Cybersecurity is a critical business issue, and one which executive leadership and boards of directors should be factoring into risk management decisions. Indeed, some regulations are now requiring companies to demonstrate that they have adequate cybersecurity oversight from their boards.
We spoke with Melissa Ventrone of Clark Hill, a NetDiligence Breach Coach® firm, about board oversight of cybersecurity and the board’s responsibilities for ensuring its effectiveness—in particular during incident response.
Why is board oversight of cybersecurity an important issue?
There continues to be a plethora of litigation from shareholders around the supposed failure of oversight and fiduciary responsibility in connection with cybersecurity issues. From a legal and reputational perspective, that is a concern for board members. In addition to preventing litigation, incident response planning with the board (along with discussions of cybersecurity threats and risks) can help everyone prepare for an incident. Familiarity with cybersecurity concerns and positions is especially helpful when it comes to high-pressure decisions like paying a ransom.
How involved can a board be in cybersecurity oversight?
Board members have an inherent interest in this topic as it impacts many layers of a business. However, the board is there to exercise oversight, and during an incident it should not be caught up in the minutiae of the response, nor should board members be directing response activities. This could slow down response time during an incident and could actually lead to greater harm. For example, if a hospital board delays the response while considering whether to pay the ransom, lives could be lost.
Instead, it is more important that boards make sure that their positions on cybersecurity risks and responses are known and understood. The implementation of policies and plans detailing how cybersecurity risks should be handled or discussions on board priorities when dealing with cybersecurity are critical to company-wide decision making. Typically, we don’t see boards getting too involved in cybersecurity. If anything, we hear complaints that there is not enough oversight from the board on these issues.
What can boards do to better educate members about cyber incident response?
The board should understand the organization’s threat posture amid the cyber threat and privacy landscape, including potential liability and financial impact. They can participate in tabletop exercises and simulations to understand the potential scenarios and what actually happens during incident response, as well as the organization’s protocols for each, including how the board gets notified. During these exercises, the board and the organization can outline the parameters for the response protocols, including whether to pay a ransom, and if so, under what parameters.
Board members should receive ongoing updates from the organization about what cybersecurity personnel are doing to identify or monitor and respond to threats and how they are making sure these measures are effective. The board should be aware not just of the threats, but of important assets and the investments being made in cybersecurity, as well as how the organization is handling third-party vendors with regard to risk management. Of particular importance, these exercises and discussions should allow the board to determine how and when they expect to be updated during an incident.
Ultimately, the goal is to distill the board’s risk management matrix in the context of a cyberattack so that people leading the incident response can execute on the board’s intent.
To learn more about Melissa Ventrone, visit the Clark Hill website.