What is the role of the cyber-risk committee?
Cyber-risk is an enterprise-wide risk that corporations are wisely placing on the high-priority list, now and for the long term. Such issues as mobile technology, cloud computing, social media, increasing incidences of breaches, corporate espionage and hacks that shut down operations have made cyber-risk impossible to ignore.
Perhaps what today's corporations are struggling the most with is scrambling to decide how best to handle cyber-risk. Size of corporation, IT budgets and other issues are major factors in how corporations approach cyber-risk matters. Some companies are realizing that they need a tech-savvy board director to guide them. Many other companies are realizing that even that isn't enough to help protect against cyber-attacks and manage potential data breaches.
The trend in corporate cyber-protection is more of a 'boots on the ground' approach, which includes forming a cyber-risk committee that takes the reins and responsibility for all cyber-risk matters. Rather than form a wholly new committee, some corporations delegate the responsibility to the audit committee. Cyber-risk committees play a major role in cyber-protection. It's important to note that forming a cyber-risk committee doesn't alleviate the pressure or responsibility for the board or audit committee in their roles to protect against cyber-attacks.
Defining the Cyber-Risk Committee
A cyber-risk committee may be defined as a sub-group of a board of directors that identifies, evaluates and monitors all cyber-risk management activities and determines how they align with the overall corporate risk profile.
The Role of the Cyber-Risk Committee
According to the EY Center for Board Matters, cyber-risk management requires three things:
- Clarity of the cyber-risk management program.
- Confidence in the adequacy of the program.
- Assurance in the information they receive.
Because cyber-risk is an enterprise-wide risk, it requires enterprise-wide oversight. Cyber-risk committees need to encourage the board to give cyber-security issues a high priority and to prioritize them with strong oversight as part of good governance. In addition, cyber-risk committees need to be communicating regularly with the audit committee to help them understand specific risks and who is accountable for them.
Managing a Cybersecurity Program
As cyber-risk matters began to rear their ugly heads in years past, corporations took a piecemeal approach to managing cybersecurity until they were able to figure out more comprehensive and appropriate approaches. Today's cyber-risk programs require a more mature approach.
Cyber-risk committees should be the authority on cybersecurity matters. They need to know where risks may come from and how those risks could affect the business. They also need to understand the IT assets that connect to the organization's greater network.
The evolution of cyber-risk concerns is sparking a similar evolution of concerns in the regulatory arena on national and global fronts. Cyber-risk committees need to stay abreast of new regulations. Currently, there are 12 congressional committees that have some jurisdiction over cybersecurity. The future will likely hold some new national mandates around cybersecurity.
Cyber-risk committees need to be as forward-thinking as possible. This means being continually willing to challenge the effectiveness of current cyber-risk management programs. It also means that they need to support cyber-risk initiatives as they continue to evolve. This responsibility includes such tasks as promoting a culture that's aware of risks and developing a holistic risk management strategy. The committee's efforts will have an impact on the corporate budget, so they also need to be able to strike a balance between the cost of the program and the value that it provides.
Before legal mandates become the norm, the industry will continue to attempt to regulate itself. The AICPA currently offers a voluntary program called the Cybersecurity Risk Management Framework that helps corporations to find the gaps in their programs and remediate them. This tool incorporates a concentrated set of criteria for cyber-risk committees to identify how adequate their processes and internal controls are.
Data breaches require a rapid response where the board and managers will need to respond within hours. Cyber-risk committees should be able to report to the board on how they intend to stage rehearsals for data breach responses, including tabletop exercises. Their reports to the board should include when they or the IT teams conducted breach rehearsals, what they learned from them, and make recommendations for what to change moving forward.
In addition to working with the board, cyber-risk committees will need to review management's response plans, so they know who is responsible for making decisions after a breach and what actions the corporation needs to take. Possible actions may include:
- How and when to make a public announcement.
- How and when to notify customers.
- When or if to notify law enforcement.
- Bringing in a forensic group and who they would report to.
- Making an FBI report.
The pervasive nature of cyber-risk requires boards, managers and audit committees to accept some responsibility for cyber-risk.
Board and Management Duties Around Cyber-Risk
Managers should be keenly aware of the corporation's risk profile. As it relates to cyber-risk matters, management should be sure to align the cyber-risk security program to the corporation's risk profile in detail. Cyber-risk committees should also make sure that managers have the appropriate skills, resources and approaches in place to minimize the chance of a cyber incident. The cyber-risk committee, along with the board, serves as a check and balance to make sure that risk isn't out of alignment in relation to the board's strategic planning.
Cyber-risk committees should prime boards on how cyber-risks could impact the business and should be able to provide assurance that the corporation can mitigate any potential damages caused by a breach.
While cyber-risk committees may be quite familiar with related technical terms, they should be cognizant of the board's breadth of knowledge and understanding of technical jargon as they pursue providing technical training and education for the board.
Working in conjunction with the board and the General Counsel, cyber-risk committees should evaluate the D&O insurance policy to make sure that it provides the proper protection.
Cyber-risk committees should also work with the board to develop appropriate cybersecurity policies and create requirements for various roles such as the CIO, managers, board and audit committee in relation to cybersecurity matters.
Audit Committee Duties Around Cyber-Risk
When companies have audit committees and cyber-risk committees, they need to communicate regularly with one another about cybersecurity trends, regulatory developments in the industry and potential major threats. Both committees need to engage in regular conversations with technology-focused organizational leaders.
There is currently no standard or accepted corporate approach to addressing cyber-risk problems. With clear signs of new legal requirements looming in the near future, boards will need to rely on guidance from within the industry and their relationships with known and respected individuals to stay ahead of the pace of forming solid cybersecurity practices and protocols.
