In today’s world, cyber resilience and cyber risk management can have a direct impact on an organization’s reputation. As such, the emerging trend within information security frameworks over the last decade has been to place the responsibility and accountability for managing these risks on top-level executives.
Many organizations are struggling with this trend because they lack the processes and tools for dealing with this added burden. In response, the World Economic Forum has released a set of Principles and Tools for Boards to help executives and the board manage these existential risks as they become increasingly responsible and accountable for them.
The document, developed in partnership with Hewlett Packard Enterprise and the Boston Consulting Group, identifies ten key principles that boards should adopt.
Principle 1 – Responsibility for Cyber Resilience
The board as a whole takes ultimate responsibility for oversight of cyber risk and resilience. The board may delegate primary oversight activity to an existing committee (e.g. risk committee) or new committee (e.g. cyber resilience committee).
Principle 2 – Command of the Subject
Board members receive cyber resilience orientation upon joining the board and are regularly updated on recent threats and trends – with advice and assistance from independent external experts being available as requested.
Principle 3 – Accountable Officer
The board ensures that one corporate officer is accountable for reporting on the organization’s capability to manage cyber resilience and progress in implementing cyber resilience goals. The board ensures that this officer has regular board access, sufficient authority, command of the subject matter, experience and resources to fulfill these duties.
Principle 4 – Integration of Cyber Resilience
The board ensures that management integrates cyber resilience and cyber risk assessment into overall business strategy and into enterprise-wide risk management, as well as budgeting and resource allocation.
Principle 5 – Risk Appetite
The board annually defines and quantifies business risk tolerance relative to cyber resilience and ensures that this is consistent with corporate strategy and risk appetite. The board is advised on both current and future risk exposure as well as regulatory requirements and industry/societal benchmarks for risk appetite.
Principle 6 – Risk Assessment and Reporting
The board holds management accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing agenda item during board meetings. It validates these assessments with its own strategic risk assessment using the Board Cyber Risk Framework.
Principle 7 – Resilience Plans
The board ensures that management supports the officer accountable for cyber resilience through the creation, implementation, testing and ongoing improvement of cyber resilience plans, which are appropriately harmonized across the business. It requires the officer in charge to monitor performance and to report regularly to the board.
Principle 8 – Community
The board encourages management to collaborate with other stakeholders, as relevant and appropriate, in order to ensure systemic cyber resilience.
Principle 9 – Review
The board ensures that a formal, independent cyber resilience review of the organization is carried out annually.
Principle 10 – Effectiveness
The board periodically reviews its own performance in the implementation of these principles or seeks independent advice for continuous improvement.