The International Bar Association (IBA) has published what it claims to be a “first-of-its-kind” report to guide senior executives and boards to protect their organization from cyber risk.
Released today, “Global perspectives on protecting against cyber risks: best governance practices for senior executives and boards of directors” is a lengthy document designed to give leaders insight into the main elements of a strong cyber-risk management program.
Co-chairs of the IBA Presidential Task Force on Cyber Security, Søren Skibsted and Luke Dembosky, argued that while cyber risk is rapidly evolving and global, regulators have struggled to keep pace.
“The reality is that, in the few places they exist, cybersecurity regulations vary considerably in terms of requirements, level of detail, and the method of supervision and enforcement. Guidance documents are often fragmented, and sector- or country-specific, and there is no globalized approach or set of principles for governance of cybersecurity risks,” they added.
“As a result, there is a lack of structured overview of best practices through which boards and senior management can look at cybersecurity and compliance.”
The report is the IBA’s attempt to fill this gap and draws on reporting from 10 jurisdictions – Australia, Brazil, Denmark, Germany, India, Israel, Singapore, Uganda, the UK and the US.
Its recommendations for senior execs and boards include:
- Understanding the organization’s cyber-risk profile, via internal and external briefings, membership of threat intelligence sharing organizations and maintenance of a risk register
- Understanding what information assets to protect, including those held by third parties. Assessments should be rerun after major business and tech changes, and a data governance framework is essential
- Understanding significant regulatory requirements in order to future-proof and optimize security investments. Specialized legal expertise may need to be sought
- Determining the organization’s risk tolerance, according to customer and regulator expectations, reputational risk and competitive landscape
- Understanding what security standards the organization is using and periodically reassessing whether they’re appropriate
- Ensuring the right risk decisions are made to protect key assets, based on senior technical advice
- Conducting periodic risk assessments led by outside experts and benchmarked against competitors
- Understanding who owns cybersecurity and the role legal and compliance personnel play
- Ensuring the board and management have sufficient cybersecurity expertise
- Investing enough funds in management of cyber risk
- Understanding and regularly reviewing security testing and training programs
- Ensuring senior management/board receives regular updates and that cyber risk reporting lines are clear
- Reviewing, understanding and testing incident response plans and any changes in risk posture caused by evolving business developments
- Overseeing the response to “significant” events