With the goal of providing corporate directors with guidelines to improve their cybersecurity oversight, American International Group (AIG), the National Association of Corporate Directors (NACD), and the Internet Security Alliance (ISA) have released the latest issue in NACD's Director's Handbook Series, Cyber-Risk Oversight.

The handbook addresses five key steps that corporate boards must consider when assessing cyber risk at their organizations: board composition, liability implications, disclosure issues, access to expertise, and risk-appetite calibration.

"Recent breaches in both the public and private sectors have put the issue of cybersecurity on every board's agenda," said Larry Clinton, ISA's president and CEO. "This handbook is a natural extension of ISA's mission to create private sector standards and practices that integrate both the technological and economic aspects of cybersecurity." 

Adds Mark Camillo, head of cyber products for the Americas Region for AIG: "The complexity of cyber threats has grown dramatically over the past decade. As the intricacy of attacks increases, so does the risk they pose to corporations. Conscientious and comprehensive oversight at the board level is essential." 

Read on for a look at the five steps corporate boards must consider when assessing their organization's risks, according to the Cyber-Risk Oversight guide. To download the guide in full, go here.

Step 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. 

Cyber risks should be evaluated in the same way an organization assesses physical security of its human and physical assets and the risks associated with their potential compromise. In other words, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective—not just handed off to IT, a department that in most organizations is strapped for resources and budget authority. 

What's more, some of the highest-profile data breaches to date have had little to do with traditional hacking, the Cyber-Risk Oversight guide points out. For example, spearphishing—a common e-mail attack strategy that targets specific individuals—is a leading cause of system penetration. Product launches or production strategies that use long, international supply chains can magnify cyber risk. Similarly, mergers and acquisitions requiring the integration of complicated systems, often on accelerated timelines and without sufficient due diligence, can increase cyber risk. 

Directors should engage management in a discussion of the following questions on a regular basis:

  • What are our company's most critical data assets?
  • Where do they reside? Are they located on one or multiple systems? 
  • How are they accessed? Who has permission to access them?

Step 2: Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.  

Although the corporate liability with respect to cyber attacks is evolving, boards should be mindful of the legal risks posed to the corporation, and potentially to directors on an individual or collective basis, according to the Cyber-Risk Oversight guide. For example, high-profile attacks may spawn lawsuits, including shareholder derivative suits alleging that the organization's board of directors neglected its fiduciary duty by failing to take sufficient steps to confirm the adequacy of the company's protections against breaches of customer data and their consequences. 

Particular areas of consideration for directors include maintaining records of boardroom discussions related to cyber risks, and determining what to disclose in the event an incident occurs. Board minutes should reflect that cybersecurity was present on the agenda at meetings of the full board and/or of key board committees, depending on the allocation of oversight responsibilities.

Step 3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.  

While "IT risk" is a broad term that encompasses many different types of risk, director confidence about their boards' understanding of cyber risk is low. As a result, some companies are considering whether to add cyber and/or IT security expertise directly to the board via the recruitment of new directors. 

Nominating and governance committees must balance many factors in filling board vacancies, including the need for industry expertise, financial knowledge, global experience, or other desired skillsets, depending on the company's strategic needs and circumstances. Whether or not they choose to add a board member with specific expertise in the cyber arena, directors can take advantage of other ways to bring knowledgeable perspectives on cybersecurity matters into the boardroom, including:  

  • Scheduling "deep dive" briefings from third-party experts, including specialist cyber-security firms, government agencies, industry associations, etc.;
  • Leveraging the board's existing independent advisors, such as external auditors and outside counsel, who will have a multi-client and industry-wide perspective on cyber-risk trends; and
  • Participating in relevant director education programs, whether provided in-house or externally.

Step 4: Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework.  

Directors should seek assurances that management is taking an appropriate enterprise-wide approach to cybersecurity.  

The steps to an integrated approach for managing cyber risk:

  • Establish ownership of the problem on a cross-departmental basis. A senior manager with cross-departmental authority, such as the chief financial officer, chief risk officer, or chief operating officer (not the chief information officer), should lead the team.
  • Appoint a cross-organization cyber-risk management team. All substantial stakeholder departments must be represented, including business unit leaders, legal, internal audit and compliance, finance, HR, IT, and risk management.
  • Meet regularly and develop reports to the board. Executives should be expected to track and report metrics that quantify the business impact of cyber-threat risk management efforts. Internal audits to evaluate cyber-threat risk management effectiveness should be conducted as part of quarterly reviews.
  • Develop and adopt an organization-wide cyber-risk management plan and internal communications strategy across all departments and business units. While cybersecurity obviously has a substantial IT component, all stakeholders need to be involved in developing the corporate plan and should feel "bought in" to it. 
  • Develop and adopt a total cyber-risk budget of sufficient resources. Cybersecurity is more than IT security, so the budget for cybersecurity should not be tied exclusively to one department.

Step 5: Board-management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.  

Total cybersecurity, the Cyber-Risk Oversight guide points out, has become an unrealistic goal: All are at risk. As with other areas of risk, a company's cyber-risk tolerance must be consistent with its strategy and, in turn, its resource allocation. As such, directors and management teams will need to grapple with questions including:

  • What data, and how much data, are we willing to lose or have compromised? 
  • How should our cyber-risk mitigation investments be allocated among basic and advanced defenses?
  • What options are available to assist us in transferring certain cyber risks? And …
  • How should we assess the impact of cyber events?

To download the Cyber-Risk Oversight guide in full, go here.


Shawn Moynihan

Shawn Moynihan is Editor-in-Chief of National Underwriter Property & Casualty. A St. John’s University alum, Moynihan has earned 11 Jesse H. Neal Awards, the Pulitzers of the business press; seven Azbee Awards, from the American Society of Business Press Editors; two Folio Awards; and a SABEW award, from the Society of American Business Editors & Writers. Prior to joining ALM, he served as Managing Editor/Online Editor of journalism institution Editor & Publisher, the trade bible of the newspaper industry. Moynihan also has held editorial positions with AOL, Metro New York, and Newhouse Newspapers. He can be reached at [email protected].