Cyber resilience for non-executives: new guidance published
Rowena Ironside's advice on how to approach this key risk
The boardroom is where the buck stops for risks of all types, from health and safety and disaster recovery to financial and regulatory compliance. These risks are familiar to executives and change relatively slowly over time.
Cyber risk, however, is a new threat. It is evolving rapidly and exposes organisations to threat actors from across the world, from nation states to long-established criminal enterprises.
Because the risk of sophisticated cyber-attacks has arisen so recently, most board members have no hands-on experience of managing it from their executive careers. They have therefore never developed the antennae needed to ask the right questions, and to sense whether the executive in charge knows what they are talking about.
How should you think about this risk as an NED, trustee or governor? Rowena Ironside, Chair of WOB UK and a tech industry veteran, proposes the following five questions as a starting point:
1. Does every member of the board know what the organisation’s ‘crown jewels’ are? These are the assets which, if compromised, could put the future of the organisation at risk. They might be intellectual property, customer data or a physical asset like a production facility. Hint: Your budget for cyber resilience should reflect the importance of these assets to the long-term survival of the organisation, along with your risk appetite.
2. Does the main board have good visibility on cyber risk management? Even if the detailed oversight of risk management is delegated to a board committee, the full board needs to be discussing this issue once or twice a year.
3. Does the organisation practise its incident response procedures at least once a year, and have you as a non-executive participated in these cyber-breach exercises? The board will often be on the front line managing press, shareholder and other stakeholder relationships if a serious breach occurs.
4. Do you know what cover your insurance policies provide for cyber breaches? Both for the organisation and for the directors and officers? This is a developing area of insurance and you should not assume anything, so ask some questions now.
5. Does the threat analysis for your organisation extend to the supply chain? As well as mapping all your internal digital assets, you need to understand that your cyber perimeter extends to suppliers and subcontractors; and that breaches can originate in software suppliers and air conditioners as well as via more direct and obvious routes.
In the UK, the National Cyber Security Centre publishes a range of resources to help executives and boards keep up with the evolving challenge of cyber resilience. It has just released its latest guidance, the Board Toolkit.
My final tip - if you want to understand how you personally can be the source of a cyber breach read the excellent short story “Whaling for beginners”