Directors should ask managers these questions about cyber

Corporate directors should be asking management some tough questions about what the organization is doing to prevent cyberattacks on their organizations.

John Heaton, a partner, advisory with KPMG’s cybersecurity practice, talked with Canadian Underwriter Wednesday about what corporate directors should be asking their managers about cyber risk.

Heaton discussed the topic Tuesday at KPMG’s Annual Insurance Conference.

Question 1:

What are the threats?

Directors should identify not only the threats, but the potential consequences of the threats on the organization and its likelihood.

“That tells me if you understand who might target you,” said Heaton. “Do you understand how you might be targeted? Do you understand what could impact you?”

The managers’ answer to this question demonstrates the level of understanding about the data an organization holds and what is important—be it personal, health or credit card data, or data being held on behalf of others.

Question 2:

Is there a cybersecurity program in place?

“Is it ready to protect that data and deal with those threats and risks?” Heaton asked.

Question 3:

How do we report to the board of directors?

Updating the board of directors on progress is important. Heaton said management should be thinking about questions such as: “What information should I be producing that will tell them [the directors] that I have identified those threats, I know what my data is and I’ve protected my data?”

Data being held by organizations varies by industry, and even P&C data is different than the data collected by life insurers. “The data [organizations] hold, the amount of data and how long they hold that data will dramatically change their threat and the potential impact,” Heaton said.

As organizations move toward eliminating paper-based processes and moving everything online, that increases the risk, Heaton said. “More and more, that data is in one place and you’ve got to protect it.”