Does your board exercise proper oversight over cybersecurity risks? Directors and officers have fiduciary duties to protect the assets of their companies. This obligation covers digital assets, including corporate information, applications, and networks. The scope of the obligation is defined, in part, by laws and regulations that impose specific privacy and security obligations on companies.
The threats to digital assets are real, and companies are increasingly grappling with how best to manage network infiltrations, denial-of-service attacks, and other cyber-threats. In this context, a new report found that while boards are engaged in risk management, the link between cybersecurity risks and enterprise risk management remains poorly understood.
The report, How Boards & Senior Executives are Managing Cyber Risks, is based on a survey conducted by Carnegie Mellon CyLab. This is the third survey that CyLab has conducted and its findings reveal that, for many companies, boards do not have sufficient information to properly oversee the management of cybersecurity risks.
CyLab identified the following areas as specifically lacking:
- reviewing budgets, security program assessments, and top-level policies;
- assigning roles and responsibilities for privacy and security; and
- receiving regular reports on breaches and IT risks.
The report also noted that little attention is focused on risks related to vendor management and observed:
"the low response for vendor management is concerning because it indicates that the privacy and security of data at cloud and software providers and outsource vendors are receiving little oversight."
In comparing findings across industries, CyLab found that the financial sector has some of the strongest privacy and security practices in place, while energy and utilities had some of the weakest governance practices.
The report concludes with a set of recommendations to boards and senior management. These recommendations include:
- "Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility."
- "Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans."
- "Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident."
- "Require regular reports from senior management on privacy and security risks."
- "Require annual compliance audits and test incident response, breach notification, disaster recovery, and crisis communication plans."
Data breaches, and loss of user data and other sensitive information, pose significant legal and reputational risks for companies. All companies should ensure that they have the systems and policies in place to manage risks to digital assets. These systems need to be regularly evaluated and properly resourced: this requires top-level attention from senior management and the board.