Home > Audit, Compliance, COSO, Cyber, Governance, GRC, ISO, IT, Risk, Technology > Board Oversight of Cyber-Risks

Board Oversight of Cyber-Risks

Over the last few years, “cyber” has moved from science fiction to business reality. I am not sure why we changed from talking about information security to cyber, but I am told (yet not convinced) that there is a difference.

In any event, boards and top management need to be concerned with cyber-risks because of the potential harm an adverse incident can cause to the organization’s reputation and trust, intellectual property, and compliance with applicable laws and regulations – and the business disruption can be even greater.

But how much should boards get involved? Should we expect directors to ask for and inquire about details, or should they instead ask probing questions and satisfy themselves that management has appropriate mechanisms in place?

Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).

I like their five principles, especially the first two:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

While some would like to see information security (a.k.a. cybersecurity) as an issue that merits attention all by itself, the potential effect on the entire business and its ability to achieve its objectives justifies cyber being recognized as a business and not “just” an IT issue.

In fact, the level of risk associated with any cybersecurity failure should be measured like any risk, in terms of its effect on the achievement of enterprise objectives. This means that the interrelationship between cyber and revenue generation, customer satisfaction, and so on all need to be considered.

In addition, the investment the organization makes in cybersecurity should be commensurate with the level of risk and balanced against competing needs for capital from other aspects of the business.

Should there be an IT committee of the board? Should the board have several cyber experts who can understand and provide effective oversight? I think the answer is “it depends” – on the level of risk that cyber represents to the organization and whether the board can use the services of experts (such as within risk management and/or internal audit) to fill any knowledge gaps.

I agree with the NACD that the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. I believe they should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programs for managing it.

Do you agree?

 

Related articles

  1. Alan Proctor
    June 29, 2014 at 8:21 AM

    Amen, Norman, you’re preaching my favorite sermon!

  1. June 29, 2014 at 1:18 PM
  2. June 30, 2014 at 4:32 PM
  3. August 28, 2014 at 10:04 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: