5 Ways Boards Could Tackle Cybersecurity

Putting Cyber-Speak Into a Language Directors Understand

A new handbook from the National Association of Corporate Directors, titled Cyber-Risk Oversight, offers five principles to guide boards of directors in helping their organizations address IT security threats.

The NACD announced on July 29 the availability of the handbook, which was developed in collaboration with the Internet Security Alliance, a trade group, and insurer American International Group.

"As the intricacy of attacks increases, so does the risk they pose to corporations," says Mark Camillo, AIG's head of cyber products for the Americas region. "Conscientious and comprehensive oversight of cyber-risk at the board level is essential."

The handbook focuses on board-level cybersecurity oversight and is organized around five key principles:

  1. Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprisewide, cyber-risk management framework with adequate staffing and budget.
  5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.

Connecting the Dots

"What we're trying to do here today is connect the dots between the operational issues that have dominated the cybersecurity discussion and the strategic issues, which are actually things businesses are focused on," says Internet Security Alliance President Larry Clinton, the report's author.

Board members and cybersecurity professionals don't necessarily speak the same language when it comes to IT security. "Most business leaders do not spend a lot of time talking about ISO standards and NIST framework," Clinton says. "They talk about things like profitability, growth, innovation, product development, price-to-earnings ratios. This publication, perhaps for the first time, attempts to put cybersecurity squarely within that business context."

AIG's Camillo says the handbook could help insurers sell more cyber-insurance policies. "When you look at the different types of surveys that have come out [of] directors and officers, half are not looking at solutions for cyber-insurance," he says. "We hope by promoting the handbook, we can change that because the insurance industry has been particularly innovative when you look at the types of solutions that have been introduced just recently."

NACD Chief Executive Ken Daly says the handbook doesn't advocate specific insurance policies but urges boards to adopt a risk-management approach that could include addressing some cyber-risks with insurance.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.