Corporate directors recognize cybersecurity as a major threat to their companies, but a recent survey suggests that they may not be emphasizing training and other measures that could improve their ability to mitigate cyber risks.
The Risk Assistance Network and Exchange (RANE) and the Nasdaq Center for Board Excellence recently surveyed boards and executive team members of publicly traded companies and nonprofit organizations about their cybersecurity awareness. According to the survey, ransomware attacks were the top concern of respondents. Cyber breaches that resulted in stolen information were also high on the list of concerns, as were social engineering (including phishing and business email compromise) and cyber breaches that resulted in the destruction or manipulation of data.
Unfortunately, the survey found that even with all these concerns, only 59 percent of respondents said that cybersecurity training was offered to their board. Additionally, 25 percent of those surveyed said their board does not have a methodology for quantifying cybersecurity risk. And although a majority of respondents said their organization carries cyber liability insurance, only 9 percent said their policy ensures full resilience against business interruptions. These findings suggest that some corporate boards may not be handling cybersecurity in the best possible way.
Boards Could Use More Cybersecurity Training
Since most directors agree that cybersecurity threats are constantly evolving, it’s encouraging that a majority of respondents who said their board had not yet received cybersecurity training were in favor of it. It’s much more difficult to guard against cyber threats without the latest knowledge about what to look out for.
Updating cybersecurity training is particularly important now that many companies are asking workers to return to the workplace after the Covid-19 shutdowns, and employees are asking those companies to keep work-from-home options. Boards will need to develop strategies to better educate themselves and their workforce about cybersecurity risks that could cripple operations.
Furthermore, most companies should consider conducting an annual cybersecurity risk assessment that checks for potential vulnerabilities in a company’s IT systems and outlines procedures that will be followed in case a data breach or ransomware attack occurs. Disclosing that the company has taken such steps to mitigate damages from a cyber attack will help it avoid higher fines or legal judgements in the case of a cybersecurity lapse.
Companies should expect greater scrutiny regarding cybersecurity risk disclosures since the commission is recommending tighter mandatory cybersecurity requirements for financial services companies and members of Congress are lobbying for tougher breach notification requirements for companies in “critical industries.” Boards will need to pay extra attention to cyber vulnerabilities because efforts will be made to hold them responsible for any damages to the company or its shareholders should a cybersecurity event occur.
Upgrade Technology and Insurance Coverage
After completing a cybersecurity risk assessment, companies should document how any vulnerabilities that were uncovered were addressed. Appropriate resources should be spent on software upgrades that enhance IT security.
Companies should review their cyber liability insurance and increase their coverage where appropriate, adding provisions to cover business interruptions and customer claims. Also make sure to review the company’s Directors & Officers insurance policies for cyber exclusions. If your current D&O policy excludes certain cyber-related damages and claims, make sure you beef up your cyber liability insurance to cover those areas as best you can.