Corporate governance and data issues

Your cybersecurity strategy

Corporate boards are under pressure to make data security a key priority in an age where it is not whether but when a data security incident will happen. A cybersecurity strategy must be in place to prioritize and protect the organization’s critical data and information systems and to manage the risk of data security incidents.

Your cybersecurity strategy must:
• assign roles and responsibilities to different groups within your organization;
• coordinate and integrate group activities to guard against gaps in security; and
• ensure that these groups are held accountable for their responsibilities.

The cybersecurity strategy must include an evergreen data breach response plan, so that the organization is ready to respond to a data security incident, not merely prepared for one. Your plan must also provide the framework to drive a coordinated and integrated response to a data breach.

Your company’s board of directors is responsible for overseeing the implementation of the organization’s cybersecurity strategy, including its data breach response plan, and should receive regular reporting on the integrity of the organization’s data and information systems and on the related risks.

Questions counsel should be prepared to answer in advising the board:
• What is the corporation’s risk tolerance?
• What sources of cybersecurity risk apply to the organization? Has adequate due diligence been conducted to assess the risk?
• What assets, information and data are at risk?
• Where does accountability for data security reside within the corporation?
• Does the organization have a coordinated and integrated cybersecurity strategy? Have silos been eliminated from the management of the strategy and the data breach response plan? Have people been assigned appropriate ownership and responsibility, and are they held accountable for those responsibilities?
• Are security incidents, and the cost of responding to them, measured?
• Have policies on security, information sensitivity and ethics been documented and communicated within the organization?
• Are security initiatives adequately funded in light of the corporation’s risk tolerance?
• Is there a plan in place to evaluate the ongoing effectiveness of the cyber risk program?
• How will the organization’s security initiatives be disclosed?

Framework for board oversight, accountability and organization coordination (diagram; its labels are reproduced below)
• BOARD: oversight and accountability; receives reporting on planning and response coordination.
• EXECUTIVE TEAM (for example: Chief Executive Officer, Chief Risk Officer, Chief Privacy Officer, General Counsel): oversight/coordination and planning.
• DATA BREACH PLANNING AND RESPONSE COORDINATION: Security/Controls, HR, IT, Privacy.
• Risk: Operational, Reputational, Regulatory, Litigation.
• Reporting & Accountability: Shareholders, Regulatory Authorities, Public/Stakeholders.

Osler, Hoskin & Harcourt LLP | Toronto Montréal Calgary Ottawa Vancouver New York | osler.com
© Copyright 2016 Osler, Hoskin & Harcourt LLP. All rights reserved.