The recently reported cyber attacks during the ongoing UK general election period are a reminder of why board members should raise their awareness of cyber security and ensure that cyber security risk is appropriately recorded in the strategic risk register, given the threat it poses to long-term sustainability.
The scope of cyber security, which is broad, technical and constantly evolving, can be overwhelming for many board members, particularly given their relatively limited day-to-day engagement with their organisations. In view of this continuing challenge, board members should focus on the primary issues so that they can discharge their responsibilities in relation to cyber security effectively, including ensuring that strong defences are maintained.
Some of the key issues that the board should be aware of are as follows:
Enhance board focus
Putting cyber security more frequently on the board agenda is a critical element of an effective cyber security strategy as it signals that this is a key business priority for the organisation. The board should therefore support proper investment in security measures that are tailored to the needs of the organisation.
Furthermore, the board should ensure that the audit committee or other relevant committee pays sufficient attention to cyber security risk and the adequacy of the identified mitigating actions.
The board should ensure that there is specific and clear operational responsibility for cyber security in the organisation. Similarly, the board should consider whether it is appropriate for a board member to be allocated specific oversight responsibility for cyber security.
Regular review
The board should schedule a regular review of the implementation of the cyber security strategy including the adequacy of the cyber security policy.
The board should be able to have meaningful conversations with senior management about the ongoing approach to the management of the cyber security risk. The board should ensure that the cyber security risk program strengthens the organisation’s resilience to cyber attacks.
In particular, the cyber security strategy should be clear, relatable and easily understandable by all board members particularly those with a non-technical background.
The board should consider whether independent expert review of the cyber security risk program would be appropriate including the frequency of such a review.
Cyber threats
The increasingly interconnected network of systems driving the digital operations of many organisations has also widened their exposure: every additional connection is a potential route in for an attacker.
The board needs to have a good understanding of the threat landscape and the cyber threats facing the organisation and what the impact could be. The board needs to be aware and kept abreast of current and emerging vulnerabilities (security gaps) in the organisation’s digital landscape.
Strategic implications
Due consideration of the cyber security implications should be integrated into discussions about strategic options, new products and services and any other major new initiatives. The board should ensure that the pursuit of strategic objectives does not undermine its ambition to enhance cyber security resilience.
Critical information assets
The board should ensure that the organisation's information assets have been classified according to their sensitivity and their value to the strategic objectives, and protected accordingly. In other words, the most valuable information assets should be given the highest priority in terms of cyber security.
Security controls
The board should be mindful that the cyber security risk program is appropriately balanced with proactive and reactive measures. The proactive design of strong defences into the organisation’s ways of working should not downplay the need for similar robust arrangements to detect and respond swiftly to any possible cyber attacks.
The board should be reassured that the defences are multi-layered and tailored to the profile of the relevant risks.
Incident response plan
The board should recognise that cyber security incidents are likely to happen irrespective of the robustness of its risk management program, given the dynamic nature of cyber security. Consequently, it is critical that a planned response to such incidents is in place in order to strengthen organisational resilience.
The board should ensure that the incident response plan is appropriate and sufficiently comprehensive including specifying key responsibilities, sequence of necessary steps, key elements of the response and the breach escalation approach.
The board should also be aware of the outcomes of periodic testing of the incident response plan and of the subsequent improvements made to address the weaknesses identified.
Culture
The board should recognise the importance of a positive culture of cyber security awareness as a critical defence against cyber attacks. The board should not underestimate the significance of human and cultural factors in fostering strong defences.
Regular training
The board should ensure that there is ongoing training for staff in order to ensure that they have a good working knowledge and understanding of the key security controls and processes relevant to their respective roles to protect the organisation from cyber threats. Importantly, the board should seek ongoing assurance that staff are aware of their specific responsibilities in relation to cyber security.
Cyber insurance
The board should consider cyber insurance to mitigate the direct losses arising from a cyber attack. The board should be aware that the cost of such insurance will be informed by the perceived robustness of its cyber security risk program.
Supply chain partners
The board should be aware of the cyber security risk arising from third-party suppliers and partners in the increasingly interconnected world and ensure that robust protections are in place to address the likely vulnerabilities.
Capability and capacity
Although senior management is responsible for implementing the cyber security risk program, the board needs to obtain assurance that the organisation has adequate capability, capacity and sufficient resources to address cyber security threats and to deliver the cyber security strategy, including the ability to respond quickly to the loss of relevant specialist staff.
The board should assess whether its succession planning should also consider the competency of the board in relation to cyber security and whether additional cyber security expertise is required.
Benchmarking
The board should ensure that the organisation’s approach to cyber security is consistent with good practice in accordance with any relevant benchmarks or frameworks. In addition, the board should ensure that lessons learned from publicly reported cyber breaches are embedded in the risk program.
In conclusion, as cyber security risk is dynamic, the board should ensure that the organisation is responsive to emerging and changing risks.