An effective ITRM program is broader than cyber risks and information security, addressing the entire IT risk universe.
Implementing an effective ITRM program that addresses cyber risk begins with understanding the roles that each member of the C-suite needs to play.
Board of directors/audit committee
The board is responsible for setting an adequate standard of due care and ensuring its execution through its oversight mandate.
The board, through an audit, risk and/or technology committee, should review the IT risk posture of the organization at least annually. In keeping with recent SEC guidance, the board and audit committee should determine the nature and extent of the requested cyber risk and incident disclosures, if any.
Chief risk officer (CRO)
Responsibilities range from overseeing the development and implementation of an ITRM program to monitoring and measuring its performance and effectiveness against the standard of due care set by the board.
General Counsel (GC)
In the event of a cyber compromise, the GC needs to act quickly to minimize the impact of the breach. The GC's office should be part of a breach response plan that includes an external communications plan, tested in advance so that it can be executed effectively in a time of crisis.
The GC will also need to be prepared to respond carefully to authorities such as the FBI, and to draft responses to subpoenas for evidence that can demonstrate a reliable forensic chain of custody.
Chief information officer (CIO) and chief information security officer (CISO)
The CISO function is typically responsible for developing and testing a cyber incident response program, and should oversee a company-specific threat assessment that analyzes the potential targeted assets and the resulting business impact.
The CIO and CISO should work with the CRO to ensure that the controls in place are effectively mitigating the broader IT risk landscape. CISOs should be transitioning traditional information security functions into IT risk management functions.
|Technology risk management for cyber threats |
Phases (columns): (incident and breach) | (damages and liabilities)
|Board of directors/audit committee |
- Set standard of due care
- Periodically evaluate cyber risk governance and review annual cyber risk assessment
- Issue cyber risk disclosures as per SEC guidance
- Receive breach notifications and governance updates
- Re-evaluate cyber risk governance oversight
- Re-evaluate standard of due care
- Re-evaluate cyber risk disclosures
|Risk management |
- Oversee ongoing ITRM program for cyber risks
- Monitor breach and cyber risk trends and measure risk management execution
- Evaluate effectiveness of cyber risk response and technology/risk management, then improve
|Legal |
- Develop cyber risk legal response strategy
- Approve cyber breach response program
- Execute breach communications plan
- Execute authority/regulator response plan
- Perform cyber risk liability control (long-lived)
|Information security |
(including incident response team)
- Build threat mitigation program to plan/protect most critical assets
- Establish incident, investigation and forensics response program; conduct tests
- Detect and respond to incident
- Execute investigation plans including incident forensics
- Assess effectiveness of cyber incident response
- Execute incident remediation plan, assess effectiveness