Almost two-thirds of managers surveyed by Gartner say IT risk management data influences board-level decisions, and boards have begun to acknowledge that they must be directly involved once a breach is discovered and business results are at risk. Because incident response decisions have to be made quickly, board members need to see the big picture and ask the right questions.
The board’s role is to bring judgment to bear and provide effective guidance to management, ensuring the company’s cybersecurity strategy is appropriately designed and sufficiently resilient. When a data breach occurs, the board’s reaction is critical to preventing lost business and protecting the company’s reputation. Recent surveys show that boards of directors have begun to treat cybersecurity as a serious risk-oversight issue with strategic, cross-functional, legal and financial implications.
“Directors need to continuously assess their capacity to address cybersecurity, both in terms of their own fiduciary responsibility as well as their oversight of management’s activities, and many will identify gaps and opportunities for improvement,” guidelines from the National Association of Corporate Directors (NACD) advise. “While the approaches taken by individual boards will vary, the principles in this handbook offer benchmarks and a suggested starting point. Boards should seek to approach cyber risk from an enterprise-wide standpoint; understand the legal ramifications for the company as well as the board itself; ensure directors have sufficient agenda time and access to expert information in order to have well-informed discussions with management; and integrate cyber-risk discussions with those about the company’s overall tolerance for risk.”
According to the same Gartner survey, previously cited by Business Insights, half of respondents indicate that the governance body is involved in assessing and approving security policies, but only 30 percent indicate that business units are actively involved in developing the policies that will affect their operations. This points to a lack of active engagement, although it is a considerable improvement on previous years: the figure was 16 percent in 2014.
“Lack of engagement is a major cause of differing risk viewpoints between the security team and business, resulting in redundant, mismanaged controls, unnecessary audit findings and, ultimately, in reduced productivity,” Gartner adds.
Board-management discussions about cyber risk should identify which risks to avoid, accept, mitigate, or transfer through insurance, and specific plans for each approach, the report shows.
Directors should also understand which “crown jewels” the company most needs to protect, and ensure management has a protection strategy that builds outward from those high-value targets. The board should instruct management to consider not only the highest-probability attacks and defenses, but also low-probability, high-impact attacks that would be catastrophic, the document says.
However, total cybersecurity is an unrealistic goal. A company’s cyber-risk tolerance must be consistent with its strategy and its resource allocation. According to NACD’s recommendations, directors and management teams will need to grapple with questions including:
- What data, and how much data, are we willing to lose or have compromised?
Discussions of risk-tolerance will help identify the level of cyber risk the organization is willing to accept. A key step is distinguishing between mission-critical assets and other data that is important, but less essential.
- How should our cyber-risk mitigation investments be allocated among basic and advanced defenses?
When considering how to address more sophisticated threats, management should place the greatest focus on advanced defenses designed to protect the company’s most critical data. While most organizations would agree with this in principle, research from the Armed Forces Communications and Electronics Association (AFCEA) indicates that companies typically apply security measures uniformly across all data and functions. The same AFCEA study, cited by NACD, notes that protecting low-impact systems and data from sophisticated threats can require more investment than is warranted. For those lower-priority assets, organizations should consider accepting a greater level of security risk than they would for higher-priority assets, since the cost of defending them will likely exceed the benefit. Boards should encourage management to frame cybersecurity investments in terms of ROI and to reassess that ROI regularly, because both the cost of protection and the company’s asset priorities change over time.
- What options are available to assist us in transferring certain cyber risks?
Organizations of all industries and sizes have access to cyber-insurance products that can help mitigate and transfer some cyber risk. Beyond coverage for financial loss, these policies can help cover an organization’s exposure to property damage and bodily injury resulting from a cyber breach. Some policies also include access to proactive tools, employee training, IT security services and expert incident response, adding another layer of protection and expertise. The inclusion of these value-added services further underscores the importance of moving cybersecurity out of the IT department and into enterprise-wide risk and strategy discussions at both the management and board levels. When choosing a cyber-insurance partner, an organization should select a carrier whose global capabilities, expertise, market experience and capacity for innovation best fit its needs.
- How should we assess the impact of cyber events?
Conducting a proper impact assessment can be challenging given the number of factors involved. To take just one example, publicity about data breaches can substantially complicate risk evaluation. Stakeholders (employees, customers, suppliers, investors, the press, the public and government agencies) may see little difference between a comparatively small breach and a large and dangerous one. As a result, damage to reputation and share price may not correspond directly to the size or severity of the event. The board should seek assurances that management has carefully thought through these implications when setting its priorities for cyber-risk management.
Here is a list of questions boards can ask management once a cyber breach is discovered:
- How did we learn about the breach? Were we notified by an outside agency, or was the breach found internally?
- What do we believe was stolen?
- What has been affected by the breach?
- Have any of our operations been compromised?
- Is our crisis response plan in action, and is it working as planned?
- Is the breach considered “material information” requiring prompt disclosure and, if so, is our legal team prepared for such notifications? Who else should be notified about this breach?
- What steps is the response team taking to ensure the breach is under control and the attacker no longer has access to our internal network?
- Do we believe the attacker was an internal or external actor?
- What weaknesses in our system allowed it to occur (and why)?
- What steps can we take to make sure this type of breach does not happen again, and what efforts can we make to mitigate any losses caused by the breach?