Cybersecurity board basics: prep, watch, react & report.

Author: Katz, David A.

Recent global cyberattacks have rudely reminded corporate America that cybersecurity risk management must be at the top of the board of directors' corporate governance agenda. Companies have no choice but to prepare proactively, while directors must understand the nature of cybersecurity risk and prioritize its oversight.

Preparation, monitoring, emergency response and disclosure are topics that boards should consider regularly to properly oversee cyber risk management.


Preparation should include a detailed emergency response plan. Ideally, this plan should be updated frequently and periodically tested with cyberattack simulations to ensure that both technology and personnel are adequate to the task. Key employees should understand their precise roles, and management should clearly establish the company's priorities in responding to an attack. A shared understanding of goals and values will help to guide employees and outside consultants as they make real-time decisions in the midst of developing situations. Pre-incident retention of response resources such as technology experts, lawyers, and public relations consultants is an important step toward streamlining crisis response.

Increasingly sophisticated cyberattacks are, unfortunately, a fact of life in today's business environment. The challenge for directors is to oversee management's efforts to address risk and to do their best to ensure that the company is prepared to weather a cyberattack. Cybersecurity consulting firms can be helpful in developing, updating, and stress-testing corporate response plans. In certain industries, a board may wish to have a director who is knowledgeable about cybersecurity, or to create a separate technology committee whose responsibilities include risk oversight.

Directors should be aware that cyberattacks are increasingly malicious and dangerous as national security issues become ever more entwined with the functioning of American commerce. Boards should ensure that company insurance policies are adequate to cover previously unknown cyber threats, as well as extortion and even physical harm to employees.


State-of-the-art defenses, monitored continuously and updated frequently, possibly with ongoing assistance from outside technological consultants, are essential. Employees at all levels should be trained to follow cybersecurity best practices and protocols in order to recognize threats in the early stages. Prompt recognition and action can forestall...