A cybersecurity action plan for corporate boards

The following is part of a series of concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.

This blog summarizes Chapter 10: A cybersecurity action plan for corporate boards, by the Internet Security Alliance (ISA) and NACD (Larry Clinton, CEO of ISA, and Ken Daly, President and CEO of NACD). Please refer to the original article for any direct quotations.

With the advent of the digital age, corporate boards are faced with a set of unique challenges. For one, 80% of the corporate assets of Fortune 500 companies now consist of intellectual property and other intangibles. This means that the traditional view of assets, and of dealing with their associated risks, has changed quite dramatically. Corporate assets now come with a whole new set of threats, and cyber threats are probably among the most significant new threats that boards need to tackle.

It is imperative that cyber risk be seen as a central feature of the business, and cybersecurity is as important to business success as legal and financial considerations.

Are corporate boards concerned about cybersecurity?

Over the past few years, corporate spending on cybersecurity has doubled to over $100 billion a year. Recent surveys indicate cybersecurity is now at the top of the list of priorities of corporate boards – above leadership succession.

Despite the fact that statistics show that boards are more aware and interested in cybersecurity, there is a lot of uncertainty about how to approach the issue, due to the ‘novelty and complexity’ of cyber risks.

One recent survey shows that:

  • nearly 50% of directors had not discussed the company’s crisis response plan;
  • 67% had not discussed cyber insurance coverage in the event of a breach;
  • nearly 60% had not discussed engaging an outside cybersecurity expert;
  • more than 60% had not discussed risk disclosures in response to SEC guidance;
  • approximately 80% had not discussed the National Institute of Standards and Technology (NIST) cybersecurity framework.

A corporate board action plan for cybersecurity

The Cyber-Risk Oversight Handbook for corporate boards, published by the NACD in June 2014, provides five core principles for corporate boards to enhance their cyber risk oversight.

  1. Understand that cybersecurity is an enterprise-wide risk management issue

Boards should avoid falling into the trap of asking ‘what should we do if we have a breach?’ – which is reactive – and rather focus on proactive measures to manage the risks that breaches create. Virtually all companies will be successfully breached if an attacker has enough desire and intent.

Boards should also avoid the common mind-set that cybersecurity is solely an IT issue that can be addressed with technical solutions. The biggest vulnerability in cyber systems is people – whether disgruntled, ill-informed, poorly trained, distracted, or corrupted employees.

The Institute of Internal Auditors recommends an internal annual health check of the organization’s cybersecurity program that covers all elements of the organization’s cybersecurity, including an assessment of whether the enterprise risk levels have improved or deteriorated from year to year. Furthermore, it notes that “Sarbanes-Oxley compliance provides little assurance of an effective security program to manage cyber risks.”

  2. Directors must understand the legal implications of cyber risk

Boards should be fully aware of the legal ramifications a breach poses to the company on an individual and collective basis.

Directors should maintain records of discussions related to cyber risks at board meetings. This should include updates about specific risks, feedback about the company’s overall cybersecurity, and how it is addressing risks.

Board members should also record evidence that they have sought out specialized training to educate themselves about cyber risk.

The board should also be fully aware of all the critical data being managed by third parties, request audits of its third-party providers and ensure it has the appropriate agreements in place with these organizations. The board should encourage the development of a “chain of trust” where third-party providers request similar agreements with their downstream relationships.

  3. Board members need adequate access to cybersecurity expertise

Board members do not usually possess the required know-how to deal with cyber risks, and lack the time to become properly educated on the subject.

Some boards now recruit independent experts to provide cybersecurity expertise for this reason, while others have created dedicated audit committees for dealing with cyber risks.

Another option is to empower the board to ask the right questions. The NACD Cyber-Risk Oversight Handbook provides a list of five to ten simple and direct questions for board members to ask.

  4. Directors need to set an expectation that management has an enterprise-wide cyber risk management framework in place

The following actions are recommended to employ an enterprise-wide approach:

  • Establish leadership with an individual with cross-departmental expertise.
  • Appoint a cross-organization cyber risk management team including all relevant stakeholders (e.g., IT, HR, compliance, GC, finance, risk).
  • Meet regularly and report directly to the board.
  • Develop an organization-wide cyber risk management plan with periodic test reports and refinements.
  • Develop an independent and adequate budget for the cyber risk management team.

  5. Based on the plan, management needs to have a method to assess the damage of a cyber event, and to identify which risks can be avoided, mitigated, accepted, or transferred through insurance

Organizations must establish which data, and how much, the organization is willing to lose or have compromised. Risk mitigation budgets must then be allocated appropriately between defending against basic and advanced risks. For instance, the marketing department may want to appoint a specific supplier to undertake some work. The CISO may decide that the vendor does not have adequate security, which places the business under threat. Should the marketing team want to proceed with this plan, the business may decide to transfer some of this risk with the purchase of additional insurance.

“If an organization follows these principles, it should be well on its way to establishing a sustainably secure cyber risk management system.”
