On April 29, 2016, the Council of Institutional Investors (CII) published its new Special Report, Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards.
To facilitate effective cybersecurity risk oversight by the board, CII has suggested five questions that a board of directors needs to be able to answer:
- How are the company’s cyber risks communicated to the board, by whom, and with what frequency?
- Has the board evaluated and approved the company’s cybersecurity strategy?
- How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
- How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
- When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?