The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.
This blog summarizes Chapter 16: Oversight of compliance and control responsibilities by Elizabeth McGinn, Rena Mears, Stephen Ruckmanm, Tihomir Yankov, and Daniel Goldstein of Data Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC. Please refer to the original article for any direct quotations.
Corporate cybersecurity is no longer the sole realm of the IT department: Nowadays, data is recognized as a core business asset, valuable to companies and cyber criminals alike. The enterprise risk caused by cyber threats to data therefore requires a holistic approach to cybersecurity; oversight of cybersecurity compliance and controls must be a C-suite, boardroom, and senior management responsibility.
Cybersecurity oversight is risk management oversight
Risk management aims to identify the risks a company faces and mitigate them to a level determined by the company’s risk appetite. As data risk encompasses the risk of financial losses; business disruption; the loss or compromise of assets and information; the failure to meet legal, regulatory or contractual requirements; and reputational damage, effective oversight of cybersecurity is essential to corporate oversight of risk management.
Two core components of a corporate cybersecurity program must be overseen at the highest levels of management to actively confirm that they go beyond mechanical application of generic cybersecurity rules and standards:
- Compliance – The company’s program for ensuring adherence to internal cybersecurity policies and relevant external privacy and data protection laws and regulations.
- Controls – The company’s systems and processes for protecting data.
Cybersecurity risks are partially an extension of data retention risks, so the board and senior management must approach the oversight of cybersecurity compliance and controls from a broader risk management vantage point that considers the value of the data asset.
Board of directors’ role in oversight of compliance and controls
Monitoring the management of data risk associated with cybersecurity is part of the board’s fiduciary duty to the corporation, so it must build cybersecurity oversight into its general strategy for overseeing risk management from day one – not the moment data is actually put at risk – and be well informed about how cybersecurity is managed at all stages of the company’s data risk management lifecycle (identification, design and implementation, monitoring, evaluation, and reporting and reassessment).
All oversight activities must be properly documented so that the board can demonstrate that it is carrying out its fiduciary duties.
Building blocks of effective oversight of cybersecurity compliance
Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by:
- identifying risks
- preventing risks though the design and implementation of controls
- monitoring and reporting on the effectiveness of those controls
- resolving compliance difficulties as they occur
- advising and training.
In order to do this, the C-suite should implement an enterprise-wide approach to compliance risk management across the company’s entire ecosystem – including third parties. This should include a cybersecurity risk management plan that is reviewed by the board and regularly updated, and matches what the company actually does rather than being aspirational or hyper-specific.
The cybersecurity compliance team should be independent of the company’s IT and business units, the C-suite should make sure it can test compliance effectively and communicate the results to the board, and the board should make cybersecurity compliance a priority.
Building blocks of effective oversight of cybersecurity controls
When implementing cybersecurity controls, many companies focus on prevention and detection and fail to address remediation – such as incident response plans. Boards should recommend the appointment of a permanent incident response team.
They should also oversee the lines of communication between the business areas that use the cybersecurity controls, prioritize regular staff training on cybersecurity threats, and ensure that cybersecurity controls are properly funded.
Drafted policies and procedures are often disconnected from operational practices and technology infrastructure; cybersecurity policies and procedures are, however, effective only if they are tailored specifically to the company.
Boards should also be aware that the Federal Trade Commission (FTC) views the disconnect between cybersecurity policies and procedures and their actual implementation as unfair trade practices under Section 5 of the FTC Act.
The cybersecurity program should be monitored and its effectiveness evaluated. The metrics used must be clearly defined and meaningful, and should measure progress against a clearly stated objective.
Data security is no longer a cost of doing business but a core component of remaining in business. Resources must therefore be appropriately allocated to meet risks. Budgeting must enable the company to deploy the right people, processes, and technology to truly address the company’s security needs.
The human element is frequently the weakest link in an otherwise solid data security program so resources must be dedicated to personnel training. Staff must both be proactive in safeguarding data and recognize attempts by unauthorized parties (via phishing attacks, for example) to gain network access.
Once implemented, a cybersecurity program needs active management to maintain success.
The C-suite must strive to employ strong cybersecurity compliance and control measures that go beyond mechanical satisfaction of applicable legal rules, and the board has an obligation to ensure that these measures are adopted. Only with consistent C-suite involvement and strong board oversight — informed by an understanding of data risk as a central enterprise risk — can cybersecurity challenges be handled effectively.
Best-practice cyber risk management
The international standard ISO 27001 sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cyber security is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
Certification to the Standard demonstrates to investors, stakeholders, customers, and staff that information security best practice is being followed.