BreachExchange mailing list archives

Seven Cybersecurity Questions Bank Boards Need to Ask


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Oct 2014 19:19:50 -0600

http://www.americanbanker.com/bankthink/seven-cybersecurity-questions-bank-boards-need-to-ask-1070339-1.html

Recent cyberattacks against several big businesses show that a wide variety
of industries are engaged in a nearly nonstop battle against hackers who
seek to steal intellectual property, data and funds. All of us should be
sobered by the fact that the personal information of nearly half of all
American adults has been exposed in the last year or so, according to a
recent report from CNNMoney and the Ponemon Institute.

The financial services industry is already focused on cybersecurity. But
continued and growing vigilance is necessary to protect sensitive data and
systems.

Against this backdrop, corporate board members are increasingly required to
play an active role in ensuring that cybersecurity is a priority of top
company managers. While there are numerous questions that board members
should ask of senior management, here are seven particularly pertinent ones.

What is your management team's familiarity with cybersecurity?

The board should make sure that sufficient expertise exists within the
company to effectively assess cyber risk and establish that the chief
executive is knowledgeable enough to understand the cyber risk level that
he or she is accepting on behalf of the company's shareholders. In
addition, the board should inquire whether other key personnel, including
business line heads, product and channel managers, risk officers, audit
personnel, information technology managers and the general counsel are
equipped to gauge cyber risks and understand relevant legal requirements.

Have the company's data "crown jewels" been identified and are they
properly protected?

If management does not know what data is critical to the organization's
ability to function, where those assets are located or how they are
accessed, it is unlikely that company can figure out what data to protect
and how to protect it. To paraphrase Sun Tzu, prior to understanding the
intentions and capabilities of your enemies, you must first "know yourself."

Can the management team articulate its cyber risks and explain its approach
and response to such risk?

Management should periodically explain to the board its assessment of
cybersecurity risks and articulate its plan to address them by choosing to
accept, avoid, mitigate, or transfer such risks. Boards would do well to
have at least one member capable of assessing both cyber risks and the
appropriateness of the company's defenses and planned responses.

Full appreciation of cyber risk includes understanding how cybersecurity
and physical security may intersect. A company's chief information security
officer and chief security officer should work together, along with other
corporate leaders, to assess risk holistically. The integration of cyber
and physical security will become even more significant with the rapid
growth of the Internet of Things — devices that communicate with each other
and the Internet via wireless connections.

Has management assigned clear roles and responsibilities for identifying,
evaluating, monitoring, and responding to cybersecurity incidents?

Without knowing who is supposed to do what and when, it is unlikely that an
organization will effectively manage a crisis. Board members and management
should organize informal exercises that allow them to analyze policies and
procedures in a range of cyber scenarios in order to clarify roles and
stress-test response and recovery plans.

What are the company's crisis communications plans in the event of a
cyber-attack?

An inept communications response to a data breach can be more damaging to a
company than the breach itself. Company leadership should have a detailed
plan in place about how information will be released in the event of a
cyberattack or attempted attack. Management should also keep in mind that a
one-size-fits-all communications plan may not work for all the parties who
need to be informed in the event of an attack, including regulators,
investigators, customers and shareholders. More tailored — but cohesive and
coordinated — communications plans for each of these audiences may be
needed.

Is your company properly managing third-party vendors?

Third-party vendors present unique risks to an organization. They often
provide portals into a company's technology platforms that attackers may
exploit. Management needs to have procedures and capabilities in place to
assess cyber-risks presented by third-party vendors and service providers.
As companies ask these questions of themselves, they should ensure that
vendors meet their standards.

Are your company and its vendors members of an information sharing and
analysis center, such as the Financial Services Information Sharing and
Analysis Center?

If a hack occurs, management will face questions about the steps the
company took to avoid a breach and respond to it as quickly and effectively
as possible. ISACs and similar organizations provide companies with an
opportunity to gain more awareness of the changing threat environment and
steps that might be taken to reduce risk.

High-profile data breaches, system intrusions and disruptions at several
large businesses are just the most recent in a decades-long series of
attacks by cyber criminals and other actors with hostile intent. Hackers'
efforts are increasing in frequency and sophistication, and cybersecurity
now needs to be on the radar screen of every board member.

Not only does almost every company possess sensitive information, companies
in the aggregate also constitute networks that expose additional
vulnerabilities and proprietary information that must be protected. This
will only happen if management and board members make cybersecurity a
top priority.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
