We are thrilled to be able to share this guest post by our colleague, Ann Ladd. Thanks, Ann for this great post!
A continuing series highlighting developments in privacy and security.
We predict that 2015 will see even more:
- Headline-making cyber breaches in multiple industries
- Class action lawsuits for data losses
- Activist shareholders calling for removal of directors who failed to anticipate the risks
- SEC announcements
- Evolving legal and regulatory standards in the U.S. and abroad
- Enforcement actions by the FTC and States’ Attorneys General
- Consumer demand
- Demand from supply chain partners
Given the increasing frequency of cybersecurity incidents, and the growing impact of those incidents on business, a board of directors’ oversight activities should include ensuring the adequacy of a company’s cybersecurity measures. The issues are complicated, and there are no simple solutions. But there are things Boards and management can do to begin to quantify and mitigate the risks.
ACTIONS TO TAKE NOW
- Adopt a framework for weighing risks and developing plans. Consider using the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. While not a requirement or mandate, it may become the standard against which legal and regulatory reviews are measured.
- Assign roles. Appoint a board member or committee with responsibility to oversee cybersecurity. Convene leaders from IT, HR, Legal, Operations and other relevant areas to discuss risks and mitigation strategies. Assign clear lines of communication and authority to deal with a cybersecurity emergency or breach.
- Educate yourselves. Understand the legal, regulatory, contractual and other data protection and cybersecurity requirements applicable to the business and industry. Understand the contingencies and risks. Get regular reports from your CIO, security personnel and appropriate Board committees on preventative measures and on the occurrence and handling of any security incidents.
- Commit adequate resources. Based on the risks and requirements of your specific business, understand who is handling cybersecurity on a day to day basis. Assess whether your resources are adequate.
- Evaluate and improve vendor management. If third parties have access to protected data, or provide critical infrastructure for your operations, ask whether their people, processes and technologies measure up against your standards. Do you have contractual and other protections in place? Are you auditing to maintain ongoing compliance? Are your vendors required to notify you if they experience a breach that impacts your data? If the answer is no to any of these, make plans for improvement.
- Provide training. A good data protection and cybersecurity program includes employee training and awareness. It cannot be ‘one and done’- it needs to be regular and ongoing.
- Consider insurance. Cyber insurance is readily available and may help mitigate some risks.
- Repeat! Cybersecurity issues are here to stay. Addressing cybersecurity is not just an IT issue, it is a core business risk that Boards and executive leadership needs to understand and oversee.