11 Key Cybersecurity Factors Every Board of Directors Needs to Know
Cyber risk is business risk. It’s crucial for today’s Board of Directors to ensure their organization has a solid cybersecurity plan. Today’s organizations face ransomware attacks that hold organizations hostage for weeks and completely disrupt business operations, as well as data breaches that can quickly damage an organization’s reputation and drain its finances. In addition, Boards of directors can also be held personally liable for the damages, as seen in the 2019 Yahoo! settlement, when a judge approved a $29 million payout for a derivative lawsuit against the company’s former directors.
For these reasons, boards of directors are increasingly engaged in cybersecurity oversight. A new Gartner report predicts that by 2025, “40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member.”
What cybersecurity information does a Board of Directors need for proper oversight?
Every Board needs to ensure that a designated member has a clear understanding of the organization’s risk posture and controls with regards to cybersecurity. The Board of Directors should not be shy when it comes to requesting information about cybersecurity from management. Here is a list of cybersecurity information that every Board of Directors should consider requesting.
- Statement of Applicable Laws, Regulations, and Obligations – The Board of Directors needs to understand what legal, regulatory, and contractual obligations apply to the organization with respect to cybersecurity. This is especially important because new cybersecurity-related laws have emerged rapidly. A qualified cyber attorney should evaluate the organization’s regulatory and contractual obligations with respect to cybersecurity. This assessment should take into account the company’s industry, geographic areas of service, type and volume of information stored, key existing contracts, insurance coverage, and any other factors that counsel believes is relevant. Then, counsel should produce a written statement summarizing the organization’s obligations with respect to cybersecurity, as detailed in the previous section. This statement should be reviewed and updated annually so that the Board can ensure that the organization remains up-to-date with respect to legal obligations.
- Inventory of Data – The Board needs to be aware (at a high level) of the volume and types of sensitive data that the organization stores. It is wise to request a high-level inventory of the sensitive data that the organization stores, along with information about where it is stored and who may access it. This inventory will also be necessary for counsel to produce an accurate statement of applicable laws, regulations, standards and obligations. To simplify this report, the organization can classify data into categories based on regulatory requirements and security risks.
- Board Oversight Responsibilities – The Board’s minimum responsibilities are often defined by law, regulatory guidance, or industry standards. The exact roles and responsibilities vary depending on the nature of the organization and the information it holds. Each Board should ensure that a qualified person is assigned the task of researching the Board’s responsibilities and ensuring that the Board’s oversight processes are in line with requirements.
- Risk assessment report – Organizations should have a cybersecurity risk assessment report produced by a third party, with a one-page summary suitable for an annual presentation to the Board of Directors. This risk assessment should be aligned with all applicable laws, regulations, standards and contractual obligations. Leadership may want to consider using a common risk assessment framework such as the NIST 800-30 standard, which typically aligns with many industry requirements. This helps the organization identify risks, so the Board can accept and prioritize risk reduction activities. This is a good first step in creating a risk management plan.
- Cybersecurity controls assessment – This controls assessment should be based on a widely accepted framework, such as the NIST Cybersecurity Framework or similar. This type of assessment typically evaluates the current cybersecurity program, compares it to the organization’s cybersecurity goals, and helps define a prioritized plan to increase cyber maturity over time. Again, the organization’s cybersecurity framework should be selected to align with all applicable laws, regulations, standards, and contractual obligations. It is best to get a third-party assessment with a one-page summary suitable for an annual presentation to the Board.
- Technical test results – Each organization should have annual security assessments that vary depending on the organization’s needs. Technical testing should include appropriate penetration testing/vulnerability scanning of the organization-maintained resources, as well as configuration reviews for any cloud assets containing high-risk data (i.e., Office365), web app assessments, etc. The Board of Directors should ask for a one-page executive summary of the cybersecurity test results.
- Risk management documentation maintained by the organization’s management. This should document the plan for addressing risks and the anticipated residual risk so that the Board can review and approve.
- Cyber insurance policy and summary of coverage – Cyber insurance coverage should be selected based on the anticipated residual risk, to ensure that appropriate risks are transferred. Coverage should be aligned with the Board’s stated risk appetite.
- Third-party service provider oversight – This report should summarize the list of third-party providers with access to sensitive data or IT resources, and the results of the vetting process (a simple letter grade or other indicator of cyber risk rating would be sufficient, along with the date of most recent review). For more information on vendor vetting, read our blog on vendor vetting.
- Cybersecurity incidents and response report. The Board should receive a report of all cybersecurity incidents at least annually, and incidents above a certain severity threshold should be reported to the board immediately.
- Information Security Program, along with recommendations for changes. These recommendations should be produced by the management team and/or a qualified third party.
Today’s Board of Directors should be actively engaged in determining whether the current cyber risk management practices are in line with the Board’s risk appetite. This is especially important because the cyber threat model has changed dramatically during the past year due to increased use of cloud services and increasing attacker sophistication. Moreover, the regulatory landscape is evolving quickly and the risk of unintentional violation of law/regulation has increased.
Make sure your Board of Directors has the information you need to make effective, informed decisions. If you need assistance producing any of the reports in this list, or guidance on a cybersecurity oversight program, contact LMG’s team of experienced cybersecurity professionals today.