Boards of directors have a new source of advice on how to manage cyber risk for the firms they oversee.
It comes from the World Economic Forum, which released a report called Principles for Board Governance of Cyber Risk that outlines six principles boards should follow to make companies more resilient to cyber-attacks.
“The board needs to understand cyber risk, and its role in governing this threat, to perform its oversight function effectively,” the report says. “It continues to be important for members of the board of directors and industry professionals to increase their knowledge of how to address cybersecurity within their organizations.
“As with any major enterprise issue, it is important for the board of directors and leadership to set the tone at the top and define how their organizations must address cybersecurity.”
The six principles are:
- Cybersecurity is a business enabler
In brief, cybersecurity is more than just an IT issue. Effective organizational cybersecurity directly contributes to both value preservation and new opportunities to create value for the enterprise. So the board has to hardwire cyber-risk considerations into key operational and strategic decision-making processes, including the adoption of cyber risk as a recurring agenda item for full board meetings;
- Understand the economic drivers and impact of cyber risk
Leaders should measure cyber risk (empirically and economically) against strategic objectives, regulatory and statutory requirements, business outcomes and cost of acceptance, mitigation or transfer. The board should review and approve the organization’s cyber-risk appetite, or tolerance, in the context of the company’s risk profile and strategic goals. That gets done in part by management developing key metrics to measure overall cyber-risk management performance;
- Align cyber-risk management with business needs
The C-suite should report to the board on the cybersecurity implications of their activities, including relevant cyber risks, risk ownership and alignment to the enterprise cyber-risk management program.
- Ensure organization design supports cybersecurity
Set expectations that cybersecurity and cyber-risk functions are to receive adequate staffing and funding and monitor the efficacy of these determinations. The board should also inspire a cybersecurity culture.
- Incorporate cybersecurity expertise into board governance
The board should build relationships with internal stakeholders who can provide expertise to guide
strategic cybersecurity decisions, up to and including ensuring cyber expertise is represented on the board. At the same time the board should also seek out third-party advisers and assessors – who report to the board regularly – to ensure effective oversight of management.
- Encourage systemic resilience and collaboration
Cyber resilience demands that organizations work in concert. Not only should board members develop peer networks to share best practices, but the board should also ensure management has plans for collaboration with industry groups and information-sharing platforms. At the same time, the board should ensure that management takes into account risks stemming from third parties, vendors and partners.
The report is a collection of guidance from the World Economic Forum, the World Economic Forum, the National Association of Corporate Directors (NACD) the Internet Security Alliance (ISA) and PricewaterhouseCooper.
Meanwhile, the new head of the U.K.’s National Cybersecurity Centre last week said boards there don’t take cybersecurity as seriously as they should. ZDNet quotes Lindy Cameron saying in a speech that cybersecurity should be viewed with the same importance to CEOs as finance, legal or any other vital day-to-day part of the enterprise.
“The cybersecurity landscape we see now in the U.K. reflects huge progress and relative strength – but it is not a position we can be complacent about. Cybersecurity is still not taken as seriously as it should be, and simply is not embedded into the U.K.’s boardroom thinking,” said Cameron during a speech at Queen’s University, Belfast.