Given the increase in cyberwarfare, cybercrime, cyberhacking, and cybersecurity in 2014, those threats are likely to increase in 2015.
In carrying out a risk assessment a board may consider a range of likely and improbable scenarios.
Boards won’t be held responsible for not predicting a particular unforeseeable crisis ( a “black swan event“).
But they are responsible for planning for and dealing with the serious consequences of crises which result in a threat to the company’s reputation or losses to customers or shareholders.
ASIC chairman Greg Medcraft recently said this about cybercrime:
“Cybercrime is a systemic risk, and I have been saying for some time now that I think it is the next black swan event. It is also an issue that’s captured the interest of global policy makers, including the G20.
So, how do we counter the threat of a cyber-attack? Cyber-resilience through risk management is vital.
For organisations, risk managements systems must be granular enough to ensure a good level of resilience in an organisation….
In the United States, the White House has released its Cybersecurity Framework. It aims to help organisations manage cyber-risks by establishing an analytical framework for:
- identifying and protecting against cyber-risks; and
- detecting, responding and recovering from a cyber-attack.”
Boards need to maintain their oversight of IT security and develop employee awareness of cyber-risks and their consequences including the threat to individual privacy.
What questions should directors ask management?
- Can someone explain to me in plain english how we are protected?
- Identify and prioritise opportunities for improvement
- Does the company need access to additional technical expertise?
- How can I be assured that our security is up to date?
- Is there a fast response and recovery plan if we are attacked?
- What alarms/indicators does our network have to show unauthorized access?
- Have our independent auditors approved our internal controls for cybersecurity?
- Can we test our systems before there’s a problem?
- Are we adequately insured?