SpearTip | February 20th, 2019

Cybercrime has quickly become the single greatest threat to most businesses, with damages projected to top $6 trillion by 2021, just three short years away. Directors need to prioritize cybersecurity and make it a substantive topic in every Board conversation. The following questions are essential for Directors of all organizations, large and small, to better understand the cybersecurity landscape.

Should cybersecurity require full Board oversight, considering it is truly a business issue?

At SpearTip, our answer is always a resounding “yes.” In practice, however, the issue comes down to your Board’s structure and its comfort level with evaluating cybersecurity and all it entails. Should the entire Board choose not to oversee cyber risk, then at least ensure the committee responsible delivers regular, comprehensive reports to the whole Board at every opportunity. Additionally, the audit committee of most Boards is already overloaded. Consider creating a new committee dedicated to cyber risk, composed of the Members with the most relevant experience.

Who should be a part of the cybersecurity discussion?

Getting the right information begins with getting the right people in the room. The CEO and CFO are givens, as are the organization’s business, technology and risk management leaders.

The CISO should play a critical role and be made to feel comfortable enough to candidly discuss shortcomings and risk factors, as well as successes and the measures currently being taken. In most organizations, the CISO is responsible only for information technology and not for operational technology (OT), which leaves a critical gap.

Whoever oversees OT also needs to be included in all discussions to ensure that cybersecurity measures cover the full organization.

How can Directors improve their cybersecurity knowledge?

The cybersecurity landscape is changing by the minute, so you should never stop expanding your knowledge base. Consider the following activities to keep from falling behind:

  1. Hold in-depth internal discussions about how cyber risk is being addressed. Topics should include the organization’s cybersecurity strategy, the types of threats you are facing now and anticipate facing in the near future, and what is being done to protect your organization’s “crown jewels.”
  2. Engage law enforcement, such as the FBI, and other cybersecurity experts to present common vulnerabilities, growing attack trends and the overall threat environment. Use this information to update and shape cyber risk management practices and procedures at all levels of your organization.
  3. Attend external programs and conferences focused on cyber risk, and connect with industry peers and professional groups, to learn best practices that can be shared across company lines.

How can our Board understand if we’re adequately prepared for a breach?

Preparedness for a cyber breach is essential if you are to survive an attack. Ask management to present your organization’s incident response and crisis management plan on a regular basis, and expect updates, upgrades and modifications with every report.

If there is no plan in place, call for management to deliver a timeline with full program development and testing deliverables. Without a plan, you are placing your entire organization, your vendors and your customers in a position of extreme and unnecessary risk.

Be sure to conduct a comprehensive pre-breach assessment to determine whether you are already breached and have yet to discover the problem.

Also, be sure to include breach notification and escalation procedures in your plan, along with Board and regulatory notification timelines, and a thorough strategy for informing stakeholders and the individuals whose information may have been compromised.

Lastly, have management participate in tabletop exercises with external technical and legal teams to provide a more thorough understanding of how management, and the organization as a whole, will respond to a cyber crisis.