Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity

The purpose of this document is to provide boards of directors with a set of Guiding Principles to enable the implementation of an effective cybersecurity program. A director should understand the full range of cyber risks facing his or her company and encourage management to develop appropriate strategies tailored to the company’s operating environment, risk profile, and long-term goals.

Any effective cyber program needs careful planning, smart delegation, and a system for monitoring compliance, all of which directors should oversee. It is no longer a question of whether a company will be attacked but of when, and of how well prepared the organization is to contain the damage. Smart network monitoring, early warning indicators, multiple layers of defense, and lessons learned from past events are all critical components of true cyber resilience. When things go wrong, whether in a major or minor way, the ability to quickly identify and respond to a problem will determine the company’s ultimate recovery.

Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can be.

Longer term, the board should understand and consider the strategic business implications of cybersecurity, foster the right company culture around security, and encourage the integration of cyber risk management practices into other governance and approval processes. In essence, the board should treat cybersecurity as a managerial issue, not just a technical one.


This entry was posted in Emerging Risks by David X Martin.

About David X Martin

David X Martin is a veteran financial executive whose career includes stints at PricewaterhouseCoopers (PwC), Citibank, and AllianceBernstein. He has extensive experience working with regulators and sovereign governments, and at one time or another has handled the oversight of investable assets, investment strategies, operations, quantitative research, distribution channels, trading, and investment banking. He also has extensive experience running financial holding companies, overseeing acquisitions, and creating new banking businesses.