Once considered exclusively an IT responsibility, cybersecurity due diligence is a growing concern at the board level, as managers and directors are increasingly being held responsible for taking actions to mitigate cyber threats.
In fact, cybersecurity has become a significant focus in boardrooms around the world.
A recent global survey by Proofpoint, Inc. revealed that 65% of executives believe they will be the victim of a cyberattack in the coming year, and 90% of organizations have hired a Chief Information Security Officer (CISO). Shareholders expect their boards to not only hire CISOs, but also continually engage with them to establish and monitor cybersecurity programs.
Victims of cyber breaches are affirming this responsibility of the boardroom in the courtroom in the form of derivative lawsuits. These types of lawsuits are brought by a shareholder (or group) on behalf of the corporation against the corporation's directors or officers for allegations of breach of duty and oversight regarding potential cyber threats.
Use this blog to help your internal team understand the value of cybersecurity due diligence and learn what you can do today to get your board more involved in proactive cybersecurity planning by building a board of directors cybersecurity checklist.
The Critical Role of the Board in Cybersecurity
The modern board has a crucial role as a proactive group of strategists working with CISOs and risk management teams to understand the impact of cyber attacks on several key areas of responsibility.
- Fiduciary - Acting on behalf of their organization’s shareholders, board members are accountable to shareholders to take every possible step to protect the organization’s assets, including digital assets, especially those related to personal data, corporate files, IT infrastructure, etc.
- Regulatory - Local, national, and global data privacy laws demand compliance with guidelines designed to protect personal and financial information. In fact, 2021 saw over 45 U.S. states and territories introduce cybersecurity legislation and 36 states enact similarly focused bills (NCSL).
- Financial - In 2022, the average cost of a data breach in the U.S. was $9.44 million, with an additional $150,000 in costs associated with stolen or compromised credentials.
- Reputational - A data breach can cause lasting damage to a company’s image, making it less attractive to prospective customers and investors.
Board members are uniquely positioned not just to delegate responsibility, but to assume the responsibility of understanding the cyber threat landscape and driving every possible action to protect their company, shareholders, staff and customers from the potentially catastrophic effects of a cyber breach.
Brief your board on cybersecurity best practices today with ZeroDay Law’s board of director training programs.
Cybersecurity Due Diligence: A Checklist
Creating a checklist for cybersecurity due diligence is a crucial first step toward establishing a robust cybersecurity posture. By taking a systematic approach to assessing and understanding the cyber threat landscape, an organization can determine the most relevant risks and implement the most effective cybersecurity measures. These powerful outlines also support ongoing cybersecurity programs by providing a clear framework that ensures consistency, enhances accountability, identifies necessary resources and provides a starting point for periodic review.
1. Understand the Company's Cyber Risk Profile
A cyber risk profile illustrates an organization’s vulnerability to digital threats by assessing and summarizing the most relevant risks based on industry, operations, digital assets, IT infrastructure and other unique elements of the organization.
Important aspects of a cyber risk profile include:
- Identification of cyber threats
- Assessment of vulnerabilities
- Evaluation of the likelihood of an attack
- Analysis of potential impacts
- Prioritization of risks
- Proposals for mitigation strategies
Cyber risk profiles provide crucial insights for risk management, resource allocation and incident response plan development.
2. Ensure a Robust Cybersecurity Framework
A cybersecurity framework provides guidelines for addressing cyber threats and protecting digital assets and information. While tailored to an individual organization’s needs and risk exposure, cybersecurity frameworks serve as a structured illustration of how an organization will perform five primary functions.
- Identifying relevant cyber threats, risks and vulnerabilities.
- Protecting critical information and services from cybersecurity breaches.
- Detecting cybersecurity events as quickly as possible.
- Responding to cybersecurity incidents (IRP).
- Recovering from logistical, financial or reputational damage from a cybersecurity incident.
The U.S. National Institute of Standards and Technology offers the NIST Cybersecurity Framework, which organizations can utilize as-is or as a basis for a more company-specific program. NIST describes The Framework as “based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” Organizations can learn more about The Framework on the NIST website, where they can also get up to date on the forthcoming Cybersecurity Framework 2.0 update. Organizations seeking international guidelines for cyber risk management should explore ISO/IEC 27001, a globally recognized standard for information security management systems (ISMS).
The board’s role in implementing a cybersecurity framework involves several focus areas. Key steps in the process include:
- Strategy development and oversight
- Risk management integration
- Resource identification and allocation
- Incident response plan development, oversight and communication
- Training program development and implementation
- Monitoring and reviewing
- Updating programs, policies and plans
3. Train Employees on Cybersecurity Best Practices
A 2020 Stanford University study showed that employee mistakes were the cause of 88% of all data breaches. From using weak passwords to clicking on phishing email links or inadvertently downloading malware, humans are the weakest point in an organization’s cybersecurity program.
As a result, employee training is one of the most effective means of enhancing cybersecurity, and an area for which board members should eagerly and continually advocate.
The elements of an effective cybersecurity training program are selected to meet an organization’s unique needs. There are, however, several fundamental digital best practices that every employee should learn in order to mitigate cyber risk.
- Using secure WiFi networks
- Creating strong passwords and using two-factor authentication
- Recognizing suspicious emails, links, and attachments
- Developing safe Internet browsing habits
- Learning and implementing proper procedures for handling sensitive data
- Staying up-to-date on social engineering tactics
- Keeping device operating systems updated
More than lessons in recognizing and avoiding cyber threats, employee cybersecurity training creates a culture of safety that makes cybersecurity everyone’s responsibility and cybersecurity best practices part of company standards.
4. Regularly Review and Update Cybersecurity Policies
Cybersecurity is a dynamic field, continually evolving to keep pace with the ever-changing cyber threat landscape. Policies that do not address the most current threats and vulnerabilities will not protect an organization from attack. Organizational shifts, including new technologies, products/services, markets or acquisitions, can create new vulnerabilities and necessitate new policies. Organizations must also ensure continued compliance with laws and regulations related to data and information security.
Experts recommend reviewing cybersecurity plans at least once per year; anytime there is a significant change to an organization’s structure, operations or IT infrastructure; and immediately after a security incident. Emerging cyber threats or relevant changes in the cyber threat landscape should also trigger a policy review.
Board members should take active roles in cybersecurity policy reviews, since these reviews validate the strengths and expose the weaknesses of an organization’s cybersecurity risk management.
5. Oversee Incident Response Planning
Cyber incident response planning is the process of determining how an organization will react to and recover from a cybersecurity incident.
An incident response plan (IRP) helps minimize the impact of a cybersecurity incident by defining response team roles, assigning responsibilities and establishing procedures for threat detection, identification, containment, eradication and recovery.
Incident response planning is also a powerful teaching tool, as cyber incident reviews can provide insights for updating and improving security measures and preventing cyber attacks.
The board plays a vital role in overseeing incident response planning. In addition to making strategic decisions and allocating necessary resources, board members should be deeply involved in managing communications within the organization and with external stakeholders, investors, regulators and the media.
6. Advocate for Adequate Resources for Cybersecurity
Like any large-scale initiative, cybersecurity programs require resources to build, implement and maintain. And while organizations’ needs will vary, there are three primary categories of resources that provide critical support for all cybersecurity plans.
- Human: This includes cybersecurity experts to help build and implement the programs, cybersecurity trainers to deliver employee training, and staff with at least a basic knowledge of cybersecurity practices.
- Technological: This category includes protective software such as firewalls, intrusion detection and prevention systems, anti-virus and anti-malware programs and encryption tools; monitoring programs and systems; and backup and recovery tools.
- Financial: A dedicated budget is essential to ensure optimal implementation, training and maintenance, in addition to supporting response and recovery efforts when needed.
Advocating for cybersecurity resources is a crucial responsibility for board members that requires a strategic combination of education and value analysis.
- Periodic reminders of how cybersecurity aligns with business goals can make resource allocation requests more credible.
- Frequent updates regarding threats to the business and vulnerabilities within the business position cybersecurity as a constant priority that requires proactive thinking and funding.
- Reviewing information about recent high-profile cyber incidents is a compelling strategy, as it quantifies the material, operational, reputational and financial impacts of a breach.
Did you know? ZeroDay Law offers training and consulting services specifically designed for Executives and Board Directors seeking to understand the real cyber threats facing each organization in terms relevant to their roles. Learn more here.
The Consequences of Ignoring Cybersecurity
Global annual losses from cybercrime are estimated to reach $8 trillion in 2023 and are projected to rise to $10.5 trillion by 2025 (Cybercrime Magazine). And while discussion of the damage from cyber attacks typically focuses on the organization, the blame for such attacks is increasingly being placed on corporate boards.
Board members must instill a sense of understanding that cybersecurity is not a cost of doing business, but an ongoing investment in the safety and security of the business, its shareholders and its customers.
Lawsuits referred to as “Caremark claims” allege that incidents result from directors breaching their fiduciary duty of loyalty by not making “a good faith effort to oversee the company’s operations.” These claims are difficult to prove but can result in personal liability for board members who do not prioritize cybersecurity.
Here are two recent examples:
- Uber's former chief security officer was found guilty of criminal obstruction charges for failing to report a cyber breach to the authorities. Prosecutors also alleged that the CSO, James Sullivan, took steps to conceal the incident within the company.
- The Federal Trade Commission took action against the CEO of Drizly (an online drinks delivery business) over the company’s security failures which led to a cyber breach exposing the personal information of 2.5 million customers.
Proactivity is an imperative element of a robust cybersecurity program. Ongoing cybersecurity due diligence can take many forms, such as continuously reviewing programs and policies, exploring structural and technical changes that can create new vulnerabilities, and reviewing incident responses. These actions all provide insights that help keep detection and mitigation programs up-to-date, ensure regulatory compliance and improve future incident response programs.
A growing understanding of the far-reaching effects of cyber attacks has fueled a fundamental shift in how organizations approach cybersecurity.
As Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, stated, “We need a new model of sustainable cybersecurity. One that starts with a commitment at the board level to incentivize a culture of corporate cyber responsibility in which managing cyber risk is treated as a fundamental matter of good governance and good corporate citizenship.” (NACD/ISA Directors Handbook on Cyber Risk Oversight)
Interested in learning more about incident response planning, testing your existing security with tabletop exercises or training your board on cybersecurity? Reach out to ZeroDay Law today.