Ebay. Wyndham. Target. Adobe. You’ve read the news about major companies being compromised by hackers and viruses. Is your company ready for the cyberattack that is undoubtedly coming?
It helps matters to elevate cyberthreats to a board-level issue. Sound a little “in the weeds” for a board meeting? Not at all. Consider how few companies can afford to be cavalier about a cyberattack's ability to erode shareholder value rapidly and dramatically. Loss of customer confidence, direct remediation costs, third party loss liability, government fines and penalties, theft of critical company intellectual property and more are all on the table.
Before I go further, let me clarify that I’m not suggesting that all boards of directors should include someone who is a cyberexpert. I am suggesting that boards implement and document a reasonable process designed to surface a company's particular cyber vulnerabilities. Boards can then ensure that management is taking a systematic approach to addressing these vulnerabilities.
As encouragement, consider the Security and Exchange Commission's (SEC) position on this topic by recalling its October 2011 publication of cyber liability disclosure guidance. This guidance specifically asked companies to consider whether they need to disclose information about potential cyber liability exposure. In addition, since 2009, the SEC has mandated disclosure concerning the board's role in the oversight of enterprise risk management. There can be no doubt that enterprise risk management has to address cyberthreats.
Below are some questions to use as a starting point for a board's oversight of the cyberthreat portion of a company's enterprise risk management program.
A. What kind of data do we collect, store or handle? Do we need all of it? Old credit card numbers and other out-of-date data should be purged in accordance with an appropriate document retention policy.
B. When was the last time the company had an independent party conduct a cybersecurity assessment? When is the next scheduled time?
C. What type of training are we giving the company's employees on this topic? For example, an employee could inadvertently compromise his or her company's internal network if untrained on matters like password management and public Wi-Fi use. Especially pernicious are hackers who use social engineering to breach a company's gates. Special training on this last point is warranted.
D. When is the last time we tested our incident response plan? When will be the next time? This response plan should include the company's technical protocols and backup plans. It should also include a communication plan for employees, clients and the press.
E. Who at the company is ultimately responsible for the company's cybersecurity? Can this person (or committee) access the company's board of directors? And is the person speaking with the board able to communicate complex topics accurately, patiently and effectively?
F. Do we buy insurance to transfer cyber risk away from the company? What metrics are being used when determining limits? Are we working with an insurance broker who has specialized expertise when it comes to cyber liability (and errors and omissions) insurance? Does the broker have enough direct and current experience to be on top of this rapidly evolving insurance market?
The goal of this exercise is two-fold: (a) actually understanding a company's cyber liability exposure and (b) setting the stage for any needed improvements. This process will allow a board to understand—and where necessary challenge—the steps the company has taken and deliberately declined to take. Without such a process, the board has no ability to oversee this element of enterprise risk management and ensure that resources are being directed appropriately.