By Apprameya Iyengar
Last month the New York Stock Exchange (NYSE) released its “definitive cybersecurity guide for directors and officers.” Given the rise in cybersecurity incidents and the growing sophistication of cyber criminals disrupting critical business processes, directors and officers are under more scrutiny than ever before to maintain effective cyber incident management protocols across the enterprise. While cyber incidents vary with the circumstances, the NYSE suggests a phased approach to cybersecurity incident management overseen by a chief information security officer (CISO).
1. Empower the CISO before a crisis.
Public companies are well served by empowering a CISO to direct and manage cybersecurity incident response activities across the enterprise. Directors and officers should carefully consider the CISO’s reporting line to help ensure that the CISO is organizationally positioned with a strong and independent voice to effectively oversee the company’s cyber incident management readiness. Recent trends include having the CISO report directly to the general counsel, the chief operating officer, the chief risk officer, or in some cases, the chief executive officer. Directors and officers should also consider:
- Will the CISO’s role involve advising on cybersecurity aspects of major business decisions (e.g., M&A, strategic partnerships, engaging critical third party vendors, and new product launches)?
- What is an appropriate budget to enable a CISO to assemble a team and implement the right technology infrastructure and controls to assess, detect, and mitigate vulnerabilities in the company’s networks?
2. Create, implement, and periodically test your cybersecurity incident response plan.
An effective cyber incident management plan should specify individual roles involved in responding to a cybersecurity incident and the operating procedures in the immediate aftermath of a cyber incident. While each company’s risk management philosophies may differ, a clearly articulated cyber incident management plan should be tailored and updated to address:
- Who are the company’s most likely intruders? Sophisticated cybercriminals routinely get past perimeter and network security controls through employees visiting compromised websites, through malware, “spear phishing,” and “zero-day exploits.”
- Where are the biggest gaps in the company’s IT network(s)? What security measures are in place at the perimeter of your company’s IT network(s) (e.g., cloud, mobile, email, WiFi) to detect and/or keep out intruders?
- Where is the company’s most valued data stored and who has access to the data? Consider which members of your organization have access to the company’s most sensitive data and how such access is monitored, controlled, and audited.
- How often is your company’s incident management plan tested, and by whom? Testing the cyber incident management plan is the best predictor of how the company would actually perform after a cyber incident, and it exposes the current gaps in the incident response program. Consider engaging independent third parties to review your cyber incident response program to help mitigate current and foreseeable threats.
3. Delivering the Message: How should cybersecurity incidents be communicated internally and externally?
Communicating cybersecurity incidents is critical to raising cyber literacy across the enterprise and keeping the organization secure. A company’s corporate communications team can help message cybersecurity threats and vulnerabilities to a broad audience across the enterprise. Additionally, your company’s crisis communications plan should cover cybersecurity incidents, and the appropriate spokespersons should be trained in responding to media inquiries.
Given how common cyber incidents have become, no company, public or private, is immune from one. However, implementing and regularly updating an enterprise-wide cyber incident management plan can help limit the impact of an eventual cybersecurity breach.
For additional information, please contact the author or a member of Polsinelli’s Privacy and Data Security practice.