Cyberattacks are becoming increasingly prevalent, and this trend is only set to continue over the coming months and years. A study from Weil, Gotshal & Manges released last month noted that public company directors are responsible for protecting their companies from cybersecurity-related risks.
In the report, titled “What Every Public Company Director Needs to Know,” Paul Ferrillo, a securities and business litigation lawyer for Weil, presented a list of 12 questions public company directors should ask while reviewing and overhauling their companies’ cybersecurity strategies.
In part one, we outlined the first six of these:
- How should the board handle cybersecurity risk examination?
- How often should the board or committee have cybersecurity briefings?
- Should the board onboard cyber experts or rely on current members of senior management?
- How well do the current cybersecurity protections safeguard the company’s most prized cyber assets?
- How can the company learn from past cyber incidents and the effects these had on operations?
- How is the firm prepared to handle a crisis, and what would be the cost if the worst-case scenario came to pass?
The final six are below:
- Does the organization have a specific plan in place to respond to a cyber incident if one were to occur? How will it address the situation with stakeholders and other entities, including customers, vendors, regulators, shareholders, law enforcement and the media? It’s also important to remember that a plan may look solid on paper but fall apart in practice, so testing is critical.
- Are employees provided with cybersecurity training and aware of the gravity of failing to follow protocol? Often, executives are so focused on shoring up their protections against outside threats, such as hackers, that they overlook the need to educate their own people. According to Information Age, research from the Department for Business Innovation and Skills found that 36 percent of this year’s worst security breaches were caused by human error, and 17 percent of participating companies said they were aware their staff had broken data protection regulations over the past year.
- Do the practices of the third-party service providers and vendors the company relies on meet the firm’s own cybersecurity standards – i.e. do these third parties perform a sufficient level of “cyber due diligence”? A partner’s lack of regard for cyber safety can badly damage the organization’s reputation as a whole.
- Speaking of cyber due diligence, how much attention is paid to this aspect during merger and acquisition proceedings? Cybersecurity is a relatively new concept, and it can often be overlooked or not paid the appropriate amount of attention, which could leave firms vulnerable down the line.
- How well would the products and services that the company currently has on the market fare in the event of a cyberattack? Firms should analyze what Ferrillo termed the “cyber-robustness” of these offerings to identify and address weaknesses.
- Has the company considered adopting the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, either in its entirety or just particular portions? As the NIST website explains, the framework is a good foundation for infrastructure owners and operators to manage cybersecurity-related risk.
As Ferrillo noted, “There are plenty of tough questions that directors need to ask of … senior management and senior IT staff. And directors may need their own advisors and professionals to help them fulfill their oversight duties in helping to assess and ask the tough questions.”
That being said, the list presented above and in part one is a solid place to start.
About Caldwell Partners
Caldwell Partners is a leading international provider of executive search and has been for more than 40 years. As one of the world’s most trusted advisors in executive search, the firm has a sterling reputation built on successful searches for boards, chief and senior executives, and selected functional experts. With offices and partners across North America and in London, the firm takes pride in delivering an unmatched level of service and expertise to its clients.