Boardroom Tools

10 Questions for a Board Member to Ask About Cybersecurity

By Jeff Brown, Chief Information Security Officer, Raytheon

01/16/2019

Cyber-Risk Oversight Board-Management Relations

OBJECTIVE OF THE TOOL:
This tool offers suggested questions that board members can ask management to conduct oversight of their cyber-risk management, and explains what answers to those questions might look like.

The questions that follow do not encompass everything a company must do to protect itself. However, these questions should be a good start to give a board some confidence that the company understands what it needs to do and is structurally set up to succeed.


Tier 1. Policy and Governance

This covers a set of prerequisite control issues that every organization must address. If these questions are not satisfactorily answered, continuing on to Tier 2 and Tier 3 questions will offer little useful insight.

  1. How is personally identifiable information (PII) treated domestically and internationally? What are the safeguards for lost or stolen equipment?
    Why it’s important:
    The legal and branding penalties for PII violations are severe and very public. Requirements vary greatly between states, and especially between countries. With the preponderance of employee computing assets being laptops or tablets, it is a safe bet that some will be lost or stolen.

    Helpful answer: “We know where all of our PII is stored. We have it encrypted at rest and in transit. All of our employees who routinely handle PII are trained in safeguarding procedures. We have periodic (usually annual) training on PII for our employees. We are aware of the differences in PII requirements, especially in Europe, and have taken the necessary additional steps to comply.”

    Answers that demand additional prodding:
    - “Our employees won’t accept disk encryption of their laptops.”

    - “We don’t have that much PII.”

    - “Our non-HR employees don’t handle PII, so we don’t need to train them.”

  2. How many third parties have access to your systems, and what controls are placed on them?
    Why it’s important:
    This would include outsourced cloud applications (such as those commonly used for customer-relationship management or payroll), applications or systems that are located on your premises but managed by a third party from off-site (such as facility monitoring), or outsourced infrastructure. Third parties seldom screen their employees as well as you would yourself, and their controls tend to be generic. In addition, advanced threats are increasingly targeting suppliers, so a compromised supplier-employee account could be a back door into your systems. It is much harder to “know when you fail” when your data and systems are outsourced.

    Helpful answer: “We have a formal process for reviewing third-party contracts and connectivity. Third-party personnel screening requirements and system security requirements are included in contracts. Access by individuals is strictly controlled to limit them to necessary data only.”

    Answers that demand additional prodding:
    - “We rely on our suppliers to be secure.”

    - “Each line of business manages their own suppliers’ access.”

    - “We don’t really have a good listing of the data that third parties have access to.”
