Corporate Cybersecurity
Adding Cyber Security to Corporate Risk Management
Corporate boards and senior management like to focus on business. They love the numbers, the strategy and the success of a business operation. They have a passion for it, and that is why they are sitting on a board or managing a global company.
They do not like to talk as much about risks, much less plan for them. When it comes to information governance and protecting the company from hackers and cyber-intruders who can harm the company, corporate leaders inevitably turn to their information technology specialists.
This dynamic has to change. Information governance is now part of the corporate risk management fabric. If you look at all the data breach incidents, one significant omission is the failure of the company to have in place an incident response plan to escalate and minimize any damage.
Even more than an incident plan is needed these days – companies have to devote resources and attention to assessing data vulnerabilities and protecting against hackers and other intruders. At the same time, companies face serious internal risks created by BYOD policies and practices, as well as simple employee mistakes.
Cyber risks have become a fundamental focus for investors, and the SEC requires disclosures of material events relating to cyber intrusions. So far, few companies have made such disclosures.
Corporate boards have to become proactive in this area – they need to ask the tough questions.
§ Does the company have an incident response plan in place to reduce the impact of a security breach?
§ Are the key stakeholders assigned specific roles in this process?
§ Does the board have a reporting mechanism in place to monitor these occurrences and ensure that the company responds appropriately to such an incident?
It is easy to focus on the crisis management scenario without adequately investing in the up-front measures to protect against a cyber intrusion. Companies have to spend more on the proactive approach to minimize risks. This is a familiar refrain when addressing a number of risks, but when you consider the financial and reputational damage from a cyber attack, a company has to prioritize cyber risks.
Cyber security is not just an issue that should be relegated to the information technology specialists. Board members and senior managers have to become more familiar with technology issues in order to manage these risks. Reporting lines and authorities have to be made clear well in advance of a cyber attack so that the risks can be managed.
Finally, once a governance structure is put in place to address these issues, the company has to devote time and energy to test its incident responses. Companies will quickly learn some strategies that work and some that do not. Call it a cyber-fire drill, but such exercises are well worth the time and attention in order to avoid disastrous events.
In addressing cyber risks, companies often ignore the risks created by their vendors. Companies have to assess the risks that vendors create for their companies. It is too easy to ignore vendor risks and focus on internal risks. A vendor-created cyber security risk complicates risk management and a response, and usually spills into lengthy and complex litigation.