This special supplement to Jim DeLoach’s recent blog post provides several questions to empower effective conversations about the state of a company’s cyber-risk oversight practices.
I recently shared several business realities that boards should consider as they oversee cybersecurity risk. These realities point to the need for companies and their boards to ensure that cyber-risk management efforts are focused, targeted, cost-effective, and continuously improving. While these realities are important to bear in mind, the board must inform its understanding of the company’s cyber-risk capabilities by asking the right questions.
Following are suggested questions that directors may consider, in the context of the nature of the entity’s risks inherent in its operations.
- As a board, are we sufficiently engaged in our oversight of cybersecurity? For example:
- Do we include cybersecurity as a core organizational risk requiring appropriate updates in board meetings?
- Do we have someone on the board, or someone advising the board, who is the point person this topic?
- Are we satisfied that the company’s strategies for reducing the risk of security incidents to an acceptable level are proportionate and targeted?
- Does the board receive key metrics or reporting that present the current state of the security program in an objective manner?
- Is there a policy on securing board packets and other sensitive material communicated to directors? If not, is there potential exposure from sharing confidential information through directors’ personal and professional email accounts and free file-sharing services that are not covered by the company’s cybersecurity infrastructure?
- Have we identified the most important business outcomes (both unanticipated successes of the digital initiative, as well as adverse events) involving critical data and information assets (the crown jewels)? With respect to those outcomes occurring:
- Do we know whether and how they are being managed?
- Does our security strategy differentiate them from general cybersecurity?
- Do we assess our threat landscape and tolerance for these matters periodically?
- Are we proactive in identifying and responding to new cyber threats?
- Does the company have an incident response plan? If so:
- Have key stakeholders supported the development of the plan appropriate to the organization’s scale, culture, applicable regulatory obligations and business objectives?
- Have we thought about the impact specific cyber-events can have and whether management’s response plan is oriented properly and supported sufficiently?
- Is the plan complemented by procedures providing instructions regarding actions to take in response to specific types of incidents? Do all the stakeholders for a planned response know their respective roles and responsibilities? Is it clear for which events the board should play a key role in overseeing the response efforts?
- Are effective incident response processes in place to reduce the occurrence, proliferation, and impact of a security breach?
- Are we proactively and periodically evaluating and testing the plan to determine its effectiveness? For example, does management have regular simulations to determine whether the detective capabilities in place will identify the latest attack techniques?
- In the event of past significant breaches, have we made the required public disclosures and communicated the appropriate notifications to regulators and law enforcement in accordance with applicable laws and regulations?
The dialogue resulting from these questions stand to lead to improvements in cybersecurity, if any are needed. Be sure to check out my earlier blog for further discussion of this important topic.
Jim DeLoach is managing director at Protiviti.