Reporting Cyber Risk to the Board

Today it is accepted that cyber security is not just an IT risk but a risk to the enterprise as a whole, and this is now reflected in the importance given to cyber security issues within the enterprise.
Board members are also aware that cyber risk oversight is an important addition to the long list of their duties. However, in NACD's latest survey of more than 1000 public-company directors, only 13% of respondents said they were very satisfied with the quality of information they receive from management on cyber risk and related IT risks, and less than 2% reported high satisfaction with the amount of information provided by management on those topics.
This leaves a staggering 85% of board members not satisfied with the level of reporting. This is clearly an area of improvement which needs to be addressed as a priority.
Board members do not need day-to-day operational details; rather, they need a few key parameters to gauge the overall performance of the company, much as a physician uses a patient's pulse rate and blood pressure as indicators of general health.
To help define these key parameters and refine the level of reporting, a suggested list of items to be reported to the board is enumerated below:
a) Cyber Risk Register [a component of the Corporate Risk Register] must be reported to the board. The Cyber Risk Register must contain information regarding:
    i. Critical cyber risk areas having regulatory or compliance impacts, based on each line of business [LOB].
    ii. Changes in geography-specific legislation which may impact operations due to changed regulatory requirements.
    iii. Exposure to cyber risk due to third parties [suppliers / vendors / contractors].
    iv. Plans [or action taken] for mitigation / transfer of cyber risk, including cyber insurance.
    v. Plans for when things fail [Incident Response & Recovery Plans], including the role of board members, must be discussed and recorded.
b) Security expenditure as a percentage of the overall IT expenditure, categorized under the following heads:
    i. Capital expenditure for upgrades / enhancements planned.
    ii. Operational expenditure - Security Operations, Training & Awareness.
    iii. Staffing - Employees, Contractors.
c) Record of briefings made to the board and status of action points.
While this list is by no means exhaustive, it is a starting point. Hopefully readers will contribute and the list will grow.
Happy Reporting.


There are 3 Comments

Positioning compliance as an element of risk, the entity's compliance posture should be included.
Management's key concern: Do we have any unmitigated risk that might be realized unexpectedly and damage our reputation?
Other reporting elements: The CFO will always ask what we are getting for our investment, so costs, value and benefits need to be measured and reported.
Management also needs decision-drivers (where efforts need an investment, or maybe more simply a nudge from management).

Yes, however in my opinion compliance as an activity is well within the confines of the enterprise and should be handled at the CxO level [as you pointed out, at CFO level].
So will the board be interested in this detail?
Looking for opinions / comments.

The real question is how board members make sense of the dashboard. At the basic level a board member needs answers to the following questions:
1. How do I know if we are spending too much money, too little money or just enough money to ensure the correct cybersecurity posture?
2. How do I know if the measures that have been put in are effective?
3. How do I know, if I have a problem, that I will be able to recover?

Is the confidence to be based upon the fact that someone has presented a dashboard? What will make a board member *believe* a dashboard?