In a recent survey of its members, the National Association of Corporate Directors (NACD), which provides information resources to more than 15,000 corporate directors in the U.S., found that just 11 percent of corporate directors believe their boards have a high level of understanding of the risks associated with cybersecurity.
This is alarming, given how high the stakes are for corporate exposure to cyber-risk. McKinsey & Company estimates that over the next five to seven years, $9 trillion to $21 trillion of economic-value creation worldwide depends on the robustness of corporations’ cybersecurity environments.
In an effort to help companies fight this battle, NACD published the Cyber-Risk Oversight Handbook, which identifies five principles all corporate boards should consider as they work to improve their oversight of their organization’s cybersecurity strategy:
Consider the whole enterprise. Directors should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. “Nearly a third of the outside directors we surveyed said they are dissatisfied with the quality of information that management provides regarding cybersecurity and IT risk,” said NACD CEO Ken Daly. “NACD urges boards to recognize cybersecurity as an enterprise-wide risk-management issue that should be part of every board discussion.”
Know the law. “Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances,” according to the NACD report. Many highly regarded law firms have developed specialty practice groups in this area and can provide counsel to directors on the range of legal issues in play.
Also see these related posts:
5 Things Corporate Legal Execs are Seeking in Data Security
4 Cyber Threats Confronting Law Firms and Corporate Legal
6 Key Ingredients to a Law Firm Data Security Plan
Access to expertise. Board members should have adequate access to cybersecurity expertise, suggests the NACD handbook, and discussions about cyber-risk management should be given regular time on every board meeting agenda. Third-party technology partners, such as the LexisNexis Managed Technology Solutions team, can help provide important cybersecurity strategy guidance and services.
Commit the resources. The NACD recommends that directors should set an expectation that is loud and clear: corporate management will establish a cyber-risk management framework and then allocate adequate staffing and budget to carry out the tactical work to be done. The cybersecurity battle can only be waged with sufficient resources committed to the fight.
Manage the risks. Board members should engage management in a discussion of cyber-risk factors and identify which risks to “avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach,” according to the NACD report.
The cybersecurity threat is real and substantial, but corporate directors can play an important role in effective cyber-risk management by insisting their companies follow a few guiding principles in laying out their defense plans.
* * *
If you enjoyed this post, you might also like:
Encryption for Lawyers in Plain English [#ABATECHSHOW Recap]