Nearly 90 percent of directors at public companies say their board discusses cyber-risk regularly, yet only 14 percent of boards have in-depth knowledge of cyber-risks, according to a survey by the National Association of Corporate Directors (NACD), cited by Internal Auditor.
Almost 60 percent of respondents reported that they find it challenging to oversee cyber-risk. At 51 percent of publicly listed companies, cyber-risk oversight falls to the audit committee, but 96 percent of directors surveyed say the full board takes on the big-picture risks that could affect their company's strategic direction.
The most common board cyber-risk oversight practices are reviewing the company's approach to protecting its most critical assets (77 percent) and reviewing the technical infrastructure used to protect those assets (74 percent).
“The cyber-threat picture continues to become more challenging with nation-state attacks against both public and private sectors,” the study's authors say. “Industry needs to demonstrate leadership in promoting enhanced cyber defense.”
When setting cyber-risk priorities, NACD recommends that directors and management focus on the following areas of concern:
- What data, and how much data, are we willing to lose or have compromised?
Discussion of risk tolerance helps identify the level of cyber-risk the organization is willing to accept. A key step is distinguishing mission-critical assets from data that is less essential.
- How should our cyber-risk mitigation investments be allocated among basic and advanced defenses?
When addressing more sophisticated threats, management should concentrate on advanced defenses for the company's most critical data. Most organizations would agree with this in principle, yet research from the Armed Forces Communications and Electronics Association (AFCEA) indicates that companies typically apply security measures uniformly across all data and functions. The same AFCEA study, cited by NACD, notes that protecting low-impact systems and data against sophisticated threats can require more investment than is warranted. For those lower-priority assets, organizations should consider accepting more risk than for higher-priority assets, since the cost of defending them will likely exceed the benefit. Boards should encourage management to frame cybersecurity investments in terms of ROI and to reassess that ROI regularly, because both the cost of protection and the company's asset priorities change over time.
- What options are available to help us transfer certain cyber-risks?
Organizations of all industries and sizes have access to cyber-insurance and related services that can help mitigate and transfer some cyber-risk. Beyond coverage for financial loss, such policies can cover property damage and bodily injury resulting from a cyber breach. Some also include access to proactive tools, employee training, IT security services and expert incident response, adding a further layer of protection and expertise. The inclusion of these value-added services further underscores the importance of moving cybersecurity out of the IT department and into enterprise-wide risk and strategy discussions at both management and board level. When choosing a cyber-insurance partner, an organization should select a carrier whose global capabilities, expertise, market experience and capacity for innovation best fit its needs.
- How should we assess the impact of cyber events?
Conducting a proper impact assessment can be challenging given the number of factors involved. To take just one example, publicity about data breaches can substantially complicate risk evaluation. Employees, customers, suppliers, investors, the press, the public and government agencies may see little difference between a comparatively small breach and a large, dangerous one. As a result, damage to reputation and share price may not correspond directly to the size or severity of the event. The board should seek assurances that management has carefully thought through these implications in devising their priorities for cyber-risk management.
Here is a list of questions boards can ask management once a breach has been discovered:
- How did we learn about the breach? Were we notified by an outside agency, or was the breach found internally?
- What do we believe was stolen?
- What has been affected by the breach?
- Have any of our operations been compromised?
- Is our crisis response plan in action, and is it working as planned?
- Is the breach considered “material information” requiring prompt disclosure and, if so, is our legal team prepared for such notifications? Who else should be notified about this breach?
- What steps is the response team taking to ensure the breach is contained and the attacker no longer has access to our internal network?
- Do we believe the attacker was an internal or external actor?
- What weaknesses in our system allowed it to occur (and why)?
- What steps can we take to make sure this type of breach does not happen again, and what efforts can we make to mitigate any losses caused by the breach?