“Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks,” U.S. Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar has stated.
He warned that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril… Moreover, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.”
This is the new reality for every board member and executive across the country.
Cyber risk management must encompass all enterprise data. Securing digital information demands proper oversight and requires organizations to make a cultural pivot from reacting to imminent threats to proactively planning for them.
This ought to begin from the boardroom itself.
Today’s board members are on the move. As they travel to serve on multiple boards and find themselves scattered between cities on business, board packets and sensitive communications are being sent to directors, often in an insecure manner.
Alarmingly, this includes an array of varying personal and professional email accounts and free file-sharing services not managed by the information technology (IT) department of the credit union they serve.
These generic communication tools have bolstered productivity, yet they have undeniably increased security risks due to this lack of adequate oversight.
The breach of boardroom security is one of a credit union’s greatest threats, and involves its most sensitive data. The CEO, chairman, and the full board are the first to receive the most valuable information assets relating to the credit union: its strategic goals, financial position, and operational plans.
This information invariably includes commercially sensitive details, creating heightened threat levels. All organizations, public or private, need to be secure and managed diligently.
Yet, the composition of the board—especially those with nonexecutive directors—may be extremely diverse, with members in different locations and time zones.
This necessitates the use of technology to facilitate the dissemination of information and to support the speed of decision-making necessary to do business today, which consequently leads to significant data vulnerability.
Having a significant volume of communications occurring outside the organization’s IT firewall demands special efforts be made to reduce cyber risk.
Malicious activity can come from outside or inside any organization, each requiring a different set of precautions and protocols.
Directors are often travelling or working away from the office. By using both personal and corporate laptops, tablets and smartphones, and sometimes consumer file-sharing sites, they link these devices together, increasing their interdependence exponentially.
Social engineering, in which hackers manipulate people to gain access to systems, is one of the main risks that companies face. Directors need to be educated about this.
At the same time, the speed of decision making in the boardroom requires directors to work at all hours in all manner of locations—for example, a CEO reviewing a strategic document can ask for a last-minute change just before the board materials are distributed.
Consequently, both the management team and corporate secretary need technology to make the relevant changes and then to distribute the board packet in real-time.
This scenario is replicated for all documents in the board packet for every board meeting. Flexible yet secure distribution channels are of paramount importance.
How to manage these risks?
Managing cyber risk means putting in place the right governance and supporting processes with the right enabling technology.
Leaders must allocate resources to deal with cyber security, and actively manage governance and decision-making regarding cyber security.
Key to achieving cyber risk management, within the enterprise and at the board level, is building an informed and knowledgeable organizational culture.
This is often about changing the culture so directors are alert to risks and are proactive in raising concerns.
Given the immeasurable value of a credit union’s information assets and the severe implication of any loss to the core business, cyber security policies need to prioritize investments into critical asset protection rather than just the latest technology or system to detect every niche threat.
Furthermore, protecting a credit union’s technological and information assets from malicious damage and inappropriate use requires intelligent constraints on how directors, board support staff, and external parties access corporate applications and data.
Insufficient safeguards will result in the loss of critical data. But overly stringent controls can get in the way of doing business or have other adverse effects on productivity, director engagement, and collaboration.
A business-driven cyber security model that can provide resiliency to increasingly flexible, open enterprises—even in the face of highly capable and malevolent actors—should be the aim of executive management and directors.
The risks of cyber crime are different for individual credit unions, and each needs to adopt a customized approach to cyber security based on its own character, risk appetite, and knowledge.
The objective should be to identify the assets that need protection and to focus on measures to prevent criminals from gaining easy access to information and data.
In protecting commercially sensitive information, there is a need to balance the speedy dissemination of board materials with the need to make informed decisions.
Keeping this in mind, the key elements of a cyber security plan should include:
1. A comprehensive focus on security architectures ranging from devices and locations to roles and data;
2. The ability to authenticate the identity of users, devices, and documents; and
3. The ability to limit the number of people who have access to critical production systems and data.
Management and boards cannot move slowly to secure their data. To ensure compliance and the fidelity of their information, they must seek out proactive solutions: services that offer data security, encryption, data integrity, and strong user authentication.
Organizations need to make this a broad management initiative with a mandate from executive leadership to protect critical information assets without placing constraints on business innovation and growth.