While there's certainly no shortage of cybersecurity guidance these days, this recent piece from PwC does a particularly nice job of identifying the key, big picture aspects of cybersecurity that boards should consider so as to effectively carry out their oversight responsibilities - regardless of company-specific facts and circumstances.
Here are my takeaways:
1) Due care – What does exercising due care mean in the context of cybersecurity and privacy?
- Because cybersecurity is a broad corporate risk, not just an IT risk, boards should: (i) determine who on the board is responsible for cyber risks (often it's the full board); (ii) work with management to determine what information the board needs to effectively oversee cyber risks; and (iii) consider, in conjunction with management, whether the company should adopt a cybersecurity framework such as the NIST Cybersecurity Framework.
2) Board briefings – Who should meet with the board to discuss cyber risks?
- Boards should be meeting regularly with the company's CIO, CISO, or equivalent, and should also consider meeting from time to time with outside expert advisors for additional insights.
3) Insider threats – What has the board done to mitigate insider threats?
- Boards should understand, and be comfortable with, how the company monitors for insider cyber threats.
4) Third-party risk management – How does the company ensure that the data its third parties handle, store, and transmit is reasonably protected?
- Boards should understand how the company screens, selects, and monitors third parties, and should understand the legal risks that arise from a third-party cyber breach.
5) Cyber insurance – What does it cover, and will insurers continue to cover you?
- Boards should discuss and consider procuring cyber insurance coverage, and should understand how the cyber insurance market is evolving.
6) Information sharing – Does the company share breach experience or solutions with competitors? Does it communicate with the federal government about threats and intelligence?
- Cybersecurity information-sharing among and between the public and private sectors is increasingly perceived as an important cybersecurity tool. Boards should understand what the company is doing to learn from others in the market and in the industry to bolster its own cybersecurity.
7) M&A – How does cybersecurity factor into M&A?
- Directors should understand how management is analyzing and addressing cybersecurity in potential M&A transactions, including conducting adequate cyber due diligence on targets when the company is the acquirer.
8) Incident response/breach notification – Does the company have a cyber response plan in the event of a breach? What does it entail?
- The board should ensure that the company has a cyber incident response plan, that the plan is periodically tested, and that it is regularly re-evaluated and updated.
See heaps of additional resources on our Cybersecurity topical page.