In June 2017 Nasdaq and Simpson Thacher published a compact, highly informative and well written document which is in effect a general guideline and a first step towards an integrated approach to risk management. It is suitable for practically every company or public organisation that has experienced, or will experience, cyber attacks, and it offers a framework grounded in experience.
PRIMO observed the same themes in its round tables: cyber security should be addressed at board level, it concerns all business disciplines (not only ICT), it needs an open risk culture in the organisation, and it demands leadership that understands this. Above all, security has to be felt as core business by every employee in the organisation. Creating cyber security is therefore risk management at its highest level: not rocket science, but above all a practical approach:
“The overriding principle for any board overseeing cyber risks is that cybersecurity should be approached as an enterprise risk management (“ERM”) issue, rather than a technological problem for the information technology team to handle. The management of cyber risks is just one element of the company’s risk management and oversight, and overseeing such risks should be part of the board’s oversight of the execution and performance of the company’s ERM program (or, if the company doesn’t have an official ERM program, the company’s risk assessment and mitigation activities).
Accordingly, while directors may not understand all the technological details surrounding data protection systems and processes, the board nevertheless needs to ensure that it is comfortable that management is effectively managing the company’s cyber risks, as with any other risk the board oversees through the ERM process.”
Leading to the conclusion:
“To fulfill its duty of care with respect to overseeing the company’s cyber risks – and to be able to demonstrate, in any future litigation, that it has fulfilled this duty – the board must ask thoughtful and strategic questions to understand how management is preventing, detecting and responding to data breaches and incidents and to ensure that it is comfortable that the measures being taken in this regard are sufficient and appropriate.
By asking the questions outlined above – and any other questions relevant to the company’s facts and circumstances – and by exercising good judgment, directors can successfully oversee the cyber risks facing the company and the company’s plan to mitigate and respond to those risks.”