When a powerful entity like Lloyd’s of London moves cyber risk from #12 on its board agenda to #3 just two years later, as they did in 2013, it should serve as a wake-up call for other boards of directors to take similar action.
How knowledgeable is your board about cyber risk? Are you actively assessing and managing cybersecurity risks? If your company had a cybersecurity breach today, would you have a plan for mitigating it? Do you know how a cyber breach would affect your organization? These are all questions that form the basis for board discussions around cyber liability.
Boards of Directors Should Be Aware of Data on Cyber Risks
One of the most important board concerns is also one of the issues that board directors know the least about – cyber risk. This is largely because technology is evolving quickly to improve the ways that companies do business, and security threats are moving just as fast, posing a cyber liability risk to businesses.
As board directors become increasingly aware of cyber liability concerns, they need to place a higher priority on cyber risk assessment and cybersecurity risk management.
A governance audit committee reported that only 21% of boards thought the cybersecurity in their company was well under control. Another facet of the study reported that 66% of board members stated that their IT teams gave them reports only occasionally.
Why Board Directors Should Be Concerned About Cyber Risk
Cyber risk is the risk that someone breaks into a company’s information technology systems and steals information, or causes those systems to shut down. Board directors can learn a lot from some recent, major cyber breaches about how to assess and manage cyber risks. Let’s look at an example.
In 2015, the U.S. Office of Personnel Management was hacked, exposing personal data about more than 18 million current and former federal employees. Hackers stole important information, including security clearance information and personal data like dates of birth, addresses and Social Security numbers.
Cybersecurity Ventures conducted an analysis of cyber liability risks and reported that the estimate of cybercrime costs in 2015 was $3 trillion. The organization anticipates that cybercrime will intensify and reach $6 trillion by 2021.
What Are the Risks of Not Having Cybersecurity Risk Management?
As the breach of the U.S. Office of Personnel Management example shows, companies have much to lose by not actively managing cyber risks. Companies stand to have many types of information stolen, such as:
- Employees’ personal information
- Vendor information
- Client information
- Intellectual property
- Manufacturing patents
- Chemical formulas
- Financial loss/fraudulent transactions
When a company becomes the victim of a cybersecurity breach, the board of directors may have to answer, during regulatory investigations, for failing to take action to prevent such a risk.
Media coverage of major cyber breaches damages the company’s reputation, which in turn affects profit margins.
Since boards of directors will be held accountable for cyber liability, they need to accept responsibility for managing it on the front end to protect their companies and themselves.
How Do Boards Set Up Cyber Risk Assessment Measures?
At a minimum, boards of directors need to place a higher priority on cyber risk discussion on their board agendas. Their discussions should include asking for reports from the IT department at least quarterly. Board directors should insist that IT reports include trends and emerging IT vulnerabilities.
The board may also consider hiring outside experts, either to work directly with their IT teams or to make presentations to the board about how they can oversee and manage cyber risks.
Management Expectations on Cyber Risk Management
Cyber risk management includes making sure the company has adequate staff and knowledge regarding cybersecurity threats and that they have the budget to address up-front concerns. Board directors may also consider requiring management to set up company-wide training on cyber risk.
As a further initiative, board members may opt to tie in cyber risk management issues with CEO incentive plans.
Board Oversight for Cyber Risk Management
Boards have many tasks before them as they assess and manage cyber risks. Board members need to make decisions about how and when the board gets information on cyber risk, how they will prevent cyber risk and how they will mitigate it if a breach occurs.
Boards of directors may decide to delegate the responsibility for cyber risk management to an audit committee or IT committee rather than managing it themselves. Board directors should be aware that audit committees don’t usually have an adequate level of technology expertise to make informed recommendations on IT security threats.
Cyber risk legal experts are an excellent resource for boards in assessing legal risks. Companies will need a plan on how to notify their customers in the event of a cybersecurity breach. Some companies also need to comply with privacy practices or international laws.
During board discussions with IT teams, board directors need to ask how the organization’s specific risks can be identified and mitigated. Cyber insurance policies allow board directors to transfer or mitigate cyber risks in the event of a breach, so boards also need to work with IT and financial committees to assess their cyber insurance plans. Board members need to review their insurance policies to make sure they cover cybersecurity breaches and that the limit of liability is at least equal to the company’s assets.
There is value for boards of directors in bringing in an outside auditor to assess the company’s risk if a breach were to occur. An auditor’s report could be a valuable tool in guiding board discussions. The auditor’s report may be even more valuable if the board faces a regulatory investigation because it could show that they took an active approach to cybersecurity issues by bringing in an expert.
Cyber Risk as a Part of Overall Board Planning
There’s no question that cyber risk issues are here to stay. Boards cannot eliminate the potential for cyber threats, but they can – and should – make plans to mitigate them.
Cyber expertise is also something to consider when planning for the diversity of the board. This is a good time to review how recruiting a board member with knowledge of and expertise in cyber risk might be an asset to your organization.
The most important steps for boards to take are to assess cyber risk, manage it and have a plan in place to mitigate a breach if it happens. Boards should also consider rehearsing their mitigation plan to learn from any matters they may not have thought of previously. Just as in a theatrical play, you don’t want to wait until opening night to discover that there is a major problem that can’t be overcome.