How to Strengthen Your Board’s Cyber Security Posture: Part II

How can procedure enable boards to strengthen their cyber security posture to stay agile in the face of risk?

Cybersecurity is an increasing threat. Yet, putting the right procedures in place can help alleviate that burden. This begins with receiving the right information, relaying the correct tone in the boardroom and overviewing procedures for the best possible security outcomes. To read part one of this series which explores 5 essential cyber security considerations the board of directors click here.

READYING THE BOARD FOR A STRONGER CYBER SECURITY POSTURE: 

According to a Spencer Stuart survey of audit committee members,  ‘only 21% of directors agree their company has cybersecurity risk well under control’ while ‘66% of senior IT executives’ report to the board only “occasionally”.

While it is common knowledge that the board will have to superintend the fallout of a cyber-attack, there are still large instances where boards are unaware of basic but critical information. In order to better steer the board towards a stronger cyber posture, EY in their 2019 Centre for Board Matters, noted that ‘one of the most important things  a board can do is set the proper tone and align with management on the appropriate risk appetite related to cybersecurity’. It is therefore very important than between discussions of risk management and strategy boards are informed by the latest information.

 Directors need to forcibly put in place a system of reporting and training from management teams and especially those groups involved with cyber security. At a time of unprecedented technological change, managing digital risk is still a collective responsibility.

4 KEY WAYS DIRECTORS CAN IMPROVE THEIR KNOWLEDGE OF CYBERSECURITY 

  1. Discuss in depth about the company’s risk posture: PWC recommend discussing the following elements to kick of a much-needed discussion; the company’s cyber strategy, the types of cyber threats facing the company, the most important digital assets within the company, the results of the most recent risk assessment and any planned mitigation actions.
  2. Attend external programs: Attending conferences on cyber risk oversight can aid directors to learn about new developments and best practice for board members.
  3. Discuss regularly with management: While this is a no brainer, it is critical that boards interact with management on their own learnings about cyber security.
  4. Exchange regularly with third parties: PWC note that for boards to really enhance their knowledge of cybersecurity they should invite additional opinions to improve their knowledge of all things cyber. For example, external consultants can update the board with their periodic assessments of the organisation’s cyber security risk. According to an U.K. Cyber Security Breaches government survey published this year, ‘three-in five businesses (59%) have actively sought information or guidance on cyber security from outside their organisations in the past year.

 PROCEDURE AND REVIEWING MANAGEMENT’S RESPONSE PLAN

An essential activity boards need to undertake is to review management’s response plan in the event of a breach. This plan should contain information that outlines who are the key decision makers and what actions should be undertaken. 

Here are some key questions to consider to prime your board procedure:

 QUESTIONS TO SHAPE BOARD PROCEDURE

  • What are the most valuable assets within the enterprise?
  • Is there an existing enterprise-wide risk management framework in place? (The question of is it adequately staffed and budged for is also crucial in this instance)
  • What are potential vulnerabilities within the company in terms of its network? (For example, third party access).
  • How are cyber-attacks uncovered in real time?
  • What is the company’s response plan in the event of a cyber-attack? How often is the response plan tested?
  • What relationships does the company have with third parties in order to respond efficiently to a breach? How can these relationships be developed further?
  • Has the board completed a mock cyber security incident? If not consider completing one to aid cyber security procedure. This should be done regularly and encourage key stakeholders to get involved.
  • Consider creating a team within the organisation who are responsible for the rapid response to a cyber incident.

COMMUNICATION PROCEDURES

Also critical after a cyber breech is the public announcement to stakeholders. The board need to have in place a communication plan that will breakdown when and how the clients are notified as well as staff and external bodies. The board also need to oversee the plan of when the police are notified. In more serious instances it is recommended also that the board utilise a forensic digital team to review the evidence of the breech. Therefore, the board need to also determine if this team will report to management or to the board.

SECURITY, NOT COMPROMISES

One critical step for boards to take to ensure higher security protection involves securing the highly confidential information they have at their fingertips. By adopting a board portal, like DiliTrust Exec, board members can trust that their data (stored locally on servers in Europe, the Middle East and Canada), is GDRP compliant and ISO 27001 certified. To find out more information about how secure the DiliTrust Exec board portal is, please contact a member of our team today.

Read part one of this cybersecurity blog series which outlines 5 essential cyber security considerations for the Board of Directors here.