January 1, 2019
The Emerging Role of Board Cybersecurity Risk Management
Written by: Marion Lewis
Cyber crimes and data breaches are daily occurrences on media outlets worldwide. The ever-increasing army of hackers breaking through firewalls, selling credit card information, and offering up sensitive documents is, unfortunately, becoming the norm. “Boards increasingly understand that cybercrime is a risk management issue that affects the entire organization and requires board oversight,” says Spencer Stuart. In the current climate of cybercrime, board cybersecurity risk management is becoming an increasingly important part of crisis planning.
Recognizing the Reality of Board Cybersecurity Risk
The first step for mitigating board cybersecurity risks is recognizing that the threat is real. Perpetrators will continue to evolve and target companies for the monetization of personal data and information. “A breach can have dire consequences for companies, including regulatory investigations, loss of intellectual property and financial risk from fraudulent transactions,” warns Spencer Stuart. “The risk might be to a company’s stature in the eyes of its customers and investors.” For these reasons, board cybersecurity and preventative measures have propelled themselves onto the boardroom agenda.
Fortunately, the board can take many steps to mitigate board cybersecurity risk.
- Accept Responsibility: Boards can accept responsibility for board cybersecurity by delegating duties and oversight to a standing committee or appointing a Chief Information Security Officer. “Boards should be able to equip themselves with the knowledge necessary to have meaningful exchanges with CISOs to discuss the practical pros and cons of various remedies, including how various options can affect internal governance, employee productivity, and document retention among other dimensions,” explains Forbes. Boards must also recognize that board cybersecurity is not just an IT issue, and incorporate an enterprise-wide initiative covering board members, executives, and all employees.
- Set Expectations: Once board cybersecurity is recognized as an organizational threat, boards should make sure their directors set a company-wide risk management framework that outlines budget, crisis management, executive oversight, and employee practices. Harvard Business Review also suggests incorporating security screenings and discussions involving new products or services. “Incorporating security in the early stages of product development results in safer, more secure offerings and can spare companies the expense, hassle, and potential public embarrassment that accompanies retrofitting security.” The board should also ensure that they are briefed on all board cybersecurity reports, including vulnerabilities at board meetings.
- Assess The Organization’s Cybersecurity Risk: Each organization is different when it comes to recognizing board cybersecurity risk, but board cybersecurity risk often encompasses a legal component regarding state and federal laws. The board should also identify the organization’s most valuable assets and determine the risk if this information or data is lost.
- Evaluate Current Cybersecurity Practices: Board cybersecurity practices should be regularly evaluated for effectiveness, and re-evaluated after recent changes. Organizations can also bring in a third party to evaluate board cybersecurity practices and assess whether the company is prepared for a potential breach.
- Plan and Rehearse: Board cybersecurity breaches fall under the category of crisis management. Therefore, board directors and committee members should be aware of their roles in the event of a board cybersecurity attack. Rehearsing the plan allows organizations to uncover weaknesses in the plan and take a proactive approach to board cybersecurity threats.
When the Board Becomes the Target
While boards can prepare every level of their enterprise for the inherent risks of board cybersecurity, directors and executives also need to understand that they themselves are a prime target for board cybersecurity attacks. “The real irony in all of this is that it’s often the communications within the boardroom and within the C-suite themselves where the most sensitive corporate issues are being discussed,” says Forbes. “These are where the payoff for cyber penetration is highest. It’s, therefore, no surprise these are the prime targets for hackers.”
Forbes goes on to explain that directors and executives are the highest value target due to their stature in the organization regarding decision-making and closely held information that is only internally communicated. They are also prime victims because they often communicate about specific methods an organization is employing to fix hardware and software vulnerabilities. “If the hackers are able to determine the exact solutions being applied by say, the chief information security officer, not only does vulnerability remain but the firm has now unwillingly provided information about its internal decision-making process on how it is handling cyber security,” warns Forbes. “This is the grand prize for hackers.”
Board members and executives can implement practices and board portal technology to help mitigate the risk of board cybersecurity threats. Email is a constant threat for boards because it is so easily compromised. Boards and C-suite executives should refrain from sharing sensitive information, documents, and correspondence via email. “…Why not move away from sending board members sensitive materials to their personal email account?” asks Michael Yeager, a thought leader on board cybersecurity. “There are more secure ways to share documents.”
Board portals are the technology that all boards should utilize to enhance board cybersecurity practices without sacrificing security for convenience. All documents and data are stored in a highly encrypted, cloud-based platform. Redundant managed firewalls, SSAE-18 certification, and backup sites in disaster-neutral areas ensure that information is protected. Data, including discussions, voting, and reporting, is encrypted in transit and at rest for your peace of mind. In addition, our tamper-proof eSign function incorporates military-grade digital signature technology that creates a legal audit trail and immediately invalidates a contract or document if any changes are detected.
Yeager also suggests requiring multi-factor login credentials for secure board management software. “Consider the use of multi-factor authentication to log in remotely to a network. For example, setting up a system so that an employee cannot log in with just a password, but must also use a random number provided on a token or app or in a text.” Cybersecurity and encryption are critical defenses for boards, so make sure to incorporate two-factor authentication (2FA) on your board portal. 2FA helps protect against phishing, social engineering, and password brute-force attacks, and secures logins against attackers exploiting weak or stolen credentials.
Your board management software should also support enterprise-wide risk management through granular internal permissions. Permissions should be available almost everywhere, including agenda items, document folders, polls, voting, and financials. Remote wiping capabilities mitigate board cybersecurity risks if a device is lost, stolen, or compromised.
It is essential that boards recognize their role in board cybersecurity for their organization and work to prevent catastrophic data breaches. Boards should also utilize board portal software to securely house and encrypt documents, data, and communication to keep sensitive information out of the hands of board cybersecurity perpetrators.
Are you interested in learning more about how Govenda, an award-winning board portal platform, can help mitigate your board cybersecurity risk? Let’s start a conversation today!