Intelligent CIO North America Issue 37 | Page 77

Given the SEC's quest for transparency, executive directors who manage cyber-risk should ponder the following advice:

1. Favor discretion over rules: cybersecurity based on compliance with rules or standards may make it easier to get through client audits, but it may not make you secure. Standards take many years to agree and implement, by which time the cyber threat has moved on, and they reflect the minimum capability that standard setters consider generally appropriate, rather than an aspirational capability. Independently scrutinize standards set by consensus and create a logical, defensible cyber-risk strategy that is specific and appropriate to your organization.

2. Have 'skin in the game': make those responsible for managing risk define the cyber-risk management strategy. Avoid the mistakes made by financial sector regulators in, for example, allowing banks' capital requirements to be set by the ratings agencies.

3. Not only are ratings agencies not responsible for managing banking risk, but they are also susceptible to market pressure: it is they who set disastrously low risk ratings on new and lethal financial products like collateralised debt obligations, which caused the 2007 financial crisis. Execs need to have 'skin in the game'.

4. Adopt a barbell security strategy: a combination of high- and low-risk management strategies, avoiding the middle ground. Protect to the maximum extent possible the IT systems that host your critical data and, if necessary, take more risk with the rest of your network by focusing on resilience rather than security.

5. Rehearse what you would do when a security incident happens: periodic testing of your security incident response fitness effectively vaccinates your business against a breach. Train your incident response team to control the language they use when they communicate, as it could be used in court as evidence. The most resilient companies are those that have learned how to operate without Internet access or even without IT. Make provisions for rebuilding your IT from scratch.
This rule change represents a major shift in how cyber breaches are handled and disclosed, and it has several potential benefits for both investors and the overall security landscape.