Cyber Governance Questions BODs Should Consider
In an era of continuous compromise, businesses face a growing threat from malicious actors who target and successfully penetrate their defenses at an alarming rate. Cyber security touches nearly every aspect of business: it affects a company's opportunities for expansion, its customers and its markets, and it is vital to most strategic plans.
Unfortunately, cyber security concerns are not always communicated in a meaningful way. Information technology risk often gets "lost in translation" because it is presented in a technical dialect rather than in a business context.
Here are basic questions directors should be asking when reviewing their company’s cyber security framework:
- What part of the Board should handle examination of cyber security risks? Should it be the whole Board? Should this responsibility be assigned to the Audit Committee? The Risk Committee? Should the Board create a “Cyber Committee” to exclusively deal with these issues? Should additional Board members be recruited who have specific cyber security experience?
- How often should the Board receive cyber security briefings? In a world where breaches are reported daily, are quarterly briefings enough? Should the Board be briefed monthly, or even more frequently, given the Company's industry (for example, a technology or IP-heavy company)?
- Given the sheer complexity and magnitude of many cyber security issues, should the Board hire its own "cyber advisers" to consult on cyber security issues and to be available to ask questions of the Company's senior management, CTOs and CIOs?
- What are the greatest threats and risks to the Company's highest-value cyber assets? Does the Company's allocation of people and budget line up with protecting those high-value assets?
- What is the Company’s volume of cyber incidents on a weekly and monthly basis? What is the time taken and cost to respond to those incidents?
- What would the worst-case scenario cost the Company in lost business, both from the downtime of attacked systems that must be restored and from the harm to the Company's reputation as a result of the attack?
- What is the Company's specific cyber incident plan, and how will it respond to customers, clients, vendors, regulators, law enforcement and shareholders? Does the Company have a crisis management plan for all of these constituencies as well as for the media, both print and electronic, including high-activity bloggers? Finally, has the cyber incident plan been tested (or "war-gamed") so that it is ready to be put into effect on a moment's notice?
- What cyber security training does the Company give its employees?
- What sort of “cyber due-diligence” does the company perform with respect to its third-party service providers and vendors?
- In the mergers and acquisitions context, what level of cyber due-diligence is performed as part of the evaluation of any acquisition?
- Has the Company performed an analysis of the “cyber-robustness” of the Company’s products and services to analyze potential vulnerabilities that could be exploited by hackers?
- Finally, should the Company consider adopting, in whole or in part, the NIST Cybersecurity Framework as a way of demonstrating affirmative steps to protect the Company's IP assets?
Tom's passion is leveraging technology to make the world a safer place. Focusing on the intersection of public safety, technology and information, Tom uses his insights and his ability to dig into where actual customer benefits lie to approach the rapidly changing technology landscape. In an evolving marketplace, his focus is always on what any technology actually provides the business. His strengths include his ability to relate to senior management and serve as a critical resource. Evidenced by his commitment to excellence and zeal for security and safety technology, Tom has earned a reputation as a sophisticated and ethical client advocate and effective sales executive. His passion is further illustrated by his involvement with the North Texas Crime Commission (Cybercrime Committee Secretary), ASIS (Technology Chairman) and InfraGard. Tom is a graduate of the FBI, Plano Police, DPS and District Attorney Prosecutor Citizen Academies and is a member of Plano's CERT.