Diligent recently took the opportunity to outline key steps to help firms’ boards prepare for cyber risks and regulations.
With cybersecurity increasingly at the forefront of business operations, it can no longer be left for periodic meetings of the full board.
It now merits committee attention throughout the year, on par with finance, compensation, and audit. “Taking cyber and putting it in a dedicated location with focus is really important,” Atkins said. Among Fortune 500 companies, 12% have a tech committee, reflecting this trend.
Strategies for board cyber expertise
Boards need to fully understand the complex terrain of cybersecurity standards and the new SEC rule on cybersecurity disclosures. “We can only expect a lot more scrutiny. So, it’s going to be important that you’re actually doing cyber briefings to the board and that you’re engaging in this,” Atkins emphasised. Adding at least two cyber-certified board members and making IT and InfoSec leadership part of the board can be crucial steps. Venables encouraged leaders to treat this as a “first-class business risk” and not be intimidated by technological complexities.
Training opportunities for board members and executives
Board members and executives wishing to enhance their cybersecurity knowledge can also enroll in the Diligent Cyber Risk & Strategy Certification course. This course utilises interactive eLearning content and tabletop exercises to help improve oversight of enterprise-wide cyber risks.
Engagement with internal security teams
Active engagement with internal security teams, including the CISO and IT team, is crucial for comprehensive oversight. Both Stafford and Venables stressed the importance of board members deepening their understanding of risk and security and engaging actively, much like they would for other critical risks.
Risk assessment and readiness evaluation
Boards should regularly assess how strong, how resilient, and how exposed their security posture is. Tools like red and purple team exercises can help with these assessments. Mandia advised taking a close look at business resilience as well, including the ability to operate manually in case of a cyber breach.
Inclusion of supply chain in risk oversight
The integration of mergers, acquisitions, and the supply chain into risk oversight is essential. About 40% of breaches come through the supply chain, noted Atkins, making it one of the most vulnerable areas. This also extends to small company acquisitions that may lack sufficient cyber protection.
Ensuring cyber basics
Effective cyber oversight also entails examining the company’s practices and processes, including employee training, timely administration, and the use of cutting-edge tools. “Staying ahead of things really comes down to you as a board member knowing the right questions to ask,” Stafford explained.
Engaging third-party support
Finally, boards should consider engaging third-party cyber firms for additional support. Regular evaluation of these external resources is vital. Stafford advised on this aspect while Atkins warned, “Do not abdicate your decision-making to the outside experts. You’re there as a director. It’s up to you to make the business judgment and make that call.”
Copyright © 2023 RegTech Analyst