Board Role in Cyber Security

Yesterday’s post outlined some major issues in cyber security. From a governance standpoint, in the face of heightened cyber risk, what are the obligations of a board of directors?

  • Make sure that management develops a “breach plan” that identifies the level of cyber risk you are willing to undertake and that outlines your legal, contractual and regulatory obligations if a breach occurs. Identify your legal and public relations team. Determine insurance coverage. Do you have a plan for what to say to your customers?
  • Do not automatically turn over cyber security to your CIO; they are generally not prepared for it. If you are large enough, consider establishing a new position of CISO (Chief Information Security Officer).
  • Identify your key protectable elements of information, the “crown jewels,” and focus on protecting those; it is not possible to protect everything (there are too many devices plugged into the internet and too many unknown portals into your company).
  • Apply a goodly portion of your IT budget both to defense against hacks and, perhaps more importantly, to discovering hacks immediately so they can be contained.

Setting up such a system initially requires a deep dive by the board in order to establish preparedness. For ongoing monitoring, consider establishing a risk management committee chaired by in-house counsel, reporting through the CEO to the board. Arrange for quarterly reports, and deal with cyber security risks as part of enterprise-wide risk management.