Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • More than one third of directors at US public companies said they discuss cybersecurity at every board meeting. — WomenCorporateDirectors and Marsh & McLennan Companies, 2018
  • One third of organizations said they do not assess the cyber risk of their suppliers and vendors. — WomenCorporateDirectors and Marsh & McLennan Companies, 2018

As cyberattacks increase in number and severity, corporate boards are changing how they approach risk management and emerging threats, according to a Monday report from WomenCorporateDirectors and Marsh & McLennan Companies’ Global Risk Center.

More than one third of directors at US public companies said they now discuss cybersecurity at every board meeting, the report found, with high-profile data breaches, DDoS attacks, and ransomware attacks driving their attention. The annual economic cost of cybercrime is estimated at $1.5 trillion, according to the report.

However, most boards have only one director serving as the tech or cyber expert, and few directors have extensive knowledge of emerging threats, the report found. Risks regarding third parties are also rampant, as one third of organizations said they do not assess the cybersecurity risk of their suppliers and vendors. Companies also remain unclear on how they stack up against their peers in terms of cybersecurity and best practices, the report stated.

SEE: Network security policy template (Tech Pro Research)

“With increasing threats of attack on their data and systems, boards are demanding much more information about their organizations’ risk and how well they are covered against loss and breaches,” Susan C. Keating, CEO of WomenCorporateDirectors, said in a press release.

Here are 10 questions that board members or employees should ask management about their organization’s cyber readiness to avoid breaches and keep assets safe, according to the report:

1. What cyber risk management framework does the organization use to assess and benchmark our approach and risk profile (e.g., NIST)?

2. Given management’s assessment of our cyber risks and mitigating procedures, where are our most significant residual vulnerabilities?

3. Where do we rank in cyber preparedness compared to relevant peers and how frequently does management perform cyber scenario testing/war games? How do we benchmark our performance?

4. Which leaders across the organization have accountabilities for cyber risks within IT, functions, business and operational areas, etc.? How do we ensure we have enough resources dedicated to each?

5. How are our business continuity/resiliency plans adapting in response to dynamically evolving cyber threats? For example, what company policy and protections are in place regarding ransomware threats and related payments? Do these plans consider local laws?

SEE: Intrusion detection policy (Tech Pro Research)

6. Have we quantified and assessed the potential financial impact of an interruption caused by a cyber event?

7. Do we have a dedicated cyber insurance policy, or are we relying on add-on products or blended coverages? What exposures does our cyber insurance coverage address and what risks have we elected not to insure?

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

8. What are the limits of liability of cyber insurance that we have available, and how can we determine if they are sufficient?

9. How often will the board be updated on the status of cyber risk management and cyber insurance coverage, and what will be the format of that report?

10. How have we compared our cyber insurance program to our fundamental risk profile, as well as to similarly-situated peers in our industry, or those with similar risk/threat profiles?