Board members of both public and private companies have a fiduciary responsibility to establish and oversee business policies that drive a company’s financial growth and performance, including how their organization manages cybersecurity threats. Not only can a company be put at risk by cybersecurity breaches, but a director can also be held personally liable in some instances. Therefore, boards must understand the impact a cybersecurity incident can have on the organization and take steps to limit its exposure.
To minimize the opportunity for a cybersecurity breach and limit liability, boards should consider asking their IT professionals the following questions:
- What data do we have? Boards should understand the types of data the company collects, its value to the company and potentially to others, who owns it, and who in the organization is responsible for planning how it should be protected.
- What is our cybersecurity strategy? It’s critical to understand what measures are being taken to protect data, brand reputation and shareholder value. Boards should understand how often internal cybersecurity controls are reviewed and whether they have been tested.
- What are our detection capabilities? Many breaches are not detected immediately after they occur. In some cases, it can be weeks, months or even years before the incident is detected. It is the responsibility of the board to understand what steps the organization is taking to quickly detect a cybersecurity incident and minimize damage.
- Do we have an incident response plan? Companies should have plans in place for various types of threats. Once an incident occurs, it will be too late to develop a mitigation plan. The steps organizations take in response to an incident are critical to reducing the impact.
- Is our cybersecurity investment adequate? Companies should evaluate their current level of protection and their risk tolerance when allocating a cybersecurity budget.
- Do we have cyber insurance? Cyber insurance can protect companies against liabilities related to a data breach and other cyber-related incidents.