Sharpening the board's role in cyber risk oversight | Deloitte US | Center for Board Effectiveness has been added to your bookmarks.
Sharpening the board's role in cyber risk oversight
The importance of having strong dialogue with management
Cyber risk has become one of the top enterprise-wide risks facing companies. From a governance perspective, one of the board’s most important tasks is to verify that management has a clear perspective on how the business could be most seriously impacted, and that management has the appropriate skills, resources, and approach in place to minimize the likelihood of an incident—and the ability to mitigate the damage should one occur.
Cyber risk oversight
Boards can take various approaches to fulfill their cyber-risk oversight duties. For example, some boards have a separate entry on their risk map to monitor cyber risk and make it a full board responsibility. Others keep oversight within the domain of the audit or risk committee. Whichever applies, cyber risk should be on board or committee agendas annually if not more frequently.
Management’s duty is to align the cyber risk program to a detailed business risk profile. This profile should reflect an understanding of likely attackers, their objectives, which assets are most at risk, and the impact of those assets being compromised. When alignment is off, it’s the board’s duty to challenge management to construct a more tightly aligned program. In their over-sight role, boards need to know the right questions to ask and how to monitor the effectiveness of management’s plans and responses. Such questions can include: "Who is the appropriate executive to be leading cyber risk management?"; "What are the greatest cyber threats our organization faces?”; and “What are the ‘crown jewels’ that we must protect, including data and other assets?”.
The following are other issues for boards to consider when developing processes for cyber-risk oversight:
- Assessing cyber program costs
- Developing board-level metrics and benchmarking
- Participating in wargaming exercises
- Determining the voice of the organization during a cyber incident
Read the article to dive deeper into these issues.