Cyber Risk Governance: Bridging the gap between institutional shareholders, governance, risk, cybersecurity and legal experts
Important Information about a Conference and White Paper
On Thursday morning, March 16, I will deliver a talk called “Getting in the Game of Cyber Risk Governance” at a conference at the High Line Hotel in New York. We’ll also host a panel called “Cybergovernance Standards: Empowering Boards to Engage in Cyber Risk Oversight” that will be moderated by a key advisor, General Don Cook, USAF (ret.). He’s an outside director of USAA Federal Savings Bank, Crane Corporation, and U.S. Security Associates.
Panelists will include George Arnold and Brian Finch. George is currently CEO of Tercio Solutions, and is a former Chairman of ANSI, VP of Policy for ISO, and NIST Director of Standards Coordination. Brian Finch is a partner with Pillsbury Winthrop Shaw Pittman LLP in Washington, D.C. He’s also a member of the Homeland Security Defense and Business Council and an expert on the Department of Homeland Security SAFETY Act.
If you are interested in attending, followers of Cybergovernance Journal receive a 30% discount. I hope to see you there!
White Paper on Cyber Risk Governance
We’ve created a new white paper for the Skytop Strategies conference. Entitled “Cyber Risk Governance: Getting in the Game,” it distills two years of thinking into a single, coherent synopsis of our views on cyber risk and what needs to be done about it. Simply sign up on the Cybernance web site to receive a free PDF of the white paper.
The top concern of business continuity professionals, according to the sixth annual Horizon Scan Report, was cyberattacks: 88 percent of the organizations surveyed indicated that they are “concerned” or “extremely concerned” about the effects of a significant cyber breach. After a decade or so of massive breaches, and despite the development and deployment of innovative security technologies, we seem to have made little progress in mitigating cyber risk.
In early 2015, we at Cybernance began commenting about the accelerating impact of cyber breaches and the roles and responsibilities of those who are forced to address this challenge. Our focus was based on three views not in vogue at the time:
- Cybersecurity is not just a technical problem; it’s a governance problem that needs attention across the entire enterprise.
- Companies and board members face increasing risk from cyberattacks, including potential personal liability for directors.
- Standardized data about internal defenses is critical in organizing efforts to combat cyberterrorism and cybercrime.
Point 1 is now widely held. Point 2 has become more evident, especially given the reduction in Yahoo’s valuation during its acquisition by Verizon. And as the insurance industry works to develop better predictive analytics for cyber risk, Point 3 is coming into focus.
Getting in the game of cyber risk governance to improve our individual and collective cyber resilience means that many stakeholders and groups must own their specific responsibilities:
Boards of Directors
The fiduciary duties of boards include mitigating risk, and that now includes risk of cyber breaches. Astute directors are increasing their cybersecurity expertise and more actively engaging in overseeing growth in cyber resilience.
The C Suite
Executive management can no longer hold IT and security groups solely responsible for cyber readiness. Wise leaders see that cyber risk mitigation must be part of the overall strategic agenda going forward.
General Counsel
Cyber liability has grown in recent years to become a major source of risk for many organizations, and for some it is the single largest risk. Smart general counsel staff realize that addressing cyber risk must be a key priority.
Risk Management
In their role of identifying, assessing, forecasting, and mitigating various forms of risk, intelligent risk managers incorporate cyber risk into their analyses and implement loss control and insurance programs that address cyber concerns.
Internal Audit
As boards actively engage in oversight, internal auditors are implementing internal control systems for managing cyber risk that enable them to assure the Audit Committee that appropriate actions are being taken.
IT and Security
Insightful CIOs and CISOs recognize that cybersecurity is an enterprise-wide risk. They work with key stakeholder groups to foster a culture of security across the organization and create a general sense of ownership and responsibility.