Boards are responsible for ensuring that the company has established risk management programs appropriate for the material risks facing the company and for overseeing how company management implements those programs. Boards have recognized their responsibility for overseeing the management of credit risk, liquidity risk, and operational risk. Addressing cybersecurity risks should be included as one of those responsibilities. Boards that ignore, or minimize, the importance of cybersecurity risks are not doing their job. As many IT professionals advise, it’s not a matter of “if” a company will face a cybersecurity breach, but “when.”

There has been a 20.5% increase in data breaches this year compared to last year according to a recent report from the Identity Theft Resource Center. The business sector, with 33.5% of the breaches, represents approximately 60% of the compromised records. In light of the recent data breaches reported by Ebay, Target, Adobe and Wyndham, among others, corporate boards are making cyber threats a board-level issue.  Boards should evaluate their company’s cyber risks and ask:

1. What kind of data and confidential information does the company collect, store and handle? 
2. What role does IT play in the company?  What is the current state of the company’s IT (hardware and        software) infrastructure, budgeted IT spend, and existing    and planned changes?
3. Who on the board currently has primary responsibility for the oversight of IT risks?
4. What is the company’s perceived level of security risk and comprehensive security strategy?  What controls are in place to mitigate the risk?  How does   management test its resistance to attacks?  What are the company’s IT security resources?  Is the cybersecurity spend level appropriate?
5. How does the company protect sensitive data from the risk of theft?  What are the company’s internal and external data privacy policies?  What privacy policies are in place for data exchanges with third parties?
6. Has the company undertaken a cybersecurity assessment?  When?  What were the results? 
7. Is the company providing training to its employees about cybersecurity? 
8. Does the company have a cyber-incident response plan?  What are the technical protocols?  Does the company have a cybersecurity back-up plan? 
9. Who within the company is responsible for the company’s cybersecurity?  Does this person work with any outside cyber experts on the company’s behalf? 
10. Does the company purchase insurance to transfer the cyber risks?  Is there adequate insurance?  Does the insurance provide the type of coverage the company needs?
11. Is the company following the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (“NIST”) in February 2014?  How well does the company’s cybersecurity policies match-up to the Framework’s guidelines? 

By going through this exercise, Boards of Directors can evaluate and understand their company’s cyber liability exposure and work towards ensuring that their company is properly protected.