Seven Cybersecurity Questions Bank Boards Need to Ask
Recent cyberattacks against several big businesses show that a wide variety of industries are engaged in a nearly nonstop battle against hackers who seek to steal intellectual property, data and funds. All of us should be sobered by the fact that the personal information of nearly half of all American adults has been exposed in the last year or so, according to a recent report from CNNMoney and the Ponemon Institute.
The financial services industry is already focused on cybersecurity. But continued and growing vigilance is necessary to protect sensitive data and systems.
Against this backdrop, corporate board members are increasingly required to play an active role in ensuring that cybersecurity is a priority of top company managers. While there are numerous questions that board members should ask of senior management, here are seven particularly pertinent ones.
What is your management team's familiarity with cybersecurity?
The board should make sure that sufficient expertise exists within the company to effectively assess cyber risk and establish that the chief executive is knowledgeable enough to understand the cyber risk level that he or she is accepting on behalf of the company's shareholders. In addition, the board should inquire whether other key personnel, including business line heads, product and channel managers, risk officers, audit personnel, information technology managers and the general counsel are equipped to gauge cyber risks and understand relevant legal requirements.
Have the company's data "crown jewels" been identified and are they properly protected?
If management does not know what data is critical to the organization's ability to function, where those assets are located or how they are accessed, it is unlikely that the company can figure out what data to protect and how to protect it. To paraphrase Sun Tzu, prior to understanding the intentions and capabilities of your enemies, you must first "know yourself."
Can the management team articulate its cyber risks and explain its approach and response to such risk?
Management should periodically explain to the board its assessment of cybersecurity risks and articulate its plan to address them by choosing to accept, avoid, mitigate, or transfer such risks. Boards would do well to have at least one member capable of assessing both cyber risks and the appropriateness of the company's defenses and planned responses.
Full appreciation of cyber risk includes understanding how cybersecurity and physical security may intersect. A company's chief information security officer and chief security officer should work together, along with other corporate leaders, to assess risk holistically. The integration of cyber and physical security will become even more significant with the rapid growth of Internet of Things devices that communicate with each other and the Internet via wireless connections.
Has management assigned clear roles and responsibilities for identifying, evaluating, monitoring, and responding to cybersecurity incidents?
Without knowing who is supposed to do what and when, it is unlikely that an organization will effectively manage a crisis. Board members and management should organize informal exercises that allow them to analyze policies and procedures in a range of cyber scenarios in order to clarify roles and stress-test response and recovery plans.
What are the company's crisis communications plans in the event of a cyberattack?
An inept communications response to a data breach can be more damaging to a company than the breach itself. Company leadership should have a detailed plan in place about how information will be released in the event of a cyberattack or attempted attack. Management should also keep in mind that a one-size-fits-all communications plan may not work for all the parties who need to be informed in the event of an attack, including regulators, investigators, customers and shareholders. More tailored but cohesive and coordinated communications plans for each of these audiences may be needed.
Is your company properly managing third-party vendors?
Third-party vendors present unique risks to an organization. They often provide portals into a company's technology platforms that attackers may exploit. Management needs to have procedures and capabilities in place to assess the cyber risks presented by third-party vendors and service providers. As companies ask these questions of themselves, they should ensure that their vendors meet the same standards.
Are your company and its vendors members of an information sharing and analysis center, such as the Financial Services Information Sharing and Analysis Center?
If a hack occurs, management will face questions about the steps the company took to avoid a breach and respond to it as quickly and effectively as possible. ISACs and similar organizations provide companies with an opportunity to gain more awareness of the changing threat environment and steps that might be taken to reduce risk.
High-profile data breaches, system intrusions and disruptions at several large businesses are just the most recent in a decades-long series of attacks by cyber criminals and other actors with hostile intent. Hackers' efforts are increasing in frequency and sophistication, and cybersecurity now needs to be on the radar screen of every board member.
Not only does almost every company possess sensitive information, companies in the aggregate also constitute networks that expose additional vulnerabilities and proprietary information that must be protected. This will only happen if management and board members make cybersecurity a top priority.
Former Minnesota governor Tim Pawlenty is the chief executive of the Financial Services Roundtable. Frank J. Cilluffo is the director of the cybersecurity initiative at George Washington University.