PAID POST FOR NASDAQ

10 questions every board should ask in overseeing cyber risks

The consequences of a data breach can be significant. Recognizing that directors can protect themselves from liability in the event of a breach by taking an active oversight role in their company's cybersecurity preparedness, this paper, prepared by Nasdaq Corporate Solutions and Simpson Thacher, sets out to provide boards with practical advice about how to approach cybersecurity oversight, focusing on 10 key categories of questions.

Ensuring that the company is adequately managing its cyber risks can be difficult. To be better prepared — and to ensure that it is properly fulfilling its oversight role — the board should ask thoughtful questions. While there is no "one size fits all" approach, we suggest 10 categories of questions that boards of all companies should be asking members of management responsible for cybersecurity. In each case, directors should assess the responses to these questions and determine whether follow-up is required.

1. Leadership

Has the company identified a senior person with clear responsibility for organization-wide cybersecurity preparedness, who has support from the top of the organization?

As with any important management function, someone needs to have ultimate responsibility for cybersecurity. This person is often (but need not be) the Chief Information Security Officer.

2. Budget and Staffing

Has management given serious consideration to what level of budget and staffing is adequate for proper cyber risk management?

The appropriate budget and staff will depend on a variety of factors, including the industry in which the company operates.

3. Comprehensive, Written Cybersecurity Program

Has management formulated a comprehensive, written data privacy and cybersecurity program consisting of reasonable and appropriate policies and procedures?

It is essential that companies formulate a comprehensive, written data privacy and cybersecurity program that is reviewed by and distributed to all individuals who may be involved in its execution.


4. Employee Training and Education

Has management instituted effective training programs that instruct employees on the appropriate handling and protection of sensitive data?

As with other forms of employee training, cybersecurity training programs should be meaningful, consisting of more than written policies that employees are required to review and sign. The board should ask probing questions to determine whether management has been adequately conveying to employees the company's protocol, the importance of following it and the consequences of not following it.

5. Third-Party Vendors

Has management taken steps to mitigate the cybersecurity risks associated with outsourcing business functions to third parties?

According to the 2016 Soha Systems Survey on Third Party Risk Management, 63% of all data breaches were linked to a third party. This statistic underscores that even a state-of-the-art cybersecurity program can be undermined if the company's vendors, which have access to the company's network and/or sensitive data, do not have similarly robust data security policies and practices. In other words, a company's cybersecurity program is only as strong as the weakest link in its vendor chain.

6. Legal Compliance and Regulatory

Does management have an effective system in place for staying abreast of and complying with evolving federal, state and international data security laws and regulations that are applicable to its operations?

Those charged with ensuring the company's data security must be aware of any federal, state and/or international laws that require them to take measures to secure sensitive data. Relevant regulations can change with some frequency, and management must have an effective system in place to track such changes and comply with all regulations.

7. Insurance

Has management given serious consideration to purchasing cyber liability insurance?

In today's environment, management should at least give serious consideration to investing in cyber liability insurance. The board should ensure that management has explored whether it makes sense for the company to purchase cyber liability insurance and should ask questions to understand management's approach to purchasing such insurance.

8. Detection

Has management installed adequate technology not only for preventing the downloading of malicious software but also for detecting and alerting the organization to attempted breaches?

It is essential that every company have robust security monitoring tools and antivirus systems in place to detect attempted breaches. But this alone is not sufficient: an alert that nobody reviews provides no protection. Each company must also train security employees on the protocol for triaging, escalating and responding to the automated alerts generated by this technology.

9. Comprehensive, Written Breach Response Plan

Does management have a comprehensive, written breach response plan in place?

It is critical that companies be prepared to respond to a breach quickly, effectively and calmly. To that end, companies must have a comprehensive, written breach response plan in place and be clear on what events will trigger that response plan.

10. Non-Digital Information and Physical Devices

What steps does management take to safeguard sensitive non-digital information?

With all the talk about "cyber," it is important to remember that safe and secure storage of non-digital data, as well as proper destruction of documents and devices, is equally essential. To the extent possible, companies should minimize the locations in which sensitive non-digital information is stored and should ensure the safe and secure storage or destruction of this data.

Conclusion

By asking the questions outlined above – and any other questions relevant to the company's facts and circumstances – and by exercising good judgment, directors can successfully oversee the cyber risks facing the company and the company's plan to mitigate and respond to those risks.

Nasdaq Corporate Solutions' Boardvantage MeetX board portal is designed to provide public, private, and nonprofit boards and leadership teams with greater governance management throughout the organization. Built with security in mind, our easy-to-use and efficient software helps companies simplify the sharing of critical information via the web or tablet apps and makes meetings anywhere more productive.

Download the full report to learn more.

CONTACT INFORMATION:

business.nasdaq.com
corporatesolutions@nasdaq.com

This page was paid for by Nasdaq. The editorial staff of CNBC had no role in the creation of this page.