With growing frequency, the business press is reporting security breaches at highly reputable organizations whereby sophisticated cybercriminals gain access to highly sensitive information. Valuable corporate information assets, in addition to personal or financial information of customers and employees, can be exposed to cybersecurity risks. As a result, organizations are making cybersecurity risk a top-priority of their enterprise risk analysis given the numerous risk issues that cybersecurity breaches create for organizations who experience an intrusion event. A recent white paper, issued by the law firm of Sidley Austin LLP, provides a number of issues to be considered by senior executives as they evaluate cyber risk exposures.
Need for Strengthened Oversight of Cybersecurity Risks
Many of the recent cybersecurity events are providing compelling lessons about corporate data security vulnerabilities. They are highlighting risk exposures related to their core intellectual property assets and other trade secrets. Board concerns are growing with directors now asking management to describe the organization’s processes for identifying, assessing, and monitoring the ever-changing nature of cybersecurity risks. Many are making cybersecurity a top-priority risk oversight issue.
Cybersecurity risks arise from highly sophisticated computer criminals who may or may not be actively supported by foreign governments or organized terrorist organizations. Some are using technology access to steal intellectual property, while others are funded by foreign governments who are seeking to do damage related to national security and national economies. In some cases, cyber criminals are able to secretly penetrate a network and create the ability over time to move throughout a system without detection, leaking information in small increments for extended periods of time.
Recommendations for Senior Executives and Boards Regarding Cybersecurity
This Sidley Austin thought paper includes several recommendations for consideration by senior executives and the board of directors as they evaluate cybersecurity risks and the need for responses to manage those risks. Some of the recommendations are summarized below:
- Senior management should report regularly to the board of directors the organization’s cybersecurity risk profile and corresponding governance systems to address those risks.
- Public companies should evaluate whether cybersecurity risks should be included in their risk factor disclosures in the Form 10-K filing with the SEC.
- A strategy for identifying, assessing, managing and monitoring cybersecurity risks should be established and a C-level executive should be assigned responsibility for managing those risks.
- Management should evaluate their “insider threat” risks, and develop plans to mitigate any damage that could be caused by Wikileaks-type situations.
- Training and awareness programs should be developed to raise employee awareness of cybersecurity risks to help prevent, detect, and abate those risk threats.
- Management should develop contingency plans and response strategies for what might be an inevitable cybersecurity risk.
- Organizations should evaluate whether there are government resources that might provide relevant assistance to address certain types of cybersecurity risks.
Obtain the thought paper to review the full list of recommendations.
Click below to access the thought paper