Understanding and managing cyber risk
Last week, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40-50 board members who were very actively involved, because this is a hot topic for boards.
I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.
The set of questions can also be used by executive management, risk professionals, or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.
This is my list:
- How do you identify and assess cyber-related risks?
- Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk, and so on) and not just “IT-risk”?
- How do you evaluate the risk to know whether it is too high?
- How do you decide what actions to take and how much resource to allocate?
- How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
- How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
- Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
- How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
- Can you respond appropriately at speed?
- What procedures are in place to notify you, and then the board, in the event of a breach?
- Who has responsibility for cybersecurity, and do they have the access they need to senior management?
- Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?
I am interested in your comments on the list, how it can be improved, and how useful it is – and to whom.
Good list. I would include the following question:
Does management make an effort to identify the organization’s “crown jewels” (data, information and information systems that the organization cannot afford to lose) to focus its cyber protection strategy or, alternatively, does management view all information assets to be of equivalent value?
Nice to see you in Miami, Norman.
Jim, thanks for the suggestion.
One of the Miami panelists also talked about focusing more resources on the crown jewels than on minor assets.
I made the point that people don’t think about whether any breach could have a significant effect on the achievement of the organization’s strategies and objectives. Management should take each of the above and ask what effect, if any, a breach could have.
Norman, very easy to ask questions. The real intellectual discourse is the sharing of possible solutions, not questions. COBIT/NIST/ISO and many others we have all been working on for a long time.
I would turn q’s 1, 2, 7, 9, & 12 into open questions so that the answers are not automatic “yes” and make the respondent think, or follow up the closed question with “how do you know?”
Good thoughts. Will take them with me for an ERM presentation to savings banks shortly.
For those interested in further reading, IRM in London has good material:
https://www.theirm.org/knowledge-and-resources/thought-leadership/cyber-risk/
Kind regards / Per
I think also that one of the important questions is how frequently the company gets independent verification. Depending on the industry and its reliance on IT, each business must get a third party to verify their IT risk policies.