Many boards feel like they are in the slow lane on the fast-paced super-highway of cyber security. In fact, only 11 percent of public company boards reported a high-level understanding of cyber security, according to a survey conducted by the National Association of Corporate Directors.
As a reminder, I recently wrote that we may see some new disclosure regulations that would require boards to disclose the level of cyber security expertise on the board.
I’ve also written about ways for a board to get a handle on cyber risk.
PwC has released a particularly useful report that discusses “cybermetrics” – metrics that are especially useful for boards trying to gauge a company’s level of cyber security and make decisions about it.
Let’s look at some of the interesting insights from that report.
A common misstep boards can make when it comes to cyber security is to focus on an incomplete set of metrics. For example, as the PwC report points out, looking only at systems that protect personally identifiable information (PII) addresses just a fraction of the cyber risk facing many companies today.
The implications of system failures outside of PII, in fact, are so massive in some cases that the matter has been elevated to the Department of Homeland Security for those sectors that are deemed to be “critical infrastructure.”
(My colleague Lauri Floresca discusses network and business interruptions as a cyber risk facing corporations today in more detail here.)
The PwC report starts by urging boards to drive clarity and accountability when it comes to understanding which specific person or department at the company is in charge of anything related to cyber security.
The report also discusses best practices around protocols, including making sure that the information provided to the board is in a user-friendly format.
PwC recommends a holistic approach to cyber security, and says directors should have an understanding of the following baseline metrics:
- The protocols that exist to protect the company’s most valuable and sensitive information;
- The necessary IT upgrades the company is or will be considering;
- The current and desired state of the cyber security program;
- Benchmark data on IT health: budgets and actual security investments; and
- Cyber liability insurance policy coverage.
Cyber liability insurance coverage is becoming a necessity. It can also be a complex road to navigate. As the report points out:
Directors should understand the company’s position on cyberinsurance coverage, and if applicable, what the policy covers (and, more importantly, what it doesn’t cover), levels of coverage, policy limits, and other relevant matters. It can be useful to understand how a company’s policy benchmarks against other companies, particularly in its industry. Cyberinsurance is a nascent and evolving industry, making it more important that companies thoroughly understand their policies.
It may be useful to check out the guidance on the ins and outs of placing cyber liability insurance provided by my Woodruff Sawyer colleague Lauri Floresca; you can read more about this here and here.
Beyond Baseline Metrics
PwC suggests another category of metrics the board might want to ponder beyond the baseline metrics it receives. This set of metrics relates to a company’s business and sector, and includes items like:
- Systems infrastructure;
- Assessments of third-party access to data;
- The state of mobile computing at the company;
- Big data considerations;
- Social media considerations;
- Cloud computing risks; and
- IT security and international travel.
It’s worth noting that while the PwC report focuses mainly on what audit committees can do to manage cyber security, some corporations have asked their already-existing, standing risk committee to handle cyber security issues. Other corporations have formed a specific technology or cyber risk committee to focus solely on this emerging area of risk.
Whatever direction you go, diligent boards are definitely moving into the fast lane when it comes to understanding the cybermetrics that matter. They are also carefully documenting their role when it comes to the oversight of this critical risk.
The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation.