Some 59% of directors report that their boards find it challenging to oversee cyber risk, and only 19% report that their boards possess a high level of knowledge about cybersecurity, according to a study by the National Association of Corporate Directors.
“Directors continue to wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge of this growing risk,” authors of the study note.
More than two-thirds of directors feel confident, and five percent even very confident, that their company is properly secured against a cyberattack; yet, respondents say, many of their boards may lack the expertise or the information needed to confidently assure that cybersecurity defenses are indeed effective.
The main cyber threats companies are not prepared for are outsider attack (43%), data vulnerability (38%), insider sabotage (35%), user errors (35%), and phishing (35%), according to a Bitdefender survey of US IT decision makers. Outsider attacks and data vulnerability pose a significant risk for all companies and represent the main threats that companies are unprepared to handle, and CIOs are aware that cybercriminals can spend large amounts of time inside organizations without being detected.
In case of a breach, NACD recommends directors and management focus on the following areas of concern:
- What data, and how much data, are we willing to lose or have compromised?
Discussions of risk-tolerance will help identify the level of cyber-risk the organization is willing to accept. A key step is distinguishing between mission-critical assets and data that is less essential.
- How should our cyber-risk mitigation investments be allocated among basic and advanced defenses?
When considering how to address more sophisticated threats, management should focus most on sophisticated defenses designed to protect the company’s most critical data. While most organizations would agree with this, research from the Armed Forces Communications and Electronics Association (AFCEA) indicates companies typically apply security measures equally for all data and functions. The same AFCEA study, cited by NACD, notes that protecting low-impact systems and data from sophisticated threats could require greater investment than warranted. For those lower-priority assets, organizations should consider accepting more security risk than for higher-priority assets, as the costs of defense will likely exceed the benefits. Boards should encourage management to frame cybersecurity investments in terms of ROI, and to reassess ROI regularly, as the costs of protection and the company’s asset priorities will change over time.
- What options are available to assist us in transferring certain cyber risks?
Organizations of all industries and sizes have access to end-to-end solutions that can help mitigate and transfer some cyber-risk. Beyond coverage for financial loss, these tools can help mitigate the risk of property damage and bodily injury resulting from a cyber breach. Some solutions also include access to proactive tools, employee training, IT security and expert response services, adding another layer of protection and expertise. The inclusion of these value-added services further underscores the importance of moving cybersecurity outside of the IT department and into enterprise-wide risk and strategy discussions at both management and board levels. When choosing a cyber-insurance partner, it is important for an organization to choose a carrier with the breadth of global capabilities, expertise, market experience, and capacity for innovation that best fits the organization’s needs.
- How should we assess the impact of cyber events?
Conducting a proper impact assessment can be challenging given the number of factors involved. To take just one example, publicity about data breaches can substantially complicate risk evaluation. Employees, customers, suppliers, investors, the press, the public and government agencies may see little difference between a comparatively small breach and a large, dangerous one. As a result, damage to reputation and share price may not correspond directly to the size or severity of the event. The board should seek assurances that management has carefully thought through these implications in devising their priorities for cyber-risk management.