The toolbox is a list of questions to evaluate how cybersecurity is handled in your organization. It allows board members to do a self-assessment, to get the ‘lay of the land’.
Many of these questions map back to the principles from our guidebook: having a solid risk management program, access to security expertise, mitigating residual risk through insurance, and so on.
Here goes:
- Does the CEO encourage open access between and among the Board, external sources, and management about emerging cyber threats?
- Are we considering the cybersecurity aspects of our major business decisions, such as M&A, partnerships, new product launches, etc., in a timely fashion?
- Do we know where our cyber risk program sits on a maturity scale, and where we want it to be?
- Are we spending appropriately on cybersecurity tools and training? Do we know if our spending is cost-effective? Are we actually improving security or just completing compliance requirements?
- Who is managing our cybersecurity? Do we have the right talent and clear lines of accountability/communication for cybersecurity?
- Have we considered how we would manage our communications in the case of a cyber event, including communicating with the public, our shareholders, our regulators, our rating agencies? Do we have segmented strategies for each of these audiences?
- Does our organization participate in any of the public or private sector ecosystem-wide cybersecurity and information-sharing organizations?
- Is the organization adequately monitoring current and potential cybersecurity-related legislation and regulation?
- Does the company have adequate insurance, including Directors and Officers, that covers cyber events? What exactly is covered? Are there benefits beyond risk transfer to carrying cyber insurance?