1. Do I know who is responsible for cyber risks in the company? Have I met them and am I confident there is sufficient segregation between them and those making decisions about the technological direction of the company?
2. Does the board regularly discuss the level of cyber risk it is prepared to take, and how much it is prepared to invest in managing that risk?
3. Do I fully understand the board’s cyber updates, briefings or papers, and how that information was generated? Are the cyber updates and technical briefings clear enough to enable a strategic discussion which encompasses the wider corporate environment? Is the board investing too much trust in its technical staff when signing off options which may carry personal liability for each director? Do briefings cover the basic areas outlined in the Government’s 10 Steps to Cyber Security guidance?
4. Is the board being offered choices or options in relation to cyber risk management? Regular IT-driven updates will not aid effective board-level oversight of the risk.
5. Outside of board meetings, do I speak regularly to the Chief Information Officer, Head of Internal Audit or Chief Information Security Officer to improve my understanding of the company’s threat profile, controls and processes?
6. Have I considered being a sponsor for the Chief Information Officer, Chief Information Security Officer or Head of IT? Can I help them communicate effectively with the board and vice versa around technology and business objectives?
7. Do cyber risks form part of the assessment of risk for all new projects and transactions? For example, cyber risks may be higher for the company’s involvement in a high-value transaction.
8. Have I encouraged board colleagues to provide assurance to investors and customers? Could a paragraph in our annual report boost investor confidence, whilst enabling us to enhance reputation and seize commercial advantage? I could suggest publicly presenting our Cyber Essentials certification.
9. Am I confident the business is prepared for a major breach? Is there an organisation-wide crisis management plan in place? Should I encourage the management team to present a tabletop cyber scenario to the board?
10. Are board members fluent in the risks and opportunities of the digital age? Are they actively educating and supporting their colleagues so the board can manage cyber risk? Should we address the need for stronger technology and digital understanding (including cyber risks) through board education or better use of external risk management experts?
CNA has access to many levels of talent, such as CISOs, DPOs, architects, engineers, and other specialist security, compliance, and risk personnel, and would be interested in hearing your views in confidence around your current and future requirements.