In the last issue of this column, we discussed the five steps to building board cyber security. Board oversight of the company's cyber posture is now growing regulatory teeth. In the USA, the SEC is about to finalise mandates on cyber security risk management and governance. Periodic disclosures, risk assessment, formal procedures and, most interestingly, disclosure of the board's own cyber expertise and oversight strategies will be required.
This is part of a global trend: regulators are setting firm rules for disclosure of company cyber protections and putting boards squarely in the bull's eye for assuring those protections.
As an example, a few years ago only a handful of the top economies imposed corporate data protection laws. Today, over 160 nations enforce such rules, and most can reach you no matter where you are domiciled. How do you, as a board, protect the company (and yourself as a director) from cyber-tech liabilities? Here are some pointers for boards of directors:
• The board can start by learning exactly what cyber security regulation your company faces from regulators, governance codes and your stock exchanges. Ask information security and legal staff for a summary of these rules: the items regulated, the required protections, oversight and disclosures, and the penalties. You need good legal counsel here, because the regulators, jurisdictions and specific laws your company faces are as unique as a fingerprint, but the board still needs to be aware of them. What are you doing to keep up to date so that you can make informed risk decisions, and how will you achieve this? In the United States, we recommend the New York State Department of Financial Services Cyber Security Resource Centre as a good primer.
A final, and urgent, board cyber question is how well you are personally protected from liability when the hackers break through. Directors and officers (D&O) insurance coverage may or may not keep up with fast-moving cyber liability events. A GB&A insurance brokers' update finds that a growing number of carriers are incorporating carve-outs, especially for data privacy incidents. Vendors are acutely aware of the potential for increased liability. Still, most current claims based on data breakdowns do not establish new liabilities, but instead cover "garden variety D&O claims", according to insurance sources. Ask your D&O broker to give your policies an updated cyber-liability once-over.
Muneer is a Fortune 500 consultant, startup investor and co-founder of the non-profit Medici Institute.
@MuneerMuh
Ralph is a global board advisor, coach and publisher.