Reflecting just how far cybersecurity has now risen up the business agenda, in December 2014, BIS issued “Cyber Security: balancing risk and reward with confidence (Guidance for Non-Executive Directors)”.
The guidance stresses that regulators, investors, employees, customers, partners and lenders expect boards of directors to handle cybersecurity risks, therefore it is essential that all NEDs properly understand the associated risks and available counter-strategies.
Almost all businesses are at risk, so “every board needs to understand the key areas of vulnerability, the mechanisms to block external attacks and the means of detecting and addressing any breaches.”
Accordingly, the guidance recommends NEDs should ask themselves, their fellow board members and the Audit or Risk Committees of their companies at least 25 questions. They include the following:
- Does the board regularly discuss the level of cyber risk it is prepared to take, and how much it is prepared to invest in managing that risk?
- Can we invite representatives from other areas of the business to participate in board level cyber risk management discussions (e.g. HR, legal)?
- Do we really know who is responsible for cyber risks in the company?
- Do I fully understand cyber updates and how that information was generated?
- Outside of meetings, do I regularly speak to the CIO, Head of Audit or CISO to understand the company’s threat profile, controls and processes?
- Which board members are fluent in the risks and opportunities of the digital age? Are we actively educating and supporting colleagues?
- Are we confident the business is prepared for a major breach?
- Are we measuring the degree to which we are meeting the board’s cyber risk appetite?
- Is our operational risk and internal audit plan providing cover across different areas of cybersecurity (e.g. cyber incident response review), or is it just focused on IT operations?
- Have we identified and understood the value of our company’s critical information and data assets? What is that small percentage of information within our business that makes it competitive?
- Do we receive a regular update showing the threat to our business and critical data assets?
- What assurances do we have that adequate technical controls and processes (e.g. the ‘basics’) are in place to protect these assets?
- Do we have assurances that our staff, suppliers, cloud providers, contractors, overseas subsidiaries and partners can be trusted to safely access our critical information and data assets?
- Have we considered in detail the potential resulting consequences to our business, both now and in the future, from the loss or disruption to our critical information and data assets?
- Do we have a complete map of our network and connections to the internet, the operating systems and applications in use, and the number of users with administration rights?
- Which recommendations in penetration testing reports have not been acted on, why not and for how long have they been outstanding?
Read the full report here.