July 11, 2023
Cyber Risk Oversight: 10 Questions for Boards
With the SEC continuing to signal that it will finalize cyber disclosure rules sometime soon – and the Enforcement Division already pursuing and cautioning against potential disclosure shortfalls under existing rules – boards are taking a fresh look at their approach to oversight on this topic. This Reed Smith memo suggests 10 questions that boards can ask to get useful info about cyber risks:
1. What and where are your company’s technology-based assets?
2. What cyber insurance does the company benefit from and when was it last reviewed?
3. How do your company’s employees and third-party contractors interact with the company’s cyber assets?
4. What are the legal, regulatory and reputational consequences of a cyberattack on your company?
5. Who at the company owns the cybersecurity risk portfolio? Does the business have sufficient capacity to deal with cybersecurity issues?
6. What cyber expertise exists at the company’s board level?
7. In the event of a cyberattack, what is the company’s plan to mitigate its impacts and consequences?
8. What is the reporting structure to the board regarding cybersecurity issues, and at what frequency does the board receive reports on cyber issues?
9. What cybersecurity policies are in place at the company? How does the company ensure that its employees, contractors and other third parties comply with the policies?
10. Specifically, how does the company ensure that online meetings are kept private and secure in the increasingly hybrid working world?
The full memo gives more color on each of these questions. While I’m not sold on the notion that every board needs a cyber committee or cyber-expert, which the commentary to Question No. 6 could be interpreted as suggesting, the question itself is still worth asking – especially if the SEC’s rule on this topic is adopted as proposed. Visit our “Cybersecurity” Practice Area for additional practical resources.
– Liz Dunshee