Boards Can't Ignore Cyber Security
The cyber tipping point has arrived. It's taken some time, but recent events confirm that cyber responsibility has officially shifted to the board of directors and top management of companies in today’s data-driven economy.
In its new cybersecurity regulation, New York State's powerful Department of Financial Services squarely put responsibility for cybersecurity on the shoulders of directors and senior officers, requiring them to approve a mandatory cybersecurity policy and certify regulatory compliance.
And earlier this year, Yahoo revealed its general counsel resigned following an internal investigation that concluded that its recent data breach "was not properly investigated and analyzed at the time, and the company was not adequately advised with respect to the [associated] legal and business risks." Yahoo's CEO agreed to forgo her annual bonus and equity grant because the breach took place during her tenure; and recently it was announced she’s leaving the company.
Without a doubt, accountability for cybersecurity has expanded way beyond the IT staff to the highest levels of corporate America. Today's directors and senior officers need to become educated as to cybersecurity risks and exercise documented and active, informed, and engaged oversight over cyber issues.
For private company directors, the stakes can be especially high, particularly in the M&A and IPO contexts, where poor cyber risk management can kill or devalue a deal, and the failure to appreciate and/or disclose material cyber-related risks can lead to claims of material misrepresentation or omission in registration statements and during road shows.
Here are some recommended first steps directors and senior officers should take to satisfy their emerging responsibilities.
Know What Questions to Ask
Consistent with their escalating cyber responsibilities, today’s directors and officers need to increase their knowledge of their entity’s cybersecurity risk profile. Hard questions need to be asked concerning cyber issues, including the identification, location and security of mission-critical and protected information, the company’s state of compliance with relevant laws and regulations, its cybersecurity programs, policies and practices, vendor management, and the potential financial impact of a security incident.
Cybersecurity should be included as an item on board meeting agendas, and serious consideration should be given to creating a formal cybersecurity committee. Since total reliance on the company’s “IT guy” or gal and general counsel for unbiased and comprehensive analysis of the company’s cyber risk profile may not be reasonable, retaining a third-party cybersecurity consultant and counsel should be considered.
Directors and officers must treat the company’s cyber risks in the same manner they treat other corporate risks. The level of risk the enterprise should mitigate, absorb, and transfer needs to be weighed. In many cases, insurance for cyber risks may be a very wise choice.
Determine Current Cybersecurity State
It’s impossible to determine if an entity is cyber ready without first understanding its current state of cybersecurity. This starts with a risk assessment, and then a gap analysis against its desired state. The desired state may be driven by regulation, industry standards, consumer expectations, corporate brand and reputation, and/or a multitude of other factors. Once it ascertains the delta between the current and desired states, the company can prioritize its remedial efforts and decide on a plan to achieve its cyber readiness goals.
Prepare an Incident Response Plan
Research confirms that companies with a current and practiced Incident Response Plan (IRP) fare much better in the wake of a cybersecurity incident than unprepared companies. Entities are urged to form a team of internal and external resources -- including legal, compliance, IT, human resources, public relations/communications, privacy, and finance -- to develop and rehearse an IRP that is well tailored to the company’s specific cyber risk profile. The plan should be regularly reviewed and updated as necessary. An appropriate IRP should be developed and rehearsed before a cyber incident occurs.
Employee Training and Awareness
Cyber incidents traceable to negligent and noncompliant employees continue to plague today’s enterprises. All employees need to be educated as to the crucial role each of them plays in protecting the company’s information assets.
In addition to providing regular, interactive and mandatory training programs, companies should develop processes to inform employees of emerging threats and schemes that pose risk to the company. Directors and officers should not exempt themselves from cybersecurity training and should prioritize a top-down culture of cybersecurity readiness.