Rise of the CISO
What is a CISO and how does it differ from a CTO and CIO?
Cyber risk is like any other business risk and requires board-level attention and responsibility. Since the 2015 edition of the Cyber risk practice guide was published, boards have significantly stepped up their focus on cybersecurity.
The 2021 edition of the Cyber risk practice guide retains five core principles to help boards understand and approach cybersecurity in their organisations. Updates to the guide include privacy law developments and new resources for directors. It also presents questions for directors to ask management around their cybersecurity policies and settings.
The five core principles for boards in their oversight of cyber risk are:

1. Directors should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand their legal responsibilities and the implications of cyber risk relevant to their organisation.
3. Cybersecurity needs regular and adequate time on the board agenda. Boards should also continue to build their cyber competency and ensure they have access to external expertise.
4. Directors should ensure that an enterprise-wide cyber risk management framework is established.
5. Board and management discussion of cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, together with specific plans for each approach.