boards increasingly understand that cybercrime is a risk management issue that affects the entire organization and requires board oversight. However, although directors know that they need to stay informed about cybersecurity, keeping up with it in the complex, rapidly evolving world of IT is often a challenge.
In response to boards’ growing concern about how to approach cybersecurity, Spencer Stuart and Morrison & Foerster convened a panel to frame the board’s role in overseeing cybersecurity business risk and to help identify key questions directors should be asking – both of themselves and management.
Our panelists identified five key aspects of the board’s role in managing cybersecurity risk.
1. Accept Responsibility for Cybersecurity
How a company and its board approach cyber risk depends on the industry and the company’s tolerance for risk. Some boards deal with cybersecurity issues as a whole board, while others delegate these matters to a standing board committee, such as the audit committee, to give them more focused attention. However, while the audit committee may be well-equipped to address issues of risk, audit committees are not traditionally oriented towards matters of innovation, competitiveness and strategy – all of which are essential to effective technology oversight.
A separate committee does not relieve the full board of its core oversight responsibilities. Boards must ensure that cybersecurity is viewed as an enterprise risk issue, not just an IT topic, and that discussion of cybersecurity gets adequate time on the board agenda and with management.
2. Set Expectations for Management
Regardless of how boards structure themselves around this matter, directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget to oversee cybersecurity risks.
Boards need to ensure that they are adequately briefed about the company’s security model and vulnerabilities. Briefings should occur on at least a quarterly basis, and if the management of cyber risk is allocated to a committee, the full board should also be briefed at least semiannually.
Boards may also want to consider hiring outside experts to explain the latest technologies and best practices to help directors become more educated on cyber risk and preparedness. Existing third-party advisers, including law firms, audit firms and communications firms, may have skilled experts in this area.
3. Understand Your Company’s Cyber Risk
Assess legal risk. Boards must ensure that they understand the legal implications of cyber risk and have plans in place to deal with them. Federal and state laws often require that customers be notified in the event of a breach, and international laws, including privacy requirements, may apply to some companies. Certain industries, such as healthcare and defense, also carry industry-specific legal obligations that require special consideration.
Prioritize assets. Boards should undertake a thorough analysis of the company’s most valuable assets and determine the risk that each might present in the event of a cyberbreach or loss. For some companies, assets might include a patented manufacturing process, customers’ private financial data, or competitive research that has been years in the making. A discussion around which risks to prioritize, avoid and mitigate should take place among directors.
Consider cyber insurance. Does the company’s insurance policy cover breaches? Is the coverage equal to the value of the company’s assets? Some companies may consider buying dedicated cyber insurance as an additional method to transfer or mitigate risk.
Identify risk from third parties. Third parties – including outsourced IT – may have vulnerabilities of their own. It is important to factor in the risk associated with partnering with third parties as companies coordinate their cybersecurity strategy.
Anticipate change. Companies are especially susceptible to risk during times of change: when they move into new markets overseas, adopt new technologies with unknown vulnerabilities or bring third-party vendors into the fold. Boards need to be sure that they understand the new vulnerabilities that emerge as the organization evolves.
4. Assess Current Cybersecurity Practices
Boards should consider the following questions when assessing their preparedness:
- Does executive leadership have a clear and consistent understanding of cybersecurity relative to the business?
- Does management understand its responsibility for cybersecurity and have an adequate system of controls in place?
- Is the cybersecurity budget appropriately funded?
- Is the organization’s enterprise risk management program appropriately staffed and resourced given the types of risk assessed?
- Are there clear policies and procedures in place in the event of a breach?
- Is the company’s disclosure response in line with SEC guidelines and shareholders’ expectations?
In addition to internal audits and briefings, our panelists recommended hiring an outside auditor to evaluate the company’s level of preparedness for a breach. Resistance to bringing in outside consultants is a red flag that the current cybersecurity practices and technologies may need updating. Having brought in an outside expert can also pay off later, in the event of a breach: if you can show on record that you have had experts in, you have a paper trail documenting your preparedness efforts. Many companies lack the internal security expertise to run a cybersecurity program on their own, and the board plays an important role in mandating the use of outside experts.
5. Plan & Rehearse
When a breach occurs, there will be pressure to move quickly. You will have to make a series of decisions in a matter of hours. Therefore, it is vital to have policies and procedures in place before a breach occurs.
To prepare for a breach, our panelists recommended boards:
Review management’s response plan. Boards should ask to see management’s response plan to potential cybersecurity breaches. The plan should identify who will be responsible for making decisions when a breach occurs and what actions the company will take in the event of a breach. Some questions to consider:
- Under what circumstances will the company make a public announcement, and when?
- Do you need to send notice to your customers?
- Under what circumstances will you call law enforcement?
- In the event of a breach, will you bring in a forensic group? If so, will the forensic team report to the board or management?
Do a tabletop exercise. It may be helpful to do a “dry run” of a breach. The time you invest will help you deal more effectively with an actual breach. Analyze what works and what doesn’t, and modify your plan as necessary.
Create a rapid response team. A dedicated team ready to act in the event of a breach helps ensure that your response goes smoothly.
Establish a relationship with law enforcement. If you already have a relationship with law enforcement, you’re ahead of the game in the event of a breach.
When it comes to cybersecurity, vigilance is key. Boards must ensure there is executive ownership, ideally at the top with the CEO, and that the management team and IT keep security top of mind as they make decisions about new programs and products.
Even with the best plans in place, it’s important to recognize that cyber risk cannot be completely eliminated.
Breaches are inevitable, but boards can mitigate risk and damages by staying informed and ensuring that, in the event of a breach, their company is prepared to respond.