Cyber Risk Committee

CSGA's Cyber Risk Committee was designed to work with:

=> Public Safety Officials
=> First Responders
=> Emergency Managers
=> Law Enforcement
=> Government Agencies
=> NATO and Other Military Organizations
=> Chief Security Officers
=> Chief Information Security Officers
=> Key Senior Officials

to discuss key cybersecurity-related issues, strategies, action plans, incident response plans, rapid deployment, public relations and more when responding to cyber threats and attacks on cities, municipalities and infrastructure globally.

Cyber-risk is an enterprise-wide risk that corporations are wisely placing on the high-priority list, now and for the long term. Such issues as mobile technology, cloud computing, social media, increasing incidences of breaches, corporate espionage and hacks that shut down operations have made cyber-risk impossible to ignore.

Perhaps what today’s corporations are struggling the most with is scrambling to decide how best to handle cyber-risk. Size of corporation, IT budgets and other issues are major factors in how corporations approach cyber-risk matters. Some companies are realizing that they need a tech-savvy board director to guide them. Many other companies are realizing that even that isn’t enough to help protect against cyber-attacks and manage potential data breaches.

The trend in corporate cyber-protection is more of a “boots on the ground” approach, which includes forming a cyber-risk committee that takes the reins and responsibility for all cyber-risk matters. Rather than form a wholly new committee, some corporations delegate the responsibility to the audit committee. Cyber-risk committees play a major role in cyber-protection. It’s important to note that forming a cyber-risk committee doesn’t alleviate the pressure or responsibility for the board or audit committee in their roles to protect against cyber-attacks.

Defining the Cyber-Risk Committee

A cyber-risk committee may be defined as a sub-group of a board of directors that identifies, evaluates and monitors all cyber-risk management activities and determines how they align with the overall corporate risk profile.

The Role of the Cyber-Risk Committee

Cyber-risk management requires three things:

1. Clarity of the cyber-risk management program.
2. Confidence in the adequacy of the program.
3. Assurance in the information they receive.

Because cyber-risk is an enterprise-wide risk, it requires enterprise-wide oversight. Cyber-risk committees need to encourage the board to give cyber-security issues a high priority and to prioritize them with strong oversight as part of good governance. In addition, cyber-risk committees need to be communicating regularly with the audit committee to help them understand specific risks and who is accountable for them.

Managing a Cybersecurity Program

As cyber-risk matters began to rear their ugly heads in years past, corporations took a piecemeal approach to managing cybersecurity until they were able to figure out more comprehensive and appropriate approaches. Today’s cyber-risk programs require a more mature approach. Cyber-risk committees should be the authority on cybersecurity matters. They need to know where risks may come from and how those risks could affect the business. They also need to understand the IT assets that connect to the organization’s greater network. The evolution of cyber-risk concerns is sparking a similar evolution of concerns in the regulatory arena on national and global fronts. Cyber-risk committees need to stay abreast of new regulations. The future will likely hold some new national mandates around cybersecurity.

Cyber-risk committees need to be as forward-thinking as possible. This means being continually willing to challenge the effectiveness of current cyber-risk management programs. It also means that they need to support cyber-risk initiatives as they continue to evolve. This responsibility includes such tasks as promoting a culture that’s aware of risks and developing a holistic risk management strategy. The committee’s efforts will have an impact on the corporate budget, so they also need to be able to strike a balance between the cost of the program and the value that it provides.

The CSGA currently offers a voluntary program called the Cybersecurity Risk Management Framework that helps corporations to find the gaps in their programs and remediate them. This tool incorporates a concentrated set of criteria for cyber-risk committees to identify how adequate their processes and internal controls are.

Data breaches require a rapid response, where the board and managers will need to act within hours. Cyber-risk committees should be able to report to the board on how they intend to stage rehearsals for data breach responses, including tabletop exercises. Their reports to the board should include when they or the IT teams conducted breach rehearsals, what they learned from them, and recommendations for what to change moving forward.

In addition to working with the board, cyber-risk committees will need to review management’s response plans, so they know who is responsible for making decisions after a breach and what actions the corporation needs to take. Possible actions may include:

=> How and when to make a public announcement.
=> How and when to notify customers.
=> When or if to notify law enforcement.
=> Bringing in a forensic group and who they would report to.
=> Making a report.

The pervasive nature of cyber-risk requires boards, managers and audit committees to accept some responsibility for cyber-risk.
