Among the other tangible action items suggested in PwC’s “Overseeing cyber risk: the board’s role” is regular reporting by management to the board. The report recommends supporting this with an annual cyber calendar (p9), consistent with the annual board and committee calendars that corporate secretaries typically develop to organize other required activities, and with a cyber dashboard or scorecard (illustrated here on p6) to help the board understand and evaluate current risks, monitor trends, and track the company’s progress against specific metrics.
According to the report, common elements of board reporting include:
- Multi-year strategic plan and current year business plan
- Cybersecurity resource allocation — funding and staffing
- Periodically updated inventory of mission critical systems that need to be protected
- Summary of key cyber risks impacting the company
- Dashboard or scorecard highlighting key cyber risks and metrics to address these risks
- Significant security incidents at the company
- Training and awareness program for employees
- Maturity assessment against a recognized framework (e.g., NIST)
- Third-party cyber risk management program
- Industry benchmarking against peers
- Significant legal and regulatory developments
- Incident readiness framework, including summary of the cyber insurance policy
- Lessons learned from external events in the market
Boards are advised to consider actions in four areas to facilitate effective oversight, including integrating cybersecurity considerations into the company’s strategic decision making and corporate culture, and reevaluating the board’s oversight structure. Each suggested area of oversight is accompanied by relevant benchmarking and suggested “next step” action items.
See also “The Cyber Savvy Boardroom” and additional resources on our Cybersecurity/Data Privacy page.
This post first appeared in the weekly Society Alert!