The Board of Directors And Their Role in Cybersecurity

A cybersecurity breach can have dire consequences for an enterprise. Financial losses, regulatory investigations, loss of intellectual property, reputational damage, legal expense: the list of potential costs is extensive. As a result, cybersecurity has catapulted from being absent from board agendas to the top of most boards' lists of concerns. The frequency of cyberattacks has rapidly increased, and to make matters worse, so have the associated costs. Clearly, today's directors must take their responsibility seriously when it comes to ensuring that enterprise management has implemented comprehensive cyber-risk policies and procedures, and that those policies and procedures are actually being carried out.

Given the known risks posed by these types of attacks, one would expect every board and senior management team to be proactively taking steps to address them. Unfortunately, evidence suggests that there are often gaps between the actual exposure these cyber risks pose and the steps many corporate boards are taking to address them. Cybersecurity must be a "top down" concern that permeates the entire organization, and creating that culture starts with the board. Although different companies may choose different paths to achieve a cybersecure enterprise, the ultimate goal is the same: to prepare both for the inevitable attack and for the resulting fallout and recovery.

While there may be a variety of paths to achieving cybersecurity, there are some standard practices that every board should follow when considering actionable items. Here are some of these practices:

1. Firmly accept the responsibility for cybersecurity

2. Set expectations for management and others

3. Have a full understanding of the enterprise cyber risk

4. Perform an assessment of current cybersecurity policies and procedures

5. Plan, practice, and rehearse a breach

Responsible, well-functioning boards recognize and respond to new circumstances, and the evolving cyber landscape definitely qualifies as one. Proactive and aggressive board oversight of cyber-risk management is critical to preparing for, preventing, and recovering from cyberattacks, and every board must take these responsibilities very seriously.