On the heels of the SEC’s proposed rule on cybersecurity risk management, strategy, governance, and incident disclosure (which we reported on here and on which the Society commented here), Deloitte’s “A new chapter in cyber” discusses the board’s cybersecurity oversight responsibility and suggests tangible action items the board may wish to consider to bolster its oversight in a manner commensurate with the risk.
Among the key takeaways:
Board Cyber Expertise and Competence
Boards may consider any number of factors in determining whether they should add a “cyber expert director,” including their operating model, structure, culture, management expertise, and investor expectations.
Boards can tap external and internal resources and tools to become more tech-savvy, including:
- Participation in ongoing organizational cyber risk governance awareness programs and director education programs
- Board meeting presentations by internal and external cyber risk experts
- Professional association industry forums and resources
- Peer interaction/dialogue
- Reviews of incident responses at other companies
- Cyber war games and simulations
- Directors’ colleges aimed at directors and management
Active/Proactive Governance
Deloitte suggests boards be more visibly and actively engaged in cyber risk mitigation oversight to promote the proper mindset and culture within the company.
Potential action steps to bolster the board’s cyber risk governance include:
- Conducting a cyber risk assessment
- Evaluating the company’s cyber incident response plan and ensuring that the proper members of management practice the plan
- Regularly reviewing and ensuring the adequacy of cyber risk mitigation monetary and other resources
- Reviewing the company’s cyber risk policies to promote the proper culture and accountability
- Engaging a third-party review of the company’s cyber risk program
- Requesting and reviewing vendor and other third-party risk assessment reports
The article includes suggested questions for the board to consider asking management to inform its understanding of the company’s cyber risk and cyber risk management posture, with the caveat that the list of potentially relevant questions is expanding and evolving as new risks emerge.
This post first appeared in the weekly Society Alert!