On April 29, 2016, the Council of Institutional Investors (CII) published its new Special Report, Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards.
To facilitate effective cybersecurity risk oversight by the board, CII has suggested five questions that a board of directors needs to be able to answer:
- How are the company’s cyber risks communicated to the board, by whom, and with what frequency?
- Has the board evaluated and approved the company’s cybersecurity strategy?
- How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
- How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
- When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?
There is nothing revolutionary about these five questions. They have been raised before, and cybersecurity has already made its way onto board agendas. However, CII’s “nutshell” cybersecurity questions highlight the intersection of corporate governance and cybersecurity and drive home the main message of the report: “effective cybersecurity risk management starts with the board.”
In addition, the report makes an important point: directors do not need to “support unrestrained capital spending on any project with a ‘cyber’ prefix.” Instead, as with their other risk oversight responsibilities, directors “need to:
- understand management’s cybersecurity strategy;
- learn where cybersecurity weaknesses lie; and
- support informed, reasonable investment in the protection of critical data and assets.”