Corporate Compliance Insights

Enhancing Board Oversight of Cyber Risk

by Tod Northman
December 19, 2016
in Governance

with co-author Joseph A. Dickinson

Following a presidential campaign dominated by talk of hacked email and unsecured servers, businesses in every industry have been emphatically reminded of the cybersecurity danger they face. Threats come from all directions. Criminals and foreign hackers have grabbed headlines with thefts of personal financial data from Target and Home Depot. Yet a 2016 IBM-sponsored study concluded that 60 percent of all attacks come from internal sources, with the majority carried out with malicious intent and a quarter of those breaches resulting from error. Compounding the problem, the damage caused by breaches is skyrocketing: according to the same study, the average cost of a data breach is now more than $4 million and growing annually.

As the risk grows, the board of directors’ role in identifying and managing it becomes more imperative. The obligation to protect the business is the same as with any other business risk, but here it is overlaid with the obligation to ensure the business’s legal compliance. That intersection highlights the opportunity: cybersecurity risk cuts across the whole business and requires oversight from a similarly multifaceted perspective. The National Association of Corporate Directors’ Cyber Risk Oversight Handbook, published in 2014, identifies “enterprise-wide risk management” as an indispensable component of cybersecurity. Boards must echo this viewpoint with a specific focus on the cyber risk management program.

Get Your Priorities Straight

Establishing ownership of cybersecurity risk is the first step. Ultimately, the board is responsible for ensuring that the organization’s cybersecurity program is adequately resourced. A board can delegate governance to a risk committee, but it must maintain a businesswide view of the threat. Awareness of the danger must be tempered by a realistic strategy that prioritizes protection of the business’s most important assets. FBI Director James Comey put it bluntly: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” The threats are too pervasive to be eliminated; instead, businesses must decide which assets to prioritize for protection. That undertaking must start at the board level.

In that light, a strategy focused only on prevention may divert critical resources from the holistic approach needed to protect the business’s most important assets. A thorough program should address cyber risk at every stage of an attack, including infiltration, propagation and exfiltration, so that an intruder who gets past the perimeter is still detected and contained before data leaves the business. The board should require that management regularly evaluate and prioritize the organization’s assets and the cyber risks to those assets. The board should lead the process of determining the strategy for identifying and prioritizing risks, and it should define which risks the organization will accept and which it will mitigate.

Policies and Procedures

Because internal threats, including human error, account for such a large share of cyber breaches, well-designed policies and procedures for handling electronic information are a critical component of any cybersecurity program. Training employees in how to handle information yields significant benefits: it helps establish the organization’s culture and demonstrates the importance of good cyber practices. Directors and C-suite leadership should also receive training and regular updates on the organization’s cyber program.

Given how often breaches originate internally, the organization can improve the effectiveness of its cybersecurity program by monitoring and enforcing compliance with those policies and procedures. Doing so also reinforces the security culture. Equally important is making sure the policies include appropriate sanctions for employees whose conduct causes a breach.

Detection and Defense

Attackers continually adapt their methods. Consequently, the board should require that the organization periodically evaluate the latest technologies and techniques for detecting and responding to cyber attacks, and that management report the results of those evaluations to the board. Strategies must be business specific, based on the industry, the size of the business and the type of information processed and stored, among numerous other factors. The board should also be involved in evaluating the business’s detection systems, to ensure that resources are devoted to the highest-priority threats and that alerts about those threats reach someone who is able to act on them.

Develop an Incident Response Plan

Every cybersecurity program must include an incident response plan. Being prepared to respond to a breach significantly reduces the potential damage by improving the speed and quality of the response. Some of the most damaging breaches, such as the one at Sony, escalated because the target appeared not to understand the threat, and that lack of understanding can often be traced to inadequate incident response planning. Having a plan in place lets the business respond more quickly, limiting the impact on its data, and helps it identify and initiate the steps needed to regain control. FTC guidance released in the fall of 2016 emphasized that an incident response plan is a critical aspect of any cybersecurity program.

The plan should be detailed, identifying the parties inside and outside the organization who can be called upon to help. The board should arrange prompt access to adequate cybersecurity expertise in advance, not after a breach is discovered. The plan should also document the thresholds that would require reporting a breach to law enforcement or other regulatory bodies. Both the FBI and the Department of Justice have cybercrime units that can be valuable allies in combating or preventing a breach.

Once the plan is established, the board should review it regularly. The company should use tabletop exercises and simulated breaches to test and improve the plan, since a plan that has never been exercised rarely works as written under the pressure of a real incident.

The plan should require a formal assessment of the damage from any cyber event, and that assessment should be shared promptly with the board. The board should use the assessment to evaluate and improve the incident response plan.


Tags: Data Governance
About the author

Tod A. Northman is a Partner in the corporate group at Tucker Ellis LLP. He counsels clients of all sizes in a variety of industries, with a particular focus in the areas of aviation, autonomous vehicles and antitrust matters. He can be reached at 216.696.5469 or tod.northman@tuckerellis.com.

© 2022 Corporate Compliance Insights
