📋 Principles of Cyber risk oversight – Board role 📌

Cybersecurity is a significant enterprise-wide strategy and risk issue that affects virtually all levels of an organization’s operating activities.

Several characteristics combine to make the nature of the threat especially formidable: its complexity and speed of evolution; the potential for significant financial, competitive, and reputational damage; and the fact that total protection is an unrealistic objective.

A company’s board plays an important oversight role and is well-positioned to guide management in the development of an effective cybersecurity risk program.

📌 Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

📌 Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances

📌 Board should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas

 📌 Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing & budget

📌 Board-management discussions about cyber risk should include which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach

Key actions boards can take as they oversee security risk:

•  Set the tone that cybersecurity is a critical business issue; the time and effort the board spends on cybersecurity signifies if it is a priority for the company.
• Confirm that the company’s new technology and business arrangements are designed with security in mind from the beginning by embracing a “Trust by Design” philosophy.
• Understand the company’s value at risk in euro terms.
• Understand the company’s processes to identify, assess and manage third-party and supply chain risks.
• Make sure the cybersecurity risk management program is independently and appropriately assessed by a third party and the third party should report back to the board.
• Have comprehensive knowledge of the company’s ability to respond and recover, which should include simulations and arranging protocols with third-party specialists before a crisis hits.
• Have a thorough understanding of the cybersecurity incident and breach escalation process and protocols within the organization, including when the board should be notified.
• Stay attuned to evolving board and committee cybersecurity oversight practices and disclosures, including asking management for a review of the company’s cybersecurity disclosures over the last two to three years with peer benchmarking.

If you need Board & C-level support and coaching on Cybersecurity or for any other questions on risk management, IT security & IT governance, contact us at: contact@digisoter.com or +32 2 318.12.71 www.digisoter.com