Benefits for the board of conducting a cybersecurity audit: the question for directors is not whether to become involved in cybersecurity risk management but how to appropriately oversee their company's initiatives. Gain confidence by doing a cyber 'tabletop exercise.'

Author: Oelrich, Patricia A.
Position: DUTIES OF DIRECTORS

Boards everywhere are asking what they should be doing about cybersecurity. Ensuring the adequacy of a company's cybersecurity program is a critical part of a director's risk oversight responsibilities, yet most board members are not as familiar with the components of a cybersecurity program as they are with operational and financial issues.

Driving awareness of cybersecurity and physical security threats and linking them to risk, governance and compliance is critical to providing the directors the information necessary to fulfill those duties. The vulnerabilities that threat actors can exploit are being attacked in an increasingly sophisticated manner and represent a significant strategic threat to the security of our nation, its economy and the welfare of its businesses. The specifics are constantly changing, so the board should be alerted to how a company keeps up with the changes.

Board members can't be expected to understand all the technical nuances of cyber and physical security, just like any other part of the business operations, but they should know the basics: what the vulnerabilities are, what measures are in place to minimize the potential for a breach or attack, and what response and recovery plans are in place should an attack be successfully executed. As most cybersecurity experts continually reinforce, a cybersecurity breach is not a matter of "if" but "when."

Assessing the risks

While complete assurance can never be provided in this arena, companies should take all reasonable and appropriate steps to safeguard the enterprise, its customers and its stakeholders. Each company should have a cybersecurity plan that protects its infrastructure and data. The first important step is to understand which critical assets need to be protected. Most organizations have limited resiliency and cannot protect all assets 100 percent. Boards should ask: How has the company determined what its most critical assets are? Then they need to ask what risk profile the organization needs to have while operating in cyberspace, and how it mitigates those risks. Look at it from a business project perspective: ask what the company's key projects are, and focus spending on the areas that are most important to the organization.

Pepco Holdings Inc. (PHI), an electric utility holding company, faces daily intentional and unintentional cyber, physical and human threats to our critical infrastructure. To address these threats, our...
