We have previously reported on the great, community coordinated and extensively vetted work on cyber risks and governance by organizations like The Institute of Internal Auditors (IIA), The Information Systems Audit and Control Association (ISACA),The Internet Security Alliance (ISA), and The National Association of Corporate Directors (NACD). For example, see our post titled Cyber Security and Corporate Governance: The five principles every corporate director should embody. The principles there and the execution tips provided in that post remain valid, with the only big change being there is even more of a sense of urgency now.
Another source of insight we like is the Security and Exchange Commission. The recommendations and guidance they have been putting out is in consonance with NACD (which is good don’t you think) and is absolutely worth reviewing.
All board members should take a look at the SEC Guidance on disclosure obligations relating to cybersecurity risks and cyber incidents.
Another reference with good context is the very simply articulation of cyber risk actions plans for boards provided by SEC Commissioner Luis A. Aguilar in a June 2014 presentation at the “Cyber Risks and the Boardroom” conference at the New York Stock Exchange titled “Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus.”
Here is the gist of what he recommends:
- Cyber-risk must be considered as part of the board’s overall risk oversight (“boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”)
- Boards should assess the corporation’s cybersecurity measures including corporate policies and annual budgets for privacy and IT security programs.
- Consider the creation of a separate enterprise risk committee on the board (this is already required by Dodd-Frank for large financial institutions).
- Ensure the company have the right personnel to carry out effective cyber-risk management and provide regular reports to the board on breaches and IT risks. Know who is responsible for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices.
- Prepare for breach! The company must be ready to respond fast. There is no one-size-fits-all way to do this, but preparation is key. Response plans should include a communications and crisis response plan.
- Take action to curtail the knowledge gap and focus director attention to known cyber-risks. This could include mandatory cyber-risk education for directors, or ensuring that the board be at least adequately represented by members with a good understanding of information technology issues that pose risks to the company.
We we so glad to see this point about the need for boards to take action to address the knowledge gap. The entire thesis of our book on The Cyber Threat is that this knowledge gap needs to be addressed right away so better decisions can be made. For boards that are looking for more, including tailored threat briefs, quick turn cyber assessments or longer term end to end cyber posture evaluations please Contact Us Here.
- An OODAcast Conversation with Dr. David Bray of the Atlantic Council Geotech Center (Part One) - April 3, 2020
- OODAcast– A Conversation with Dan Gerstein - April 1, 2020
- Update on The End Coronavirus Project and Need for Volunteers - March 28, 2020