As anyone sitting on a public company board these days knows, overseeing cybersecurity risk has been at or near the top of the agenda for some time. “Most would consider cybersecurity as table stakes to run an organization these days,” says Colleen Birdnow Brown, who sits on numerous public company boards, serving as chair of the Innovation and Technology Committee for True Blue; chair of the Audit Committee for Spark Networks; and Audit Committee member at Big5 Sporting Goods. Every company can, and some would argue will, be hacked. “If you don’t have top cybersecurity, you will be hit harder and therefore suffer competitively,” she says.
Brown will be speaking at the Cyber Risk Forum on Feb. 24th in San Francisco. She will sit on the panel, “How Resilient Is Your Company? 4 Steps to Bolster Your Business Continuity Plan” with Shawn Edwards, Chief Security Officer for RSA. We spoke with Brown about the board’s role in business continuity and the kinds of information they should be getting from CEOs on cybersecurity plans.
If cyberattacks are now ubiquitous—a matter of when, not if—how would it help to have a business continuity plan that covers a cyberattack, and what might that look like in practice?
I think continuity is different from disaster recovery during a cyber breach. Continuity is generally focused on all revenue-generating areas, while disaster recovery is looking at the implications of an incident on the company’s technology, infrastructure and reputation. A plan for managing through an event, recovering business functions and regular testing are key components of what this would look like.
How has SEC guidance changed regarding business continuity and what does this mean for boards?
The SEC has identified that cyber risk is not a passing trend, but an increasingly embedded risk that is here to stay! The SEC’s view of the board’s role in this area continues to evolve, but it is clear they have put boards on notice that they are expected to dig in, demand greater visibility and be held accountable for oversight. There has yet to emerge a commonly accepted approach expected by the SEC.
For many directors, the language of cybersecurity is a foreign one—how much do they really have to know to be able to fulfill their oversight role?
You have to know if your CEO understands and takes the leadership role in cybersecurity, as shown in the tone at the top, effective disclosures and control escalation. Avoid a false sense of confidence. Demand that policies and procedures be tested; know what kind of data we are keeping and where it is stored. Do we have cyber insurance? What does it cover specifically? Formalize and document governance practices, engage experts, monitor periodic testing and reporting. The expectation of the board should be thoughtful and rigorous supervision of cybersecurity planning and incident response.