LinkedIn Facebook Twitter Email

5 ways the board of directors can reduce cybersecurity risk

5 ways the board of directors can reduce cybersecurity risk

As the COVID-19 pandemic wears on across the globe, many businesses are also fighting another pandemic: ransomware attacks. Since March 2020, ransomware attacks have risen by nearly 500 percent, and the payments associated with those attacks are on the rise, too. Sadly, this trend doesn’t seem to be changing anytime soon. According to CyberSecurity Ventures, the cost of cybercrime will continue to increase by 15 percent each year, reaching $10.5 trillion annually by 2025.

Right now, most companies rely on their IT teams to stay compliant with cybersecurity standards. But as the risk of experiencing a cyberattack increases, your board of directors must take an active role in protecting the business—and themselves—from the consequences of cybercrime. Follow along to learn four ways the board of directors can support your company’s cybersecurity program while also reducing directors and officers (D&O) risk.

1. Take a holistic approach to cybersecurity that supports business objectives.

In the past, cybersecurity was considered more of an audit than a genuine threat assessment. Now, cybercrime can completely shut down a company’s infrastructure—and that means you need to take a holistic approach to your cybersecurity program.

If your company’s current cyber safety standards exclusively focus on protecting high-value assets, like customer data, consider expanding their scope. Your board should help IT personnel align cybersecurity with business objectives, including critical operations and processes that will impact business continuity.

“The key is to not just provide conventional, traditional cybersecurity capabilities, but to also understand what type of business you are, how you go to market, and what business processes are critical. How do you protect those processes that enable you to develop your product or service and deliver it to the market?”

– Derrick Lewis, senior director, Cyber Risk Control, Liberty Mutual Insurance.

In addition, as the company evolves its process and adopts new tools and technology, these changes can also create new vulnerabilities. Reviewing and adjusting cybersecurity protocols to align with business changes should be part of your risk-management planning.

Often, boards may not feel they have the knowledge or experience to speak on cybersecurity concerns. But with cyberattacks on the rise, the board can no longer take a backseat while the chief information security officer (CISO), chief information officer (CIO), or IT department spearheads cybersecurity initiatives. The board of directors should invest in education on these trends and risks in your industry, so they have a better sense of your company’s cyber health.

This education should start with meeting with the CISO or CIO on a regular basis— preferably on a quarterly basis. Having these conversations once a year is not sufficient to stay up to date on the threat landscape. In addition, gaining insight from a neutral third-party expert who can evaluate potential vulnerabilities and explain the impact to operations can also help the board understand the effectiveness of current policies and how priorities may need to shift.

“The CISO or CIO may want to defend their opinion, their outlook, or their practices, which is only natural, but it can lead to the board getting a picture that’s rosier than reality. Bringing in an impartial, external expert ensures that senior leadership is getting all the facts, even if there are vulnerabilities,” says Vivian Freedman, chief claims officer, IronPro Claims, Ironshore Insurance.

3. Assign cybersecurity oversight to designated stakeholders.

Designating specific stakeholders to take ownership of cyber risk management creates accountability, communicates the importance of these efforts, and enables the board to stay on top of cyber risks that could affect operations.

Notes Lewis, “It’s incumbent upon the board to have someone with cybersecurity expertise among their ranks to ensure this risk stays on their radar.”

Whether it’s a designated board member with cyber expertise or a cross-functional subcommittee, these stakeholders should have access to reports on the company’s cyber initiatives, with data from the CISO and other senior leadership. It’s also important to put formal reporting processes in place, especially for subcommittees that may not take part in all board-level initiatives.

4. Conduct cyber due diligence for third-party vendors.

For most companies, evaluating their own cybersecurity measures isn’t enough. Companies also need to understand how critical third-party vendors might impact their cyber safety. Supply chain attacks, which target companies by attacking their third-party vendors, are becoming more common and can have an enormous impact on business continuity. Companies that don’t do their due diligence before entering new third-party relationships could find themselves at risk in the event of a vendor systems breach.

“It’s critical before a cyber event occurs to understand a vendor’s defenses, and their insurance coverage. Because their exposure is your exposure.”

– Vivian Freedman, chief claims officer, IronPro Claims, Ironshore Insurance

To address this complex risk area, the board should understand and provide input on the processes and metrics used to evaluate third-party vendors, with a particular focus on their cyber safety protocols. They should also be aware of the risks they might incur if a third-party vendor is breached—and how your organization can mitigate its own exposure in those instances. 

5. Prioritize a culture of cyber hygiene and transparency.

Cyberattacks impact more than just the bottom line—they can also have a detrimental impact on brand reputation and customer safety. It’s up to the board of directors to prioritize cybersecurity and dedicate enough time and talent to address it effectively within operations—from onboarding employees to evaluating new software or procedures.

The board can also play an instrumental role in building a culture of cyber hygiene by empowering employees to report potential issues and establishing comprehensive procedures to respond to threats and alert relevant personnel.

“There’s a real risk that people will want to downplay when they see risks, because they don’t want to be the one to cause concern. It’s important to change that mindset, and the board can influence culture. Breaches can be prevented when employees at every level feel they can be vocal about security weaknesses,” Freedman says.

Demonstrating their commitment to cybersecurity through practices like regular reporting on potential cyber threats, encouraging employees to report cybersecurity concerns, and making ongoing improvements to current systems can help boards build transparency when it comes to a company’s cyber health.

Reducing cyber and D&O risk

A 2021 study by Willis Towers Watson identified cyberattacks and data loss as the top two risks that directors and operators face today—which means the board should have an obligation to prioritize cyber safety, or risk being held liable in the event of a cyberattack.  

A company’s board should play a fundamental role in building and improving its cyber risk-management program. With this input and buy-in, a company can better protect itself against cyber threats and related D&O claims.

Our cyber liability solution from Ironshore, a Liberty Mutual Company, helps protect companies against a variety of network security and privacy exposures resulting from data breaches and other cyber events. Learn more here.

This website is general in nature, and is provided as a courtesy to you. Information is accurate to the best of Liberty Mutual’s knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstance. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.