Cybersecurity Is the Board's Business

Protecting against cybercrime has become a critical responsibility of the board (Photograph by bjdlzx/Getty Images)

Cyber attacks cost the U.S. economy an estimated $100 billion annually, according to a study by the Center for Strategic & International Studies, a public policy research institution. Beyond the cost of the actual attack, the damage to corporate reputations is impossible to calculate.

Computer security is no longer a mere technical challenge; it is a strategic business issue. Protecting against cybercrime has become a critical responsibility of the board, alongside succession planning and setting strategic direction. There is a fiduciary duty to protect a company’s assets, particularly those that are digital, and regulators have made clear they expect corporations to address cybersecurity.

All companies are vulnerable and need to be prepared for a cyber attack. Think “when,” not “if” a breach will occur. But being prepared for a cyber attack is only half the battle. Start by ensuring that someone on the board, or someone who reports to the board, is cybersecurity savvy. Here is a checklist of what your board should do before a breach occurs:

Conduct a thorough assessment of the organization’s current information security capabilities and identify internal vulnerabilities and external threats.

Review security and privacy budgets, company security policies, and roles and responsibilities of all relevant leadership.

Ensure that the company has a strategic vision and a road map that proactively protects assets and keeps pace with escalating threats and evolving regulatory requirements.

Develop a comprehensive incident response plan, with full visibility and sponsorship from senior management, that is rehearsed and stress-tested.

Confirm that the organization has the credible leadership and talent to develop, communicate, and implement an enterprisewide plan to manage cyber risk.

Implement a strong communication and education program to raise awareness and create an environment in which all employees embrace responsibility for cybersecurity.

Companies and their boards that approach cybersecurity as an enterprise risk, invest in the right capabilities, and foster a cybersecurity culture will be better prepared to protect precious assets and stem any damage that may occur when the inevitable strikes.
