The board should ensure that cyber risk is an element of the broader risk framework and that exposures are recognised, assessed for impacts based on clearly defined metrics such as response time, cost and legal or compliance implications, and planned for to attract investment commensurate to a risk-based assessment.
Key questions for an organisation’s board of directors
Recognising and managing risk is a crucial part of the role of an organisation’s board of directors and senior management. To enable boards to do this, organisations must have an appropriate framework to identify and manage risk on an ongoing basis.
Given the magnitude and prominence of cyber risk for most organisations, informed oversight of risk involves the board being satisfied that cyber risks are adequately addressed by the risk management framework of the organisation. Important controls include ensuring the organisation has appropriate safeguards in place against malicious cyber activities, and that recovery capabilities are adequate.
Risk management framework
Given the rate of change in the cyber risk landscape, and the speed at which a business can be severely compromised (potentially within hours or days); the board should consider whether periodic reviews (that are more frequent than for other risks forming part of the risk management framework) should be adopted.
Identifying cyber risk
Different businesses will be exposed to different cyber risks and different potential consequences. It is important for the board to reflect on risks relevant to the particular business of the organisation. Without understanding the nature of the risk and its consequences it is difficult for a board to set a suitable risk tolerance for the risk and to ensure that cyber risks are adequately dealt with by the organisation’s risk management framework.
Although boards may not require general technology expertise, for many companies it may be advisable to have one or more directors who have a strategic understanding of technology and its associated risks, or who have a background in cybersecurity.
In some circumstances, the board should consider the use of external cyber experts to review and challenge the information presented by senior management.
Monitoring cyber risk
Trying to identify a cyber risk may pose particular challenges. Organisations at the forefront of good practice are using intelligence-driven solutions to deal with this challenge.
For some organisations malicious cyber activities may be devastating to the organisation’s business operations, therefore, it is important to consider what might lead to the provision of more detailed information on the risk to senior management and the board.
Controls
Despite significant advances in cybersecurity technology; products, lack of staff awareness of safe cyber practices, social engineering or negligent behaviours remain a major source of cyber issues.
Boards should satisfy themselves that there is sufficient investment in staff awareness training given its prominence as a source of risk—and because a collective effort against cyber threats will better serve an organisation.
The board should be satisfied that critical information assets of the organisation are appropriately secure. There should be transparency surrounding the location of all critical assets (including third-party partners and service providers), how they are protected and how protection is being assured.
Response
Boards should ask themselves:
- If and when a problem arises, what processes are in place for communicating effectively, internally and externally, and managing the situation?
- Has there been a sufficient level of scenario planning and testing to ensure that response plans are valid and up to date, including with third-party suppliers and dependants?
Boards may need to ensure that security and customer trust are central considerations as companies strive to deliver innovative products and services through technology.