Board Oversight of Cyber Risk
Board oversight of cyber risk continues to grow in importance. With such a large part of today’s market value concentrated in digital assets, a cyberattack is one of the greatest dangers facing a company today. The average cost of a data breach today is $3.9 million inclusive of legal fees, fines, lost productivity, crisis response efforts, remediation, and so on. However, these hard costs are only one part of the cyber risk equation. The loss of intellectual property, competitive insights, or consumer trust can often be the greatest source of long-term damage in the wake of a data breach.
Cyber risk oversight, with its technical concepts and vocabulary, can feel foreign to directors. At an average age of 63, the vast majority of today’s board members didn’t encounter cyber risk during the course of their careers, at least not at the level at which today’s organizations must operate. However, directors must recognize the similarities between cyber risk and the other types of risk oversight they have long managed. Each member of the board is ultimately responsible for getting up to speed and acquiring the language necessary to ask the right questions.
How Your Board Can Better Oversee Cyber Risk
Prioritize protection around the company’s greatest assets: As with any form of risk management, it’s a game of prioritization. You can’t protect everything equally, and it’s the board’s job to ensure management has concentrated the strongest cybersecurity protections around the company’s most valuable assets. Every board should start with an inventory of the company’s digital assets and third-party relationships. The guiding question for the board should be: “What’s the worst thing this company could lose?” Knowing what data and relationships exist is an indisputable first step. The board can’t protect what it doesn’t know about.
Don’t overlook the human factor: The “human factor” is all too often overlooked in board discussions of cyber risk. Consider the fact that 91% of successful hacks originate from phishing emails (i.e., fraudulent emails designed to extract valuable information from employees). Today’s boards should press management to explain what the company is doing to teach employees about the most common cyber risks and how to report them. Although difficult to measure, a cyber awareness training program is often one of the most impactful things the board and management team can implement on the road to cyber resilience.
Prepare for the worst with an incident response plan: The loss of proprietary data or sensitive customer information would be debilitating for any company. However, it’s the damage to an organization’s brand, reputation, or consumer trust that can have the greater long-term negative effects. Boards should consider these four elements of a cyber breach response plan.
Managing Cyber Risk Challenges
How should boards be managing cyber risk challenges? They should be following these guidelines for secure communication:
Eliminate email communications: Given the sensitive information they often possess, board members and C-Suite executives are among the most attractive targets for hackers and other cybercriminals. For this reason, today’s board members should be using a secure, encrypted messaging platform for all communications. This platform should be as seamless to use as text messaging but also capable of sharing sensitive files.
Secure the collaboration process: The flow of information at today’s organizations is hardly linear, and the same goes for the board. How is your board sharing sensitive documents, whether internally or externally with consultants or trusted third parties? Today’s boards must have access to secure tools that support the way they collaborate.