Today it is accepted that cyber security is not just an IT risk but something that affects the enterprise as a whole. This is now reflected in the importance accorded to cyber security issues within the enterprise.
Board members are also aware that cyber risk oversight is now an important addition to the long list of their duties. However, in NACD's latest survey of more than 1000 public-company directors, only 13% of respondents said they were very satisfied with the quality of information they receive from management on cyber risk and related IT risks, and less than 2% reported high satisfaction with the amount of information provided by management on those topics.
This leaves a staggering 85% of board members not satisfied with the level of reporting. This is clearly an area for improvement that needs to be addressed as a priority.
Board members, however, do not need day-to-day operational details; rather, they need a few key parameters to gauge the company's overall security posture, much as a physician uses a patient's pulse rate and blood pressure as indicators of general health.
To help define these key parameters and refine the level of reporting, a suggested list of items to be reported to the board is enumerated below:
a) Cyber Risk Register [a component of Corporate Risk Register] must be reported to the board. The Cyber Risk Register must contain information regarding:
i. Critical cyber risk areas with regulatory or compliance impact, broken down by line of business [LOB].
ii. Changes in geography-specific legislation that may affect operations through changed regulatory requirements.
iii. Exposure to cyber risk through third parties [suppliers / vendors / contractors].
iv. Plans [or actions taken] for mitigation or transfer of cyber risk, including cyber insurance.
v. Plans for when things fail [Incident Response & Recovery Plans], including the role of board members, must be discussed and recorded.
b) Security expenditure as a percentage of the overall IT expenditure, categorized under the following heads:
i. Capital expenditure for planned upgrades / enhancements.
ii. Operational expenditure - Security Operations, Training & Awareness.
iii. Staffing - Employees, Contractors.
c) Record of briefings made to the board and status of action points.
While this list is by no means exhaustive, it is a starting point. Hopefully readers will contribute and the list will grow.