Boards have broad duties that they owe to their company, including corporate governance and overseeing risk management.
There has been a 20.5% increase in data breaches this year compared to last year, according to a recent report from the Identity Theft Resource Center. The business sector, with 33.5% of the breaches, accounts for approximately 60% of the compromised records. In light of the recent data breaches reported by eBay, Target, Adobe and Wyndham, among others, corporate boards are making cyber threats a board-level issue. Boards should evaluate their company’s cyber risks and ask:
- What kind of data and confidential information does the company collect, store and handle?
- What role does IT play in the company? What is the current state of the company’s IT (hardware and software) infrastructure, budgeted IT spend, and existing and planned changes?
- Who on the board currently has primary responsibility for the oversight of IT risks?
- What is the company’s perceived level of security risk and comprehensive security strategy? What controls are in place to mitigate the risk? How does management test its resistance to attacks? What are the company’s IT security resources? Is the cybersecurity spend level appropriate?
- How does the company protect sensitive data from the risk of theft? What are the company’s internal and external data privacy policies? What privacy policies are in place for data exchanges with third parties?
- Has the company undertaken a cybersecurity assessment? When? What were the results?
- Is the company providing training to its employees about cybersecurity?
- Does the company have a cyber-incident response plan? What are the technical protocols? Does the company have a cybersecurity backup plan?
- Who within the company is responsible for the company’s cybersecurity? Does this person work with any outside cyber experts on the company’s behalf?
- Does the company purchase insurance to transfer the cyber risks? Is there adequate insurance? Does the insurance provide the type of coverage the company needs?
- Is the company following the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (“NIST”) in February 2014? How well do the company’s cybersecurity policies match up to the Framework’s guidelines?