
Preparing the Board of Directors to Manage Evolving Cybersecurity Risks

By- Institute of Directors | Authored by- Mr. Prashant Dhume


In today's digital world, organisations rely heavily on technology to conduct their business. Adhering to basic cybersecurity hygiene is essential to protect against cyber threats, reduce risk, and keep operations running. Cybersecurity policies, frameworks, and practices are the foundation of a security-resilient organisation. Yet some leaders underestimate the significance of cyber controls, perceiving this hygiene as diverting budget to areas that are not core to the business, or as slowing growth. These misconceptions are far from the truth.

WHAT IS THE EXTENT OF CYBERSECURITY RISKS?

Today organisations face constant cybersecurity threats from malicious actors. Their biggest security risk often comes from people within: threat actors strike through employees with low security awareness.

Social engineering techniques such as phishing (email), smishing (SMS), and vishing (voice) entice a victim to share sensitive information or to download a malicious file that installs malware on their device. An organisation can have the best security tools in place, but a single employee falling for a phishing message can allow a threat actor to infiltrate its systems and hold them for ransom. Threat actors can also attack an organisation's systems through credentials stolen from a third-party system, supply chain attacks, an unpatched remote-access server, systems that have reached end of life, and cloud vulnerabilities.

'You cannot defend against an unknown risk' is an old adage. The board plays a key role in staying ahead of the game and safeguarding the organisation against the evolving cybersecurity threat landscape.

Cyber-attacks can freeze an organisation's systems, lock users out, disrupt operations, expose corporate data and clients' confidential data to hackers, and put that data up for sale on the 'dark web'.

What is the potential impact of Cybersecurity Risk Exposure?

[Infographic from the original article; not reproduced in this text.]

Under SEBI's LODR Regulations, the top 1000 listed companies in India must have a Risk Management Committee (RMC), whose role includes monitoring and reviewing cybersecurity risks and the measures taken to mitigate them.

How can the Board of Directors Prepare to assess Cybersecurity Risks?

While responsibility for cybersecurity is shared across the organisation, accountability rests with executive leadership and the Board of Directors (BoD). The Risk Management Committee (RMC) oversees the company's cybersecurity readiness by addressing the following key questions about its strategy, policies, and practices:

1. Cybersecurity Strategy and Governance: What are the company's cybersecurity strategy and governance structure? How do these ensure accountability?

2. Risk Management and Controls: What are the company's key cybersecurity risks? How are these assessed and mitigated? How are third-party vendors assessed for cybersecurity risk? How effective are the controls?

3. Incident Response, Communication, and Crisis Management: What are the incident response and crisis communication plans in the event of a major cybersecurity incident? How often have these been invoked, and what were the lessons learned?

4. Regulatory and Industry Standards Compliance: Which cybersecurity and data privacy regulations and standards must the company comply with (for example, CERT-In directions and the Digital Personal Data Protection Act)?

5. Technology and Tools: Which technologies are used to protect critical assets? How do these tools detect cyber threats and remediate them? What steps have been taken to secure all endpoints, networks, and devices?

6. Cybersecurity Culture and Education: How often do employees and executives receive cybersecurity training? What actions are taken to embed a cybersecurity culture? What percentage of employees are cyber trained or certified?

7. Board Engagement and Cybersecurity Expertise: Is the BoD briefed regularly on cybersecurity threats and major incidents? Has the BoD been trained on cybersecurity concepts, and does it have access to cybersecurity expertise? Are cyber updates a standing item on board meeting agendas?

8. Systems Resilience and Business Continuity: What are the company's Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in the event of a major cyber incident? What is the strategy for data backup and Disaster Recovery (DR), and how often are backups and DR tested?

9. Cybersecurity Budget and Resources: What is the cybersecurity budget as a percentage of total IT spend? Are the budget and resources adequate for the current threat landscape?

10. Cyber Insurance: Is there a cyber insurance policy? What does it cover and exclude, and how was the coverage determined? What is the financial exposure from cybersecurity incidents? Which cyber risks have been transferred through insurance?

Author


Mr. Prashant Dhume

Former Senior Managing Director, Accenture; Certified Independent Director, specialising in ERM, IT Strategy, Cyber Security, and Managed Services

Owned by: Institute of Directors, India

Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.

About Publisher

Institute of Directors India

Bringing a Silent Revolution through the Boardroom

Institute of Directors (IOD) is an apex national association of Corporate Directors registered under India's Societies Registration Act XXI of 1860. Currently it is associated with over 30,000 senior executives from Government, PSU, and private organisations in India and abroad.
