Yesterday’s post outlined some major issues in cyber security. From a governance standpoint, in the face of heightened cyber risk, what are the obligations of a board of directors?
- Make sure that management develops a “breach plan” that identifies the level of cyber risk you are willing to undertake, and that outlines your legal, contractual and regulatory obligations if a breach occurs. Identify your legal and public relations team. Determine insurance coverage. Do you have a plan as to what to say to your customers?
- Do not automatically turn over cyber security to your CIO; they are generally not prepared. If you are large enough, consider establishing a new position of CISO (“Chief Information Security Officer”).
- Identify your key protectable elements of information, the “crown jewels,” and focus on protecting those; it is not possible to protect everything (there are too many devices plugged into the internet and too many unknown portals into your company).
- Apply a goodly portion of your IT budget to both defense against hacks and, perhaps more importantly, immediately discovering hacks so they can be contained.
Setting up such a system requires a deep dive by the board, initially, in order to establish preparedness. For ongoing monitoring, consider establishing a risk management committee chaired by in-house counsel, reporting through the CEO to the board. Arrange for quarterly reports, and deal with cyber security risks as part of enterprise-wide risk management.