10 leading practices to oversee cyber risk
EY regularly engages with boards and hosts gatherings of directors and cybersecurity experts to discuss challenges and leading practices in overseeing cyber risk. During the past year, our programs included dialogues involving more than 500 directors, and a three-part webcast series attended by over 18,000 people. The webcasts covered ransomware, leading practices for cyber oversight, and regulatory developments in cyber and data privacy.
Based on insights gained through our engagements with directors, as well as what EY cybersecurity leaders have learned from assignments around the globe and across industries and company sizes, we have identified these 10 leading practices to help boards oversee cyber risk:
1. Elevate the tone.
Establish cybersecurity as a key consideration in all board matters.
2. Stay diligent.
Address new issues and threats stemming from remote work and the expansion of digital transformation. And remember that every employee needs to be diligent, too — 82% of breaches involve a human element, according to Verizon’s 2022 Data Breach Incident Report, issued in late May.
3. Determine value at risk.
Reconcile value at risk in dollar terms against the board’s risk tolerance, including the efficacy of cyber insurance coverage.
4. Leverage new analytical tools.
Such tools inform the board of cyber risks ranging from high-likelihood, low-impact events to low-likelihood, high-impact events (i.e., a black swan event).
5. Embed security from the start.
Embrace a “trust by design” philosophy when designing new technology, products and business arrangements.
6. Independently assess your program.
Obtain a rigorous third-party assessment of your cyber risk management program (CRMP).
7. Evaluate third-party risk.
Understand management’s processes to identify, assess and oversee the risk associated with service providers and third parties involved in your supply chain. Supply chains were responsible for 62% of system intrusion incidents in 2021, according to Verizon’s 2022 Data Breach Incident Report.
8. Test response and recovery.
Enhance enterprise resilience by conducting rigorous simulations and arranging protocols with third-party specialists before a crisis.
9. Understand escalation protocols.
Have a defined communication plan for when the board should be notified, including incidents involving ransomware.
10. Monitor evolving practices and the regulatory and public policy landscape.
Stay attuned to evolving oversight practices, disclosures, reporting structures and metrics.