5 Ways Boards Could Tackle Cybersecurity
Putting Cyber-Speak Into a Language Directors Understand
A new handbook from the National Association of Corporate Directors, titled Cyber-Risk Oversight, offers five principles to guide boards of directors in helping their organizations address IT security threats.
The NACD announced on July 29 the availability of the handbook, which was developed in collaboration with the Internet Security Alliance, a trade group, and insurer American International Group.
"As the intricacy of attacks increases, so does the risk they pose to corporations," says Mark Camillo, AIG's head of cyber products for the Americas region. "Conscientious and comprehensive oversight of cyber-risk at the board level is essential."
The handbook focuses on board-level cybersecurity oversight and is organized around five key principles:
- Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprisewide, cyber-risk management framework with adequate staffing and budget.
- Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.
Connecting the Dots
"What we're trying to do here today is connect the dots between the operational issues that have dominated the cybersecurity discussion and the strategic issues, which are actually things businesses are focused on," says Internet Security Alliance President Larry Clinton, the report's author.
Board members and cybersecurity professionals don't necessarily speak the same language when it comes to IT security. "Most business leaders do not spend a lot of time talking about ISO standards and the NIST framework," Clinton says. "They talk about things like profitability, growth, innovation, product development, price-to-earnings ratios. This publication, perhaps for the first time, attempts to put cybersecurity squarely within that business context."
AIG's Camillo says the handbook could help insurers sell more cyber-insurance policies. "When you look at the different types of surveys that have come out [of] directors and officers, half are not looking at solutions for cyber-insurance," he says. "We hope by promoting the handbook, we can change that because the insurance industry has been particularly innovative when you look at the types of solutions that have been introduced just recently."
NACD Chief Executive Ken Daly says the handbook doesn't advocate specific insurance policies but urges boards to adopt a risk-management approach that could include addressing some cyber-risks with insurance.