Board Responsibilities for Cybersecurity

February 24, 2016

Cyber risk has taken its place next to credit risk, liquidity risk and operational risk as a pressing threat to a company’s health. Board governance is becoming a focus in shareholder lawsuits, and disclosure obligations have made their way to the board level. The board needs to set the tone for enhancing cybersecurity.

Various committees, including the risk, executive, operating, or audit committee, can be given oversight responsibilities. A cybersecurity subcommittee of the audit committee can assist in overseeing management’s activities by reviewing a continuously upgraded and comprehensive cybersecurity plan.

A good cybersecurity plan takes into account both inside and outside attacks. Planning starts with a thorough assessment of the hardware, software and processes of the entire system. Analyze IT resources, intellectual property concerns, data architecture, physical perimeter security and concerns specific to the company’s industry, and map out the company’s particular threat landscape. Consider questions such as: What assets might be especially valuable or vulnerable? What regulatory issues are involved? What security measures are in place? Have employees been trained in data security fundamentals? Is there a viable plan should a breach occur?

Cybersecurity should be reviewed by the board at least quarterly, and board members should be expected to attend each meeting. They should be able to invite members of management, technology personnel, auditors and others to attend and provide information. Members, as necessary, should hold executive sessions and private meetings with the company’s IT professionals.
