A recent article in the Wall Street Journal states that “Corporate boards are seeking greater insight into cyber security risks in the aftermath of the recent breach at Equifax Inc. The hacking attack on the credit-reporting firm last summer was a defining moment for directors, say technology and corporate-governance experts.
As cybercriminals damage company reputations and cause tens of millions in remediation and legal costs, some boards are increasing cyber security oversight and weighing how to delegate responsibilities among directors. Others are pushing for more meetings with corporate security chiefs.”
All of the above seems to be true, but many board members seem to be “silently” struggling with oversight, which is one of the board’s most important responsibilities.
A sound Cyber Strategy or compliance plan should be designed around the risks identified, both to deter and resolve cyber attacks and to address any possible repercussions, such as damage to the reputation of the enterprise.
Here are some key elements and things to consider when developing a Cyber Strategy, which can also be used by board members in their oversight role.
- Board level engagement.
  - Monitor the news for other cyber incidents or perceived threats.
  - Challenge management assumptions related to cyber security and the strategy.
- Management should engage the board.
  - Provide the board with highlights of worthy news around cyber.
  - Let the board know about the challenges; and most importantly,
  - Communicate successes.
- The strategy should be business driven and consider the extended enterprise.
- Ensure there is good tone from the top. Does the messaging and conduct convey the importance of good cyber hygiene?
- Have a sound and defined communication plan.
  - Internal and external communications.
- Don’t boil the ocean! Ensure a risk-based approach is used to identify threats or vulnerabilities. Some key components include…
  - What are the most valuable intellectual property and customer-based informational assets that need to be protected; and on a scale of 1-10, how do we categorize and rate these assets in terms of importance to the business that we are in?
  - Where are these assets housed (in-house, in the US, in another country, or in “the cloud”)?
  - Are all assets (despite differing values or classification) housed on the same network server, thus rendering them subject to a cyber attacker moving laterally within our network?
  - Are we conducting due diligence of our third-party or outsourced vendors to make sure they cannot be a source of a cyber attack against our firm by having too much access to our network, and that they can respond to and recover from a cyber attack against their own network?
  - Do the vendors with whom you have indemnity agreements have cyber insurance with sufficient limits of liability in place and in effect?
- Keep in mind that as technology advances, and today it does advance fast, so do the threats; it is harder than ever to protect business processes and information – so this is not a “set it and forget it” exercise.
- Understand the internal controls in place and ensure they are designed appropriately.
- Consider the human element.
- Don’t ignore physical security threats – Access!
- Training must be a process.
  - Have targeted follow-up to reinforce the learning objectives.
- Have documented incident response (investigation) and crisis management plans.
  - Walk through these plans frequently and tweak them as necessary.
- If there is an incident, and there will be one – use root cause analysis to get to the origin of the incident and remediate accordingly.
- Consider compliance and regulatory requirements.
- Have cyber and other insurance coverages reviewed by a competent professional – if you have no coverage, I strongly encourage getting some.
- At the end, your strategy or plan must be consumable and scalable – said differently, it must be operationalized or embedded throughout the entire enterprise.
I welcome your thoughts and suggestions.
I also wanted to thank Theodore M. Schaer, who is a partner and the Chairman of the Cyber Liability, Privacy and Data Security Department at Zarwin Baum Devito Kaplan Schaer Toddy P.C., located in the Philadelphia office, for his contribution to this writing.
Have a great weekend!
Jonathan T. Marks, CPA, CFF, CFE