Among the tangible action items in PwC’s new publication, “Overseeing cyber risk: the board’s role” (equally instructive for the management teams that support boards), is regular reporting to the board that includes a cyber dashboard or scorecard. Such a dashboard helps the board understand and evaluate current risks, monitor trends, and track the company’s progress against specific metrics.
PwC: How your board can be effective in overseeing cyber risk
According to the report, common elements of board reporting include:
- Multi-year strategic plan and current year business plan
- Cyber security resource allocation - funding and staffing
- Periodically updated inventory of mission critical systems that need to be protected
- Dashboard or scorecard highlighting key cyber risks and metrics to address these risks
- Significant security incidents at the company
- Training and awareness program for employees
- Maturity assessment against a recognized framework (e.g., NIST)
- Third-party cyber risk management program
- Industry benchmarking against peers
- Significant legal and regulatory developments
- Incident readiness framework, including summary of the cyber insurance policy
- Lessons learned from external events in the market
Boards are advised to consider actions in four areas to facilitate effective oversight. These include integrating cybersecurity considerations into the company’s operations and into strategic decisions such as M&A, new product/service development, expansion into new markets, and new business operations, as well as reassessing the board’s oversight structure. Each suggested area of oversight is accompanied by relevant benchmarking and suggested “next step” action items.
See our recent report: “SEC Cybersecurity Rulemaking Insights” and additional resources on our Cybersecurity/Data Privacy page.
This post first appeared in the weekly Society Alert!