February 16th, 2017
In the wake of numerous high-profile cyber attacks against global businesses, including Sony, Target, and eBay, investors and boards alike are realizing that data breaches are an ever-present threat. Investors expect that company boards will assume a leadership role in addressing risks and controlling damage from these cyber incidents. Information security leaders should also understand what boards and investors expect from them in translating the business value of security.
An article from the Council of Institutional Investors called “Prioritizing Cybersecurity” explores the top five cyber security questions investors are asking company boards, and how the board can effectively respond.
- How are the company’s cyber risks communicated to the board, by whom, and with what frequency?
With this question, investors want to learn how well informed the directors are regarding the company’s cyber risk profile. Investors are best reassured when the board is updated frequently about information security risks.
- Has the board evaluated and approved the company’s cybersecurity strategy?
Investors expect the board to have a full understanding of the company’s strategy for minimizing the financial and material impact of a cyber incident. A good strategy includes protecting the most critical data and assets from operational, financial, reputational, and legal harm. It should include preventative, detective, and corrective measures. The board must also be familiar with management’s incident response procedures, including simulation drills and a strong communications plan.
- How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
Cyber security often requires a multi-disciplinary approach across multiple management levels. Board members are responsible for reviewing the backgrounds and qualifications of everyone accountable for cybersecurity. Investors look for an organizational structure with clearly delineated responsibilities and sufficient management oversight.
- How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
The board has the authority to establish standard performance metrics based on the company’s size, industry, and risk profile. An additional benchmark is to compare performance to that of similar companies. Investors want to know how the company’s security efforts perform according to the company’s own metrics, as well as how they compare to other companies.
- When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?
Investors want the board to fairly and accurately report on the company’s cyber risk profile and security performance. The SEC asks that companies disclose cyber incidents, but provides few guidelines regarding when such a disclosure is required. The board can proactively communicate the process used to assess damage from cyber incidents on the company’s data and assets. Transparency about this process reassures investors of the company’s cyber health.
Boards and investors can develop a more productive partnership through better communication. Board members should seek to understand the investors’ concerns, and the investors should make equal effort to understand the board’s decisions and actions.
Secure Digital Solutions offers TrustMAPP®, a platform that facilitates this type of communication and information sharing between information security leaders and boards. Contact our team to learn more about the TrustMAPP® solution.