Preparing a 'Cyber Balance Sheet' to Engage the Board
A key issue that senior management is trying to address is how best to update a board of directors about cyber risk. The challenge is to not miss the forest for the trees. There are several components that can be readily quantified for boards, such as the number of software patches implemented, “spear phishing” attacks thwarted, or personnel trained. Yet, are those the most important elements to bring to the attention of a board of directors?
Every organization has unique cyber vulnerabilities, and boards want to know what preparatory steps an organization has taken before an incident happens. For example, what is your governance structure? Do you have a Chief Information Security Officer (CISO)? If so, who does that CISO report to?
While there are a multitude of approaches, one framework for briefing the board is to prepare a “cyber balance sheet” of assets and liabilities.
The first step is to discuss your organization’s most important assets and how cyber risks can affect them. This can be achieved by:
- Cataloging your company’s crown jewels. For pharma companies, this may be your intellectual property. For health care companies, patient records. For retail companies, credit card and other financial data.
- Reviewing specific cybersecurity defenses. Once this inventory is complete, what specific steps are you taking to protect your crown jewels? Examples might include end-to-end encryption, two-factor authentication for remote access, and sandbox (“detonation”) software that runs suspicious files in isolation to detect malware.
- Evaluating vendor networks. One of the key takeaways from the cyber breaches of 2014 is the importance of taking steps to protect your vendor network. Are you conducting risk-based diligence and IT audits on your key vendors? Are they required to notify you immediately in the event that their systems are breached? Do they have their own cyber insurance?
The second step is to assess your liabilities. Given the current threat environment, what are your greatest vulnerabilities? For many companies, the first vulnerability is data sprawl — the extraordinary proliferation of personal devices, tablets, servers, and cloud-based solutions. A second area of potential vulnerability comes with mergers and acquisitions (M&A). Do you have a reasonable system in place to assess the cyber risk posed by a potential acquisition target?
The third step, after you have cataloged your assets and assessed your liabilities, is to assume that your systems are breached. Many experts assert that it is not a question of “if” but rather “when.” In that scenario, what would you do? Have you tested your incident response plan? Do you have a forensic investigation firm already engaged on a retainer? Have you developed relationships with senior officials at the Department of Homeland Security, the FBI, the Treasury, and with important state and local law enforcement officials?
It is, to put it mildly, a daunting task for all of us.
This article stems from a discussion about directors and officers liability at Marsh’s first annual D&O Panel Symposium in April.