Cybersecurity and the duty of care: a top 10 checklist for board members


Visibility into information security, covering cybersecurity as well as the physical security aspects that support it, is increasingly permeating corporate life.  The relatively new SEC requirements for public disclosure of material cybersecurity incidents are just one example.

As directors prepare to fulfill their duty of care in an informed way, what are the issues that matter today?  The following checklist was created to help outside directors understand the cybersecurity issues that matter to boards today, drawing on panel discussions and conversations with individual directors:


1.  Who’s in charge?  Who is the company’s Chief Privacy Officer and Chief Information Security Officer?  What are the charters and functions of each position, and how do the privacy compliance and information security teams interact?  Is there a check-and-balance on the Chief Information Officer – for instance, are the CISO and CTO one and the same person, or are these responsibilities divided, and does the CISO report to the CIO or have an alternate reporting route (such as to the General Counsel, the CEO or the Audit Committee)?  A CISO whose only reporting line runs through the executive whose projects the security team may need to slow down or stop has a structural conflict of interest that the board should be aware of.

2.  What is the role of board oversight?  Who is the lead director on information security, and is that position informal or formal?  Is at least one outside director sufficiently technically educated to lead board discussions and questions on information security?  Does information security oversight rest with the Audit Committee and, if so, is it part of the Audit Committee’s annual work plan?  Does the Audit Committee in practice actually review information security issues on a regular schedule, or only after an incident?

3.  Who are your likely adversaries?  Who is most likely to want access to the company’s systems?  What level of sophistication, geographic scope and motives (e.g. economic gain/embezzlement, identity theft, trade secret theft, disruption) may these adversaries have?  Has the company matched its defenses to those adversaries, rather than to a generic threat?

4.  Does the company have an incident response plan, and has it been exercised?  What are the protocols for informing customers, suppliers, internal constituencies and regulatory bodies (including SEC reporting) of information security incidents, and who decides when an incident is material?  Has the company identified the relevant internal and external (technical, legal, public relations, forensic) core team members, and are they retained in advance rather than sought out mid-incident?  Has the company established liaisons with law enforcement authorities?

5.  What are the BYOD protocols?  Is the company a bring-your-own-device (BYOD) environment?  If so, what level of safeguards is applied to such devices – for example, device enrollment and management, encryption of company data, the ability to remotely wipe company data when a device is lost or an employee leaves, and separation of corporate data from personal data?

6.  What does the network map of the company look like?  What data is stored on which servers, and who controls each?  Does the company classify its data by sensitivity and segregate storage accordingly, so that the most sensitive data is known, located and protected to a higher standard?  What information security functions are provided by contractors, and what is the level of assurance in the integrity and competence of those contractors?

7.  Has the company assessed the insider threat?  What access and administrative rights exist, who holds them, and are they reviewed periodically and removed when no longer needed?  Does the company have a policy on thumb/USB drives and other removable storage devices, and is their use restricted or scanned?  Does the company monitor internal networks and file servers for inappropriate file access or sharing?

8.  What is the interplay between physical and cyber security?  Does the company actively manage both physical and cyber security, and do the two functions coordinate?  What physical security measures are used to enhance cybersecurity (for example, controlled access to server rooms and network equipment)?  What procedures exist for promptly deactivating terminated employees’ accounts, credentials and physical access, and does anyone verify that the deactivation actually happened?

9.  How does the company interact with suppliers, customers and partners?  To what extent does the company provide products or services “downstream” that, if compromised or misused, would affect the company or its customers?  How is the company assured that third-party solutions, including software, have been assessed for security flaws, and do the contracts include indemnification and notification obligations for flaws and breaches?

10. What insurance does the company carry for cybersecurity?  What are the policy limits and exclusions on that coverage (common exclusions include acts of war and failure to maintain the security controls represented in the application), and does the coverage match the incident costs identified in the response plan?
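Item 8 asks whether terminated employees are actually deactivated, and item 7 asks who still holds administrative rights.  The following is an added example of the kind of reconciliation check the security team can run to answer both questions; it is not part of the original checklist and is not any particular company’s procedure.  It assumes two exports that most organizations can produce: an HR roster with a termination date per user (blank for current staff) and a directory export of accounts with their enabled flag, admin flag and last login.  The CSV data, usernames and dates below are constructed for illustration.

```python
"""Offboarding reconciliation: find accounts that should have been disabled.

Cross-references an HR roster against a directory export and flags:
  * accounts still enabled past their termination date (high severity if the
    account holds admin rights or was used after termination),
  * accounts that are now disabled but show a login after termination,
  * accounts present in the directory with no HR record at all (orphans).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample data (not from any real system).
HR_ROSTER_CSV = """username,termination_date
alice,
bob,2024-03-01
carol,2024-03-10
dave,2024-03-14
erin,2024-02-01
"""

DIRECTORY_CSV = """username,enabled,is_admin,last_login
alice,true,false,2024-03-14
bob,true,true,2024-03-05
carol,true,false,2024-03-02
dave,false,false,2024-03-13
erin,false,false,2024-02-20
frank,true,false,2024-03-01
"""

SEVERITY_RANK = {"high": 0, "medium": 1}


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str
    reason: str


def parse_hr_csv(text: str) -> Dict[str, Optional[date]]:
    """Map username -> termination date (None means still employed)."""
    roster: Dict[str, Optional[date]] = {}
    for line in text.strip().splitlines()[1:]:          # skip header
        user, term = [f.strip() for f in line.split(",")]
        roster[user] = date.fromisoformat(term) if term else None
    return roster


def parse_directory_csv(text: str) -> Dict[str, dict]:
    """Map username -> {enabled, admin, last_login} from the directory export."""
    accounts: Dict[str, dict] = {}
    for line in text.strip().splitlines()[1:]:          # skip header
        user, enabled, admin, last = [f.strip() for f in line.split(",")]
        accounts[user] = {
            "enabled": enabled.lower() == "true",
            "admin": admin.lower() == "true",
            "last_login": date.fromisoformat(last) if last else None,
        }
    return accounts


def reconcile(roster: Dict[str, Optional[date]], accounts: Dict[str, dict],
              today: date, grace_days: int = 1) -> List[Finding]:
    """Return findings sorted by severity, then username.

    grace_days allows the deprovisioning process a short window before an
    enabled account is treated as a failure of the offboarding procedure.
    """
    findings: List[Finding] = []
    for user, acct in accounts.items():
        if user not in roster:
            findings.append(Finding(user, "medium", "account has no HR record (orphan)"))
            continue
        term_date = roster[user]
        if term_date is None:
            continue                                    # current employee
        last = acct["last_login"]
        used_after = last is not None and last > term_date
        days_since = (today - term_date).days
        if acct["enabled"] and days_since > grace_days:
            reason = f"still enabled {days_since} days after termination"
            if acct["admin"]:
                reason += "; holds admin rights"
            if used_after:
                reason += f"; last login {last} is after termination"
            severity = "high" if (acct["admin"] or used_after) else "medium"
            findings.append(Finding(user, severity, reason))
        elif used_after:
            # Disabled now, but the account was used after the person left:
            # worth knowing how long deprovisioning lagged.
            findings.append(Finding(user, "medium",
                                    f"disabled, but last login {last} is after termination"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.username))


def run_example(today: date = date(2024, 3, 15)) -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_hr_csv(HR_ROSTER_CSV), parse_directory_csv(DIRECTORY_CSV), today)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.severity.upper():6} {f.username:8} {f.reason}")
```

On the sample data this reports bob (terminated two weeks ago, still enabled, an administrator, and logged in after his termination date) as high severity, carol as a plain deprovisioning failure, erin as a disabled account that was nonetheless used after termination, and frank as an account nobody in HR can vouch for.  The board-level point is that the answer to item 8 should come from a check like this run on a schedule, not from the existence of a written procedure.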