Lots of Questions

“Cyber security is no longer just an IT issue; it is an enterprise risk-management issue, and your board has to be involved.”  

You can find variants of this statement in almost any business-related cyber-security discussion (including some I have penned myself). The board oversight role also is embedded in every cyber-security protocol framework. 

I am on several boards, and I advise several others. But I have been struggling with trying to determine what a good board should do to satisfy its responsibilities regarding cyber-security oversight. My Steptoe partners Jason Weinstein and Mike Vatis—whose expertise includes cyber-security compliance programs and incident response—authored the cyber incident scenario on p. 42. It is interesting to me—and it seems wholly appropriate—that a board’s role in its incident response scenario is simply to be informed. 

Whether the board succeeds or fails in its oversight is probably best judged by how well prepared the organization is for the event and how it responds. At a very basic level, the board’s ultimate success or failure can be judged by whether it asks the right questions. 
In its recently issued report, Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom, KPMG outlines a number of the concerns currently on board members’ minds. Am I asking the right questions? Are we doing enough? These are just a couple. As that report and a plethora of others have noted, we definitely can do better. 

The National Association of Corporate Directors has published a very instructive handbook, Cyber-Risk Oversight. It outlines five core cyber-security principles for directors and lists questions boards should be asking to satisfy these principles.

• Principle 1: Directors need to understand and approach cyber security as an enterprisewide risk management issue, not just an IT issue.
• Principle 2: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
• Principle 3: Boards should have adequate access to cyber-security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board’s meeting agenda.
• Principle 4: Directors should expect management to establish an enterprisewide cyber-risk management framework with adequate staffing and budget.
• Principle 5: Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

The corporate directors group lists about two dozen core questions that boards should ask about their company’s cyber-security regime. They really fall into three general buckets of questions:

1. What is the nature of our potential cyber threats? What are the cyber-security risks that confront the company? What are our most valuable assets that could be subject to these threats? How will we know if we have been attacked? Who are our likely adversaries? What testing have we done? What exposures do our business partners create for us?
2. What are we doing about it? What are the leading practices for cyber security, and where do our practices differ? Do our practices distinguish between general security and protection for our mission-critical assets? What vulnerabilities do we have for our mobile workforce? Is there any cyber-security related disagreement between management and our IT team? Do our business partners have cyber controls and policies in place? Are we monitoring their adherence to those controls and policies in any way? What do we do to evaluate the cyber regimes of potential acquisition targets during the M&A due diligence process? Do we have cyber insurance? Is it adequate? Do we participate in a group that shares information about identifying threats? What do we do with information we gain from that group? Do we have a robust training program? What else are we doing to raise firmwide cyber awareness? What do we do when we identify cyber-security deficiencies? Have we found any such deficiencies during the last year? What did we do about it?
3. What is our incident response plan if there is an attack? Do we have a plan? Under the plan, when will law enforcement and other relevant government entities be notified? What was our most significant cyber-security incident in the past quarter? What was our response? What constitutes a material cyber-security breach? What are we doing to stress test our plan?

In the unfortunate (but all too common) event that your company experiences a breach of cyber security, your leadership should be asking questions during and after the response that not only can help drive the immediate response but also may help to inform what adjustments should be made going forward. How did we learn of the breach? Did we discover it, or were we informed (or threatened) by an outside party? What was the impact of the breach? What have we done to contain the damage? What were the weaknesses in our system that allowed it to occur? What can we do to make sure this type of breach does not happen again?

Lots of questions, I know. I’m just glad that, when it comes to cyber-security issues, I get to ask more questions than I have to answer.