As cybersecurity has become a buzzword in the headlines, boards of directors are finding it imperative to formulate policies and provide oversight processes that address these issues. A recent study by Gartner estimates that by 2020, 100% of large enterprises will be asked to report to their board on cybersecurity risks at least annually. Today, only 40% do.
So what should a board do? This article will discuss some of the practical steps a responsible board of any size company should take to reduce cybersecurity risks.
- Assess Legal Risk. Boards must ensure that they understand the legal implications of cyber risks. Federal and state laws require that customers be notified in the event of a breach, and international laws, including privacy practices, may apply to some companies. Some industries, such as healthcare and financial, also have industry-specific regulations. Boards should also evaluate valuable assets and determine not only how a cyber breach or data loss could impact such assets, but also how to prioritize risk mitigation for the assets most critical to the success of the company.
- Governance. The board must determine who is responsible for managing cybersecurity risks at the board level. Typically, boards delegate cybersecurity oversight to audit committees, which may not be the best choice because they are not traditionally oriented towards matters of innovation, competitiveness, and strategy. Smaller companies may want to consider having someone with a cybersecurity background on or available to the board.
- Talent. A key area of board oversight is ensuring that the company’s organizational structure and internal education are aligned with its cyber-strategy and that management has the skills and experience to execute this strategy. The trend is to appoint CISOs to lead cybersecurity. A corporate culture that includes cybersecurity training is also imperative: studies show that employee lapses are the largest single cause of cyber intrusions.
- Outside Experts. Boards may also want to become more knowledgeable about risks and appropriate policies by hiring outside experts to explain the latest technologies and best practices. Having these experts already on hand in the event of a breach helps to more quickly mitigate risk and provide an effective defense should litigation ensue. Examples of such experts include law firms, audit firms, insurance brokers, and communications firms. Resistance to hiring outside consultants is often a red flag that the current cybersecurity practices and technologies need updating.
- Insurance. The board should determine whether the company’s insurance covers cyber risks appropriately. Cyber insurance is dynamic and ever-evolving, so companies need procedures to periodically review policies and update coverage. Among the coverages to look at today are:
  - Business interruption coverage
  - Cyber extortion coverage
  - Digital asset restoration coverage
  - Third-party business interruption coverage (e.g., a cloud provider is down)
- Required Disclosures. The SEC has issued guidance on disclosing material cyber risks and incidents, but few companies currently do this. Companies should anticipate that cybersecurity whistleblowers will be increasingly active in the future. Boards should ensure that the company has provided procedures for whistleblowers to report internally and that managers have been trained on the scope of cybersecurity whistleblower complaints and how to escalate any such issues.