Companies must protect themselves against a number of cyberattacks, whether the perpetrator is a nation state, cyber criminal or disgruntled employee. In some companies, cybersecurity has historically been treated as a technology issue. However, cyber risk must be managed at the most senior level in the same manner as other major corporate risks. To properly manage cyber risk, the CEO must fully understand the company’s cyber risks, the company’s plan to manage these risks, and the company’s response plan when the inevitable breach occurs. CEOs also must consider the risk to the company’s reputation and the legal exposure that could result from a cyber incident.
A good starting point for a CEO is a list of cybersecurity questions for CEOs created by the Department of Homeland Security. Some of the key questions a CEO should ask the Chief Information Security Officer or outside information technology consultants are:
- How is our executive leadership informed about the current level and business impact of cyber risks to our company?
- What is the current level and business impact of cyber risks to our company?
- How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
- What is our plan to address identified risks? How do we preserve the integrity of data resident on our network?
- How are industry standards and best practices reflected in our cybersecurity program?
- How comprehensive is our cyber incident response plan? How often is it tested? If we were breached tomorrow, who would we call?
- Do we have cybersecurity insurance that covers data breaches?
(The full document is available at https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf.)
Recommended CEO Actions:
- Confirm that cyber risk is addressed in existing risk management processes and governance processes.
- Get involved in cyber risk management discussions, including an evaluation of your company’s specific cyber risks and cyber incident response plans.
Additional Resources for Getting Started: