Cyber threats are daunting. Not only are they complex and constantly evolving, they have the potential to impart significant financial and reputational damage to an organization. Plus, there’s no way to be 100% protected. That’s why cybersecurity is no longer just the responsibility of IT departments. Boards of Directors are ultimately liable and responsible for the survival of their organizations, and in today’s interconnected world, cyber resilience is a big part of that responsibility. That means that Boards must take an active role in cybersecurity.
As Boards of Directors take on the role of cybersecurity leaders within their organizations, here are some responsibilities they should consider.
Board of Directors Responsibilities
The National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight outlines five principles that all corporate boards should consider “as they seek to enhance their oversight of cyber risks.”
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. As much as we have been saying this, it’s surprising how many organizations still associate information security or cybersecurity with IT. Even though most of the reporting structures come up through the IT department, it can’t be the central focus because the impacts are organization-wide. The skill-sets needed to manage the risks and deal with issues are organization-wide. The Board needs to understand that equating cybersecurity one-to-one with IT is a mistake, and it’s been the underlying cause of many big breach events.
- Directors should understand the legal and regulatory implications of cyber risks as they relate to their company’s specific circumstances. With responsibility comes accountability. Executive management and board members are being held accountable for many high profile breaches, and in many cases losing their positions. Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions following the massive 2013 data breach. And more recently, Equifax's CEO Richard Smith resigned following a backlash over the massive hack that compromised the data of an estimated 143 million Americans.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the Board meeting agenda. It’s becoming more common to see Board members that have either a technological or security background. This expertise can really elevate a Board’s awareness. And more awareness is how we win against cybercriminals.
- Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget. The NACD handbook specifically mentions the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which was created to enable “organizations — regardless of size, degree of cybersecurity risk or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.” When you’re writing your policies or developing your program, having a framework to base them on is very helpful. There’s no need to reinvent the wheel!
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach. Effectively managing cybersecurity risk requires an understanding of the relative significance of organizational assets in order to determine the frequency with which they will be scrutinized for risk exposures. This is no small task. It takes considerable thought and effort, along with a great deal of cybersecurity expertise.
Regulatory Guidance and Requirements
More cyber-mature industries also have regulatory guidance and requirements when it comes to the cybersecurity responsibilities of the Board of Directors. Let’s take a look at the financial/banking industry. The Federal Financial Institutions Examination Council (FFIEC) publishes handbooks to guide its examiners and auditors in the field. According to these handbooks, here’s what examiners expect to find.
Board Responsibilities – The Program
The Board of Directors sets the tone and direction for an institution's use of IT. The Board should approve the IT strategic plan, information security program, and other IT-related policies. The Board or a Board committee should perform the following:
- Review and approve an IT strategic plan that aligns with the overall business strategy.
- Promote effective IT governance.
- Oversee processes for approving the institution's third-party providers.
- Oversee and receive updates on major IT projects, IT budgets, IT priorities, and overall IT performance.
- Oversee the adequacy and allocation of IT resources for funding and personnel.
- Approve policies to escalate and report significant security incidents to the Board of Directors.
- Hold management accountable for identifying, measuring, and mitigating IT risks.
- Provide for independent, comprehensive, and effective audit coverage of IT controls.
Board Responsibilities – Audit
- The Board of Directors and senior management are responsible for ensuring that the institution's system of internal controls operates effectively.
- The Board of Directors should ensure that written guidelines for conducting IT audits have been adopted.
- The Board or its audit committee is responsible for reviewing and approving audit strategies (including policies and programs), and monitoring the effectiveness of the audit function.
Board Responsibilities – Third-Party Service Providers
The financial institution's Board and senior management should establish and approve risk-based policies to govern the outsourcing process. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to the size and complexity of the institution. Factors institutions should consider include:
- Ensuring each outsourcing relationship supports the institution's overall requirements and strategic plans.
- Ensuring the institution has sufficient expertise to oversee and manage the relationship.
- Evaluating prospective providers based on the scope and criticality of outsourced services.
- Tailoring the enterprise-wide, service provider monitoring program based on initial and ongoing risk assessments of outsourced services.
- Notifying its primary regulator regarding outsourced relationships, when required by that regulator.
Connecting You to Cybersecurity Expertise
The world of cybersecurity is ever-changing and cyber-attacks continue to expand in scale and scope. It’s nearly impossible to single-handedly keep up with the evolving threat environment and cybersecurity best practices, especially when many information technology teams are juggling competing priorities with limited resources. Sage’s Cybersecurity Partnership Program provides oversight, guidance, and counsel toward meeting compliance objectives and improving the security posture throughout the organization.