Cybersecurity Compliance Q&A for the Board

Large-scale cybersecurity breaches have led to lawsuits against boards and executives, with the argument that security breakdowns should be considered members' failure to uphold their fiduciary duties. There are no common guidelines for defining board-level cybersecurity compliance. Congress, the Department of Justice, the executive office, and other regulatory bodies have weighed in, creating confusion.

Boards can no longer ignore cybersecurity as a strategic discussion and should be aware of how companies are positioned to address critical risks. Not only is this a way to avoid personal liability, it's just good business.

How can the CIO or CISO properly interact with the board?

Details of day-to-day activities like software monitoring and firewall setup are important for the IT team and CIO to understand, but that level of granularity is not necessary for the board. Because cybersecurity is directly tied to overall company strategy and business operations, the board should understand how cybersecurity failure could impact the business. A death-by-PowerPoint approach to communicating with the board is less than optimal. A discussion is better.

The CIO or CISO should encourage the board to ask questions!

Specifically, board members will ensure the right level of involvement by asking the following three questions:

1. How could critical business processes be affected by a breach?

Most companies have a mind-boggling number of systems that can be breached. It would take days for a well-informed board member to walk through a list of the systems with IT to determine if they are properly secured. The better approach is to realize that no matter how well IT secures systems, the company can be hacked. With this in mind, board members are better off asking the following questions to ensure critical business processes have been identified and prioritized:

• How will our customers be impacted by a breach? Will a breach in our systems lead to a breach in a customer system?
• How will critical operations be impacted by a breach? Is there an opportunity for a catastrophic situation?
• How will our employees be impacted by a breach? Will critical private information be exposed?
• How much intellectual property will we lose? Will we lose competitive advantage if our IP is exposed?

Answering these questions will ensure business and IT have a clear understanding of the critical business process areas that should be closely monitored for cybersecurity weaknesses.

This is the first step in fulfilling board fiduciary duties.

2. How well are business and IT prepared to respond during a breach?

The second step in fulfilling board fiduciary duties is to ensure business and IT have a clear understanding of how to respond during an incident. A detailed discussion on the different tools and techniques leveraged during a breach would fix board level insomnia. Instead, the CIO or CISO should encourage the board to ask the following questions:

• Do we have a cybersecurity response team comprised of both IT and business participants? Do they have clearly defined roles and responsibilities?
• Has a cybersecurity response plan been developed and tested? Are there clearly defined checklists the response team can use?
• Does the response team understand how to use the response plan? Do team members have a plan for addressing unforeseen situations?
• Is there an internal and external communications plan? Are there templates for specific communications based on what is breached?
• When should the plug be pulled? When should all systems be shut down?
• Is there a process for bringing the systems back online?

While most board members may not understand the inevitable jargon some of the answers will contain, members must have a comfort that a clear set of recovery guidelines have been developed, deployed, and understood. Most importantly, the board should clearly understand when they need to get involved.

3. How can compliance prevent a breach

A cybersecurity breach is not the time to discover that basic compliance policies and procedures are not being followed. While IT is responsible for establishing strong cybersecurity protection, business is accountable for compliance. Regardless of how well protected, all systems are a fingertip click away from being breached.

The third step to ensuring the board’s cybersecurity fiduciary duties are properly fulfilled is asking questions about critical cybersecurity compliance components. Questions include:

• Who owns cybersecurity? Is it Internal Audit?
• Do employees clearly understand their role in cybersecurity compliance? Do they have the right training? Do they have the right reminders?
• Does IT regularly test employee compliance? Does Internal Audit participate?
• Is Internal Audit involved in testing the cybersecurity response plan?
• Are there clear guidelines for how customers, suppliers, and employees access our systems? Is compliance tested on a regular basis? Has legal counsel updated our contracts to include the appropriate cybersecurity breach liability clauses?

The answers to these questions will generate more, but most importantly, the board of directors will obtain a clear understanding of cybersecurity compliance awareness across the company.

The board’s responsibility is to ensure a company is properly prepared to operate efficiently and effectively. A cybersecurity breach can bring a company to a halt and expose all of senior management to significant personal liability. Boards that rely solely on IT to provide cybersecurity protection are open to significant risk. Asking the right questions about cybersecurity preparedness not only protects board members from liability, but helps ensure a company is prepared for the inevitable breach.

Trenegy helps companies develop and deploy realistic cybersecurity strategies with a focus on mitigating risk.