EY's "What boards are doing today to better oversee cyber risk" summarizes inputs from more than 100 public company directors on cyber risk oversight practices.
Among the key takeaways - each of which is supported by additional information and relevant director input - are:
- The board should ensure the company's cyber risk management program is assessed by an independent third party, and that the results of that assessment are reported back to the board.
- The board should thoroughly understand and buy into the company's incident response plan, which should include the board's periodic participation (with management) in tabletop exercises, and playbooks that clearly identify the circumstances under which the board will be notified of an incident.
- The board should stay informed about cyber oversight and disclosure practices generally, as well as the company's disclosures relative to its peers.
The report includes a list of questions for the board to consider to facilitate discussion of this topic in the boardroom.
This post first appeared in the weekly Society Alert!