Cyber-attacks can be rapid, highly damaging and public, and can have a negative impact on investor and customer confidence, affecting an organization’s creditworthiness and exposure to civil liability.
Cyber risk is most often considered an IT risk, defined as “the business risk associated with the use, operation, ownership, involvement, influence and adoption of IT within an enterprise”. Our dependence on external networks and providers, together with the expertise of hackers in gaining access to system user credentials, has made organizations particularly vulnerable to cyber-attacks.
Corporate directors have a legal responsibility to ensure appropriate cyber risk management policies are prepared and practices are implemented to identify, protect against and respond effectively to cyber incidents. Cyber risk cannot be treated in isolation by the IT function, as economic harm resulting from a disclosure of electronic information or digital assets, compromise of a computer network or network security, or disclosure of confidential or personal information is an organizational risk.
Independent, board-sponsored risk functions to manage and report on internal controls, stress testing, and organizational recovery plans (including all business areas) are recommended, particularly where an organization is responsible for providing viability statements, stores confidential information and has high transactional volume with third-party vendors or customers.
While cyber insurance can’t protect your organization from cybercrime, it will help it withstand the financial impact of a significant security event. Whether or not your organization ultimately decides to add cyber liability protection to its insurance budget, there is great benefit in going through the insurance application process to identify data risks, enhance current controls and improve your organization’s cyber risk profile.
INTECH provides sound advice and assistance on cyber liability risk and insurance options.