5 Steps to Board Buy-In for Cybersecurity Compliance
There was a time when 28 percent of organizations made no presentations to their corporate boards about security, and nearly one in three corporate boards had no involvement in cybersecurity threats.
The stats above wouldn’t be all that shocking if they were from years past. But in actuality, they are from a 2015 CIO Cybercrime Report.
In part one of this article series, we examined “What Every Board Member Needs to Know about Security.” Now, we’ll examine the board’s role in security compliance.
Step 1: Be Honest about Security’s Role
Honesty is critical. A well-briefed board must understand that no organization can stop every threat. Eliminating all risk is neither possible nor cost-effective, so the realistic goal is preparedness: a tested plan that limits damage and contains risk when an incident does occur.
Step 2: Brainstorm Risks and Benefits
Conduct a cybersecurity assessment. Brainstorm with the board to assess risks to the organization and discuss the potentially damaging outcomes of a breach, taking into account the organization’s overall business strategy and objectives. Nothing tells the board the importance of good security better than understanding the consequences of not having it in place.
A strong risk assessment identifies the threats to each asset, the vulnerabilities those threats could exploit, the likelihood that they will be exploited, and the potential impact if they are.
The risk assessment should also look at what’s in place today by asking the following questions:
Do you have advanced security technologies in place?
- Application-aware firewalls and network access control, endpoint and network DLP, mobile device management, SSO/identity federation, SIEM, advanced malware response, tools for securing public cloud workloads, multi-factor authentication, and a managed security service provider (MSSP)
- Are you ensuring confidentiality and integrity by encrypting all data with current, well-reviewed technologies: laptops, hard drives, mobile devices, email?
- Are data loss prevention controls applied to the same data: laptops, hard drives, mobile devices, email?
- How well do you understand and control the security tools, processes and procedures from your cloud service provider?
- Have you considered an end-to-end perspective on security across the cloud, mobility and various architectural layers?
What safeguards are in place to detect, but not necessarily prevent, a security breach?
- How confident is the technical team that it can identify a breach within a reasonable amount of time? Does the management team know which government agencies, federal or local, must be notified when a breach occurs?
It’s also worth brainstorming ways to showcase solid security plans as a key differentiator in the marketplace, making investors and customers comfortable that your organization is protecting their data.
Step 3: Follow the Rules and Regulations
Almost nothing is as important as understanding the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers must satisfy, together with the socio-cultural environment in which they operate (particularly for multi-national organizations). Companies found in non-compliance can face heavy fines.
A recent PricewaterhouseCoopers cybersecurity study included this chilling regulatory fact: “As regulations evolve, compliance is becoming more challenging and increasingly costly. The European Union’s Data Protection Directive, for instance, includes a proposal for fines of up to 5 percent of a company’s global revenue. This also lays the foundation for civil litigation.”
Beyond external mandates, an organization's own principles, objectives and business requirements for information processing, developed to support its operations, are a further driver for security controls, even though they are not enforced by a regulator.
Step 4: Understand the Repercussions of Cybercrime
The board must be told that cyberattacks will hurt the brand and the company’s reputation with customers, suppliers, investors and more. The backlash of a serious breach also can impact future deals, including mergers and acquisitions, investor confidence and more.
And, according to the PricewaterhouseCoopers U.S. State of Cybercrime Survey, the financial impact can be significant. It cites costly class-action lawsuits as one potential outcome, which bears directly on the board's fiduciary responsibility to preserve corporate financial value.
Step 5: Implement Safeguards
Cybersecurity insurance is an important mitigation step against financial losses for your company. In fact, even Warren Buffett is getting into the cyberinsurance arena: Berkshire Hathaway Specialty Insurance launched two new products this October. Berkshire Hathaway's Professional First Network Security & Privacy and Professional First Professional Liability and Network Security & Privacy policies cover third-party exposures resulting from data security and privacy breaches, breach expenses and extortion threats, media liability and business interruption.
The PwC study also showed that cybersecurity insurance can act as a regulatory hedge against cyber-risks. They recommend having a risk committee ask questions regarding coverage for directors’ and officers’ liability, commercial general liability, prior acts, and property and casualty insurance.
Safeguards also include preventive controls. One simple, high-value step is requiring two-factor authentication for employees, contractors and remote access, so that a stolen or guessed password alone is not enough for an attacker to get in. Safeguards equally involve knowing what to say and do if a breach occurs.
The following questions should be answered before a breach occurs, not after:
Do you know how to respond to a breach or other security incidents?
- Is there a plan?
- Has it been tested?
- Are there pre-planned responses depending on the incident and severity that will be sent to employees, shareholders, media, lawyers, customers, law enforcement and partners?
- Is a security expert firm on retainer to help with the response?
- Do you run tabletop exercises (TTX), or how else is the plan tested?
Cybersecurity risks are continuously evolving. Companies must continuously monitor for exposure to risks, regularly assess the company’s preparedness, and make any necessary adjustments to mitigate risks.