As data breaches become more common, companies and organizations are adopting the mindset that it is no longer “if,” but “when” a security breach will occur. These incidents are both expensive and detrimental to a company or organization. A 2015 IBM study put the average consolidated total cost of a data breach at $3.8 million, a 23 percent increase over the previous two years.
As your board secures and guides the future of your company or organization, board leaders need to take an active role in cybersecurity. It is the board’s fiduciary duty to make sure your cyber assets are managed and protected.
Education: No longer just an IT matter
First and foremost, your board needs to have a clear understanding of cybersecurity risks as they relate to your company or organization. This is more than an IT issue. The board should have full knowledge of your risk profile and the legal implications of your company’s specific circumstances in the event of a breach. Board members should stay informed about evolving cyber threats and developments. The management of your cyber risk should become a regular topic on board meeting agendas.
Through senior teams and board committees, the board should take the lead in reducing the risk of a data breach or cyber attack. Management needs to understand the board’s expectations for a system-wide or company-wide plan. It should become part of the culture, and the effort must be supported by the board through adequate staffing and appropriate budgetary resources. Policies and internal controls must be in place, and incident response plans should be practiced. Employees must hear about your cybersecurity initiatives and the roles they will have in supporting them.
While risks can originate from external sources, a majority of data security threats are internal and are not always intentional. Do not overlook the potential for physical breaches through mobile devices, laptops, reception areas, and the security entrances of your physical plant. Employees, third parties, vendors, and outsourced service areas may offer access to company networks, employee or customer data, and other sensitive information. A comprehensive vendor management program should include a requirement to conduct due diligence on potential business associates, both before and during the contract term. This can provide leadership with insights into potential vendor risks. Agreements with third-party vendors should include specific requirements related to information security and data retention measures.
Covering Your Risk
Cyber insurance coverage is complex and constantly evolving. Boards must understand that any company or organization relying on technology is vulnerable, but a robust policy can help you fare better in the event of an attack or security failure. Coverage needs will depend on your company or organization’s level of risk. It is crucial that boards understand what is covered by their policy. One advantage of having cyber insurance is that the policy may require implementation of rigorous compliance procedures, better corporate cyber risk policies, and stringent preventive measures.
Your board should be well aware that data breaches have led, and may lead, to lawsuits. Legal counsel should be advising the organization on compliance and risk management operations. In the event of a failure or breach, legal counsel should be on call. Hiring outside counsel can prove beneficial, as the law firm can assist in retaining the information security, computer forensics, public relations, and crisis management firms needed to address, analyze, and recover from the attack. Utilizing legal counsel for data security is important because legal communications between your company and its attorneys are subject to attorney-client privilege, meaning they are generally protected from the discovery process and do not need to be turned over during an investigation or a lawsuit.
Reputation Risk Starts in the Board Room
Information security has become one of the most challenging issues facing companies and organizations. A data failure or security breach can lead to litigation and a loss of business.
A company or organization’s reputation is valuable, possibly more valuable than its tangible assets. Your board can make a difference by being proactive and making security an essential part of corporate governance.