PRIORITIZING CYBERSECURITY

Similar documents
FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES

Surviving Contact with Reality Crisis exercises as a key element of cyber incident and crisis management response.

Who s next after TalkTalk?

The Procter & Gamble Company Board of Directors Compensation & Leadership Development Committee Charter

Information Technology

Information Security Services

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Board Governance Principles Amended September 29, 2012 Tyco International Ltd.

How quality assurance reviews can strengthen the strategic value of internal auditing*

Audit Committee Charter

Cybersecurity The role of Internal Audit

Delphi Automotive PLC. Corporate Governance Guidelines

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Audit, Risk Management and Compliance Committee Charter

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Operational Risk Management Program Version 1.0 October 2013

Oceaneering International, Inc. Audit Committee Charter

2015 Report on the Current State of Enterprise Risk Oversight:

QUANTUM MATERIALS CORP. AUDIT COMMITTEE CHARTER

White Paper on Financial Institution Vendor Management

CVS HEALTH CORPORATION A Delaware corporation (the Company ) Audit Committee Charter Amended as of September 24, 2014

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Securing Internet Payments across Europe. Guidelines for Detecting and Preventing Fraud

Sustainability reporting What you should know kpmg.com

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

AMPLIFY SNACK BRANDS, INC. AUDIT COMMITTEE CHARTER. Adopted June 25, 2015

The ADT Corporation. Audit Committee Charter. December 2014

FFIEC Cybersecurity Assessment Tool

IT Risk & Security Specialist Position Description

The primary purposes of the Audit Committee shall be to:

Does Fraud Matter? ASIS Middle East Security Conference and Exhibition Dubai, February 16, Torsten Wolf, CPP Head of Group Security Operations

IMMUNOGEN, INC. CORPORATE GOVERNANCE GUIDELINES OF THE BOARD OF DIRECTORS

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting

The Business Continuity Maturity Continuum

Business Resiliency Business Continuity Management - January 14, 2014

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF LIVE NATION ENTERTAINMENT, INC.

OECD PROJECT ON CYBER RISK INSURANCE

The Procter & Gamble Company Board of Directors Audit Committee Charter

MAXIM INTEGRATED PRODUCTS, INC. CORPORATE GOVERNANCE GUIDELINES. (Adopted by the Board of Directors on April 6, 2007)

Securing the Microsoft Cloud

The PNC Financial Services Group, Inc. Business Continuity Program

PREMIER SERVICES MAXIMIZE PERFORMANCE AND REDUCE RISK

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

Charter of the Audit Committee of the Board of Directors

FACT SHEET: Ransomware and HIPAA

Risk management systems of responsible entities: Further proposals

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Audit Committee Charter

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

ALLEGIANT TRAVEL COMPANY AUDIT COMMITTEE CHARTER

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE

Cybersecurity and Privacy Hot Topics 2015

PIONEER NATURAL RESOURCES COMPANY AUDIT COMMITTEE OF THE BOARD OF DIRECTORS CHARTER

11/12/2013. Role of the Board. Risk Appetite. Strategy, Planning and Performance. Risk Governance Framework. Assembling an effective team

Corporate Governance Code for Banks

Cyber Security for the Private Sector: What Companies and Their Lawyers Need to Know

The PNC Financial Services Group, Inc. Business Continuity Program

Sajan, Inc. and Its Subsidiaries. Audit Committee Charter. As of August 1, 2014

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action

SECURITY RISK MANAGEMENT

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

Enterprise Security Tactical Plan

CIBER, INC. CORPORATE GOVERNANCE PRINCIPLES DOCUMENT

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January kpmg.com

WEATHERFORD INTERNATIONAL plc AUDIT COMMITTEE CHARTER Approved: September 25, 2015

CONDUCTING A RISK ASSESSMENT

How To Manage Risk

SYNACOR, INC. AMENDED AND RESTATED AUDIT COMMITTEE CHARTER. As adopted by the Board of Directors on November 16, 2011

Risk Management Policy

The Role of Internal Audit In Business Continuity Planning

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization

The Role of Internal Audit in Risk Governance

Transcription:

April 2016 PRIORITIZING CYBERSECURITY Five Investor Questions for Portfolio Company Boards

Foreword As the frequency and severity of cyber attacks against global businesses continue to escalate, both companies and their investors are coming to terms with a grim reality: Data breaches, or cyber incidents, are no longer a matter of if but when. Having put to rest rose-colored notions of eliminating this threat, investors are looking to boards for leadership in addressing the risks and mitigating the damage associated with cyber incidents. Cybersecurity is an integral component of a board s role in risk oversight. Directors have the authority, capacity and responsibility to make pivotal contributions in this area by ensuring adequate resources and management expertise are allocated to robust cyber risk management policies and practices, and ensuring disclosure fairly and accurately portrays material cyber risks and incidents. To achieve these objectives, directors need not develop advanced technical expertise. Nor do directors need to support unrestrained capital spending on any project with a cyber prefix. Directors need to: understand management s cybersecurity strategy; learn where cybersecurity weaknesses lie, and; support informed, reasonable investment in the protection of critical data and assets. This publication is intended to help investors communicate one central message: Effective cybersecurity risk management starts with the board. Users should expect companies of various sizes, industries and cyber risk profiles to bring different strategies, in varied stages of implementation, in response to this massive and growing challenge. 2

Five Investor Questions for Portfolio Company Boards How are the company s cyber risks communicated to the board, by whom, and with what frequency? Ensuring that directors are well informed on the company s unique cyber risks is the first, and perhaps most important, step boards can take toward effectively managing this challenge. Although solutions vary, investors should be encouraged by answers that cite regular, not intermittent, board updates. Not all boards retain outside help for keeping the board fully informed on cybersecurity. In cases where boards rely exclusively on internal resources, investors should feel free to ask about the reason for that approach, carefully consider responses and share their views. Has the board evaluated and approved the company s cybersecurity strategy? Boards should evaluate and approve a strategy affirming the company s commitment to minimizing the likelihood that a cyber incident would have a material impact on the business. The strategy should prioritize protecting the organization s most critical data and assets, including data that would result in operational, financial, reputational and legal harm if stolen or damaged during a cyber attack. The strategy should involve not only preventative controls, but also detective and corrective controls. It also should protect sensitive information on how those controls are carried out. Investors should take particular note of whether this strategy: reaches as far as the company s third-party business partners, vendors and supply chain, where data security is often most vulnerable; recognizes board authority to hire and fire a third party to assess the company s cyber risk management efforts; includes thorough incident management procedures; clarifies circumstances under which management must inform the board of a cyber incident; grants the company s cybersecurity team the authority to nimbly adapt to rapidly evolving and unforeseen cyber threats; and includes periodic consideration of whether cyber insurance is a viable, costeffective risk transfer mechanism. Investors should expect boards to be familiar with management s incident response plan. For example, is the board confident that management has the right relationships with third-party experts who may need to be tapped to assist with an incident? Similarly, 3

has the board been briefed on the frequency, and results of, any incident simulation drills conducted by management? Is the board confident that management has a strong communications plan at the ready for when a material cyber incident occurs? How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs? Cyber risk management is an enterprise-wide challenge that cuts across many sides of an organization and many fields of discipline. Investors should look for indications from directors that the company is organized to accommodate this reality. At the management level, companies commonly create cybersecurity working groups involving key executives (e.g. CEO, general counsel, chief financial officer, chief technology officer, chief information officer, and chief information security officer) to set the tactical agenda for identifying and responding to cyber risks. In addition to the organizational structure, investors should expect that directors have reviewed the backgrounds and qualifications of the management members who are accountable for the company s cybersecurity program. Ultimately, boards should understand where management-level responsibility and authority have been granted or delegated. Investors should look for a clear delineation of board-level oversight responsibilities in the company s board committee charters and proxy statement risk oversight disclosures. How does the board evaluate the effectiveness of the company s cybersecurity efforts? Investors should feel comfortable with boards using their discretion to select cybersecurity performance measures that suit the company s size, industry and cyber risk profile. Investors should look for companies to employ multiple performance criteria spread among broad categories such as: rudimentary metrics measuring the quantity and/or scale of vulnerabilities, attacks and/or incidents detected and/or resolved efficiency metrics measuring the resources expended to detect and/or resolve vulnerabilities, attacks or incidents against an estimate of the damage and/or disruption potentially averted compliance metrics achieving and maintaining compliance with recognized best practices and/or regulatory requirements Benchmarking against peers may be helpful in measuring cybersecurity performance. Significant disparity with peers may signal that the company s existing strategy is illsuited to its size or industry, is not being carried out effectively by management or personnel or involves security controls and/or technology that have not been deployed or configured properly. Investors should be encouraged if boards indicate they are 4

gathering quantitative and qualitative information on how well the company is performing on cybersecurity relative to similar firms, including competitors. When did the board last discuss whether the company s disclosure of cyber risk and cyber incidents is consistent with SEC guidance? Investors should welcome indications from directors, and particularly audit committee members, that they are aware of investors desire for fair and accurate reporting on material cyber risks and material cyber incidents. SEC guidance calls on companies to disclose these risks and incidents, but provides no bright-line test to clarify when disclosure is mandatory. Therefore, it is important for investors to share with boards any concerns they have with narrow interpretations of what constitutes material cyber risk or conservative approaches to estimating the costs of cyber incidents. Investors will have greater confidence that the company is not withholding information if it proactively communicates the process by which it assesses damage caused by a cyber incident and the methodology it uses to account for cyber incidents affecting data and assets. Communicating such a process will not reveal sensitive information about a company s cybersecurity efforts. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information