What Boards need to ask amidst under-reporting of cyber attacks
Kingston, Jamaica, 26 October 2017 – PwC points to under-reporting of cyber incidents as a significant challenge when assessing cybercrime within Jamaica and the Caribbean. The challenge is exacerbated by the fact that there are no regulatory requirements for companies to report such incidents or to disclose their cybersecurity risk management programme. Notwithstanding the lack of reporting, PwC’s cybersecurity experts have found that even where companies have identified cyber threats, most do not have a cyber-incident response plan that would allow them to remain resilient during and after an attack.
Being resilient to cyber threats and attacks, however, starts at the top. “As the cyber threat landscape evolves, Boards must continue to look for ways to get a better handle on how to oversee cybersecurity risk management,” said Hugh Thompson, a Director in PwC Jamaica’s Risk Assurance practice. Hugh was speaking at the recent BizTech conference hosted by the Jamaica Computer Society.
In his presentation, Cybersecurity: What the Board of Directors need to ask, Hugh shared insights and set out seven key questions that every Board must ask in order to perform its fiduciary responsibilities related to cybersecurity effectively and to bridge the confidence gaps.
- Do we have the information we need to oversee cyber risks? This involves meeting regularly with the company’s top security owner(s) and external specialists, and bringing technical expertise onto the Board, to review information and metrics about the company’s threat environment and its resilience to cyberattacks.
- How effective is our cybersecurity strategy at addressing the risks the business faces? Is the company investing in safeguards to better defend against evolving threats e.g. increasing the cybersecurity budgets, implementing cloud-based or third-party cybersecurity services, and performing data analytics to identify threats? Boards should be asking management about the company's strategy for addressing data security, whether it is effective, and whether the programme includes new technologies to monitor, identify and respond to cyber threats or incidents.
- How do we protect sensitive information handled, stored and transmitted by third-party vendors? A company’s third parties (suppliers, contractors, service providers and others) may have access to sensitive information, and that access is a potential route to a cybersecurity breach. Boards should understand how the company selects, vets and monitors third parties, and how those parties protect the company’s sensitive information.
- Do we have cyber insurance? It’s a new and evolving industry, making it important that companies thoroughly understand the policies – what’s covered, and more importantly, what isn’t. Boards will want to understand the company’s policy (if one is purchased) and how the cyber insurance market is changing, particularly as underwriters become more sophisticated.
- Do we have the right data governance strategy to minimise our exposure? Companies should have effective policies, processes and controls to manage, and where appropriate dispose of, information and data proactively, that is, before a breach occurs rather than after. Boards should discuss with management whether the company’s data strategy is current and effective in helping to minimise costs, legal claims and damage to the brand should a breach occur.
- How do we stay current on the threat landscape around the industry and market? Some companies today are moving toward a more collaborative approach, in which intelligence on threats and response techniques is shared with external partners in the public and private sectors. It is important that Boards ask what their company is doing to learn from others to improve its own resilience and cybersecurity.
- Do we have a tested cyber incident response plan? Boards should discuss with management the company’s incident response plan: what it covers with respect to cybersecurity, how management tests the plan, and whether it could be made more effective.