
10 cybersecurity questions to ask at the next board meeting

Read time: 5 minutes

Every organization faces an exponential increase in potential cyberattacks from ever-changing, intelligent and complex adversaries, which “guarantees a volatile risk environment which will only demand more time, attention, and focus from corporate directors” (see Forbes, Dec. 15, 2022). In 2022 alone, IBM confirmed that the global average cost of a data breach was $4.35 million.

Preparing for an attack

Cyber risk is “an enterprise-wide risk management issue, rather than a pure IT security issue” (see Deloitte, 2021), meaning that it is crucial for corporate boards to understand why and how cyber breaches affect their companies and what they can do to mitigate that risk. To ensure that corporate board members are prepared for this complex and changing environment, we have set out 10 key questions that each board member should ask themselves and/or the wider board.

1. What and where are your company’s technology-based assets?

By determining a company’s online and technology-based assets (including customer details, key financial data and/or trade secrets), the board can ensure that its cybersecurity plan properly protects all exposed assets.

2. What cyber insurance does the company benefit from and when was it last reviewed?

With cyberattacks increasingly inevitable for many organizations, the board needs to ensure that any risk that cannot be fully mitigated by the company is insured. Therefore, it is important for the board to be aware of what cyber insurance it benefits from and whether it is likely to cover the possible consequences of an attack. This analysis should include the business stakeholders, as well as the IT department, to ensure that the analysis is holistic.

3. How do your company’s employees and third-party contractors interact with the company’s cyber assets?

Understanding whether key business associates, stakeholders, contractors and others have access to the company’s network and data will help inform the company of its risk exposure. Cyber policies can then be implemented to better protect the company’s technological assets. At the same time, the company should review any business agreements and contracts for gaps in coverage, and should ensure that it is sufficiently protected under any agreements that include indemnification language that could expose the company to liability.

4. What are the legal, regulatory and reputational consequences of a cyberattack on your company?

As the threat of a cyber event increases, so does the compliance landscape around data protection. It is important for the board to understand what the impact of a cyberattack would be – not only on its networks, data and potential business interruption – but on the legal, regulatory and reputational consequences as well. It may be advisable to bring in a speciality consultant to ensure that the full ramifications of an attack have been considered and understood (see World Economic Forum).

5. Who at the company owns the cybersecurity risk portfolio? Does the business have sufficient capacity to deal with cybersecurity issues?

The board should understand where the day-to-day responsibility for cyber threats sits within the business and should make sure it is clear whether the board itself or a specialized committee is responsible for oversight of those persons (see Deloitte). In some cases, companies will not have the internal capacity to address cybersecurity and should consider hiring a third-party expert (see Security).

6. What cyber expertise exists at the company’s board level?

While strategic, financial and increasingly ESG knowledge are expected at the board level, the growing prevalence of cybersecurity risks means that a specific cyber committee should be formed at the board level (see Forbes), and the board should include a member with sufficient experience to ensure that cyber governance by design is implemented at the company (see Deloitte).

7. In the event of a cyberattack, what is the company’s plan to mitigate its impacts and consequences?

The company must have a comprehensive plan to deal with a cyberattack, which the board must understand. First and foremost, there should be clear lines of responsibility in the event of a cyber event. It is also important that any incident plan is stress-tested to ensure it is workable. Anything “too long, or too detailed, or simply too confusing” would indicate that a new plan should be developed (see Financier Worldwide, Jan. 2023).

8. What is the reporting structure to the board regarding cybersecurity issues, and at what frequency does the board receive reports on cyber issues?

The board should consider requiring regular reporting in line with strategic and financial reporting, so that cybersecurity becomes (if it is not already), and remains, a fundamental component of board decisions (see Deloitte).

9. What cybersecurity policies are in place at the company? How does the company ensure that its employees, contractors and other third parties comply with the policies?

The board should ensure that a formal structure within the company addresses cybersecurity measures (see Financier Worldwide, Jan. 2023) and sets out cybersecurity policies for the company. The board should ensure that regular and mandatory training is a key aspect of the governance plan in relation to cybersecurity and verify that it is provided on a regular basis.

10. Specifically, how does the company ensure that online meetings are kept private and secure in the increasingly hybrid working world?

A significant amount of a company’s calls and meetings happen online, especially post-COVID-19, and this presents a specific and large target for cyberattacks. Accordingly, it is important that the board take extra precautions in preserving the privacy of its meetings (see Deloitte).

Conclusion

The board has an important role in making certain that cybersecurity is understood and that attendant risks are sufficiently addressed. To be equipped to deal with any cybersecurity issue, the board must understand the company’s risk exposure, have the right team or person in place to analyze and address its cyber-risk exposure, and have sufficient security and mitigation policies in place to protect the company. By asking the above 10 questions, board members will be better able to understand and address the increasing cybersecurity risks that their company faces.
