Once considered exclusively an IT responsibility, cybersecurity due diligence is a growing concern at the board level, as managers and directors are increasingly being held responsible for taking actions to mitigate cyber threats.
In fact, cybersecurity has become a significant focus in boardrooms around the world.
A recent global survey by Proofpoint, Inc. revealed that 65% of executives believe they will be the victim of a cyberattack in the coming year, and 90% of organizations have hired a Chief Information Security Officer (CISO). Shareholders expect their boards to not only hire CISOs, but also continually engage with them to establish and monitor cybersecurity programs.
Victims of cyber breaches are affirming this boardroom responsibility in the courtroom through derivative lawsuits. These lawsuits are brought by a shareholder (or group of shareholders) on behalf of the corporation against the corporation's directors or officers, alleging a breach of their duty of oversight regarding potential cyber threats.
Use this blog to help your internal team understand the value of cybersecurity due diligence and learn what you can do today to get your board more involved in proactive cybersecurity planning by building a board of directors cybersecurity checklist.
The modern board has a crucial role as a proactive group of strategists working with CISOs and risk management teams to understand the impact of cyber attacks on several key areas of responsibility.
Board members are uniquely positioned not just to delegate responsibility, but to assume the responsibility of understanding the cyber threat landscape and driving every possible action to protect their company, shareholders, staff and customers from the potentially catastrophic effects of a cyber breach.
Brief your board on cybersecurity best practices today with ZeroDay Law’s board of director training programs.
Creating a checklist for cybersecurity due diligence is a crucial first step toward establishing a robust cybersecurity posture. By taking a systematic approach to assessing and understanding the cyber threat landscape, an organization can determine the most relevant risks and implement the most effective cybersecurity measures. These powerful outlines also support ongoing cybersecurity programs by providing a clear framework that ensures consistency, enhances accountability, identifies necessary resources and provides a starting point for periodic review.
A cyber risk profile illustrates an organization’s vulnerability to digital threats by assessing and summarizing the most relevant risks based on industry, operations, digital assets, IT infrastructure and other unique elements of the organization.
Important aspects of a cyber risk profile include:
Cyber risk profiles provide crucial insights for risk management, resource allocation and incident response plan development.
A cybersecurity framework provides guidelines for addressing cyber threats and protecting digital assets and information. While tailored to an individual organization’s needs and threat exposure, a cybersecurity framework serves as a structured illustration of how the organization will perform five primary functions.
The U.S. National Institute of Standards and Technology offers the NIST Cybersecurity Framework, which organizations can use as-is or as a basis for a more company-specific program. NIST describes the Framework as “based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” Organizations can learn more about the Framework on the NIST website, where they can also get up to date on the forthcoming NIST 2.0 framework update. Organizations seeking international guidelines for cyber risk management should explore ISO/IEC 27001, a globally recognized standard for information security management systems (ISMS).
The board’s role in implementing a cybersecurity framework involves several focus areas. Key steps in the process include:
A 2020 Stanford University study showed that employee mistakes were the cause of 88% of all data breaches. From using weak passwords to clicking on phishing email links or inadvertently downloading malware, humans are the weakest point in an organization’s cybersecurity program.
As a result, employee training is one of the most effective means of enhancing cybersecurity, and an area for which board members should eagerly and continually advocate.
The elements of an effective cybersecurity plan are selected to meet an organization’s unique needs. There are, however, several fundamental digital best practices that will help mitigate cyber risk.
More than lessons in recognizing and avoiding cyber threats, employee cybersecurity training creates a culture of safety that makes cybersecurity everyone’s responsibility and cybersecurity best practices part of company standards.
Cybersecurity is a dynamic field, continually evolving to keep pace with the ever-changing cyber threat landscape. Policies that do not address the most current threats and vulnerabilities will not protect an organization from attack. Organizational shifts, including new technologies, products/services, markets or acquisitions, can create new vulnerabilities and necessitate new policies. Organizations must also ensure continued compliance with laws and regulations related to data and information security.
Experts recommend reviewing cybersecurity plans at least once per year; anytime there is a significant change to an organization’s structure, operations or IT infrastructure; and immediately after a security incident. Emerging cyber threats or relevant changes in the cyber threat landscape should also trigger a policy review.
Board members should take active roles in cybersecurity policy reviews as they will validate the strengths or illuminate the weaknesses of an organization’s cybersecurity risk management.
Cyber incident response planning is the process of determining how an organization will react to and recover from a cybersecurity incident.
An incident response plan (IRP) helps minimize the impact of a cybersecurity incident by defining response team roles, assigning responsibilities and establishing procedures for threat detection, identification, containment, eradication and recovery.
Incident response planning is also a powerful teaching tool, as cyber incident reviews can provide insights for updating and improving security measures and preventing cyber attacks.
The board plays a vital role in overseeing incident response planning. In addition to making strategic decisions and allocating necessary resources, board members should be deeply involved in managing communications within the organization and with external stakeholders, investors, regulators and the media.
Like any large-scale initiative, cybersecurity programs require resources to build, implement and maintain. And while organizations’ needs will vary, there are three primary categories of resources that provide critical support for all cybersecurity plans.
Advocating for cybersecurity resources is a crucial responsibility for board members that requires a strategic combination of education and value analysis.
Periodic reminders of how cybersecurity aligns with business goals can make resource allocation requests more credible.
Reviewing information about recent high-profile cyber incidents is a compelling strategy as it quantifies the material, operational, reputational and financial impacts of a breach.
Did you know? ZeroDay Law offers training and consulting services specifically designed for Executives and Board Directors seeking to understand the real cyber threats facing each organization in terms relevant to their roles. Learn more here.
Global annual losses from cybercrime are estimated to reach $8 trillion in 2023 and are projected to rise to $10.5 trillion by 2025 (Cybercrime Magazine). And while the damage from a cyber attack typically falls on the organization, the blame for such attacks is increasingly being placed on corporate boards.
Lawsuits referred to as “Caremark claims” allege that incidents result from directors breaching their fiduciary duty of loyalty by not making “a good faith effort to oversee the company’s operations.” These claims are difficult to prove but can result in personal liability for board members who do not prioritize cybersecurity.
Here are two recent examples:
Proactivity is an imperative element of a robust cybersecurity program. Ongoing cybersecurity due diligence can take many forms, such as continuously reviewing programs and policies, examining structural and technical changes that can create new vulnerabilities, and reviewing incident responses. These actions all provide insights that help keep detection and mitigation programs up to date, ensure regulatory compliance and improve future incident response programs.
A growing understanding of the far-reaching effects of cyber attacks has fueled a fundamental shift in how organizations approach cybersecurity.
As Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, stated, “We need a new model of sustainable cybersecurity. One that starts with a commitment at the board level to incentivize a culture of corporate cyber responsibility in which managing cyber risk is treated as a fundamental matter of good governance and good corporate citizenship.” (NACD/ISA Directors Handbook on Cyber Risk Oversight)
Interested in learning more about incident response planning, testing your existing security with tabletop exercises or training your board on cybersecurity? Reach out to ZeroDay Law today.