According to the Allianz 2016 Global Risk Report, business interruption and cybersecurity occupied two of the top three risks to businesses. It’s no wonder that with the increased frequency of cyber attacks, data leaks, and computer fraud, cyber risk now nears the top of board and audit committee agendas.
While no two boards of directors are alike, boards in general are responsible for providing appropriate governance and oversight of the management team and for allocating resources to support business objectives and strategic direction. They must account to shareholders (in the case of for-profit companies) or to the public (nonprofit and government organizations) for how funds are spent and for the decisions they make.
Yet when it comes to cybersecurity, these responsibilities become even more challenging. One reason is a lack of expertise. Board members are typically community and business leaders with little background in cybersecurity oversight, which makes it difficult for them to properly oversee something they do not fully understand.
That lack of understanding is hardly their fault. Cyber issues, and IT in general, have typically been “backroom” topics, not boardroom topics, and there has been little visibility or transparency into security processes. This is also why some boards are still unaware of their cybersecurity responsibility.
For instance, in one UK study published this year, only 33 percent of boards had a clear understanding of their cyber risk or had clearly established their “appetite” for such risk.[1] That said, awareness is changing fast. How fast? That 33 percent figure is a huge leap over the previous year, when just 18 percent of boards professed an understanding of their cyber risk.
When it comes to that understanding and to board responsibilities, the financial services industry is leading the way, in part thanks to the specific requirements for boards of directors outlined by the FFIEC. The FFIEC guidance includes a cybersecurity assessment tool to help boards better determine their organizations’ cybersecurity preparedness. Much of the FFIEC standards and guidelines is easily transferable to any board of directors looking for a place to start.
Clearly, security leaders must do a better job of communicating with their boards of directors. In the meantime, boards should be asking their security leaders for answers and assurances. Here are the top questions to ask:
- What are the top five cybersecurity-related risks our organization faces?
- How are we managing these risks?
- How are employees and customers made aware of their roles related to cybersecurity?
- Are external and internal threats considered when planning cybersecurity program activities?
- How is security governance managed?
- In the event of a serious breach, has management developed a robust response protocol?
[1] Cyber Governance Health Check Report 2015, HM Government, May 2016.