Overview

• FTSE 350 Cyber Governance Health Check 2018, a UK government report found that only 16% of boards have a full understanding of the impact and disruption associated with cyberattacks, despite 96% having an established cybersecurity strategy.
• This significant lack of board-level cybersecurity awareness among FTSE 350 members is “alarming”.
• Also, there is growing evidence that cyber-attacks are now deliberately targeting executives and board members – not businesses themselves – which shows that attackers believe this group is particularly vulnerable as well as valuable.

Approach

Based on data collected from an Cybersecurity Posture Assessment and additional pertinent organizational information, such as enterprise and business unit revenue and business value of significant IT assets from the CISO and CIO point of view our experts will work to provide your Board access to the industry leading experience and focus in the areas such as:

• Helps board members understand their current obligations in a changing cyber security landscape.
• Provides them with an easy-to-understand presentation on threat intelligence, industry trends and personal security.
• Delivers a positioning paper outlining the relevant cyber security challenges the enterprise must react to.
• Provides context for cyber risk management activities that might otherwise be unclear or confusing.

Benefits

.

• Helps board members understand their current obligations in a changing cyber security landscape.
• Provides them with an easy-to-understand presentation on threat intelligence, industry trends and personal security.
• Delivers a positioning paper outlining the relevant cyber security challenges the enterprise must react to.
• Provides context for cyber risk management activities that might otherwise be unclear or confusing.

Deliverables

• What part of the Board should handle examination of cyber security risks? Should it be the whole Board? Should this responsibility be assigned to the Audit Committee? The Risk Committee (if there is one)? Should the Board create a “Cyber Committee” to exclusively deal with these issues? Should additional Board members be recruited who have specific cyber security experience?
• How often should the Board (or Committee) be receiving cyber security briefings? In this world, which moves at light-speed and in which cyber breaches are reported daily, are quarterly briefings enough? Should the Board be receiving monthly briefings? Or more (given the industry type of the Company on whose board they sit, e.g. tech/IP company)?
• Given the sheer complexity and magnitude of many cyber security issues, should the Board hire its own “cyber advisers” to consult on cyber security issues, and to be available to ask questions of the Company’s senior management, CTOs, and CIOs?
• What are the greatest threats and risks to the Company’s highest-value cyber assets? Does the Company’s human and financial capital line up with protecting those high-value assets?
• What is the Company’s volume of cyber incidents on a weekly or monthly basis? What is the magnitude/severity of those incidents? What is the time taken and cost to respond to those incidents?