Boardroom Tools

10 Questions for a Board Member to Ask About Cybersecurity

By Jeff Brown, Chief Information Security Officer, Raytheon

01/16/2019


OBJECTIVE OF THE TOOL:
This tool offers suggested questions that board members can ask management to conduct oversight of their cyber-risk management, and explains what answers to those questions might look like.

The questions that follow do not encompass everything a company must do to protect itself. However, these questions should be a good start to give a board some confidence that the company understands what it needs to do and is structurally set up to succeed.

Tier 1. Policy and Governance

This covers a set of prerequisite control issues that every organization must address. If these questions are not satisfactorily answered, continuing on to Tier 2 and Tier 3 questions will offer little useful insight.

  1. How is personally identifiable information (PII) treated domestically and internationally? What safeguards are in place for lost or stolen equipment?
    Why it’s important:
     The legal and reputational penalties for PII violations are severe and very public. Requirements vary greatly between states, and even more so between countries. With most employee computing assets now being laptops or tablets, it is a safe bet that some will be lost or stolen, so the data on them must be protected (for example, by full-disk encryption) before that happens.

    Helpful answer: “We know where all of our PII is stored. We have it encrypted at rest and in transit. All of our employees who routinely handle PII are trained in safeguarding procedures. We have periodic (usually annual) training on PII for our employees. We are aware of the differences in PII requirements, especially in Europe, and have taken the necessary additional steps to comply.”

    Answers that demand additional prodding:
    - “Our employees won’t accept disk encryption of their laptops.”

    - “We don’t have that much PII.”

    - “Our non-HR employees don’t handle PII, so we don’t need to train them.”
