Boards and senior management of these companies are still not engaging in key oversight activities, such as setting top-level policies and reviews of privacy and security budgets to help protect against breaches and mitigate financial losses, the research found. Less than one-third of the respondents indicate their boards and senior executives are undertaking basic responsibilities for cyber governance.
Although improvements are being shown in the formation of board risk committees and cross-organizational teams, nearly half of the respondents indicated that their companies did not have full-time personnel in key privacy and security roles, and 58% of the respondents said their boards have not reviewed their companies’ insurance coverage for cyber-related risks.
"Privacy and security are competitiveness issues, and companies that set the tone of a 'trusted workplace' with their employees also convey the message of a 'trusted business' to the marketplace. Effective governance enhances profitability through the mitigation of liabilities and losses associated with compliance costs, operational downtime, cybercrime, and theft of intellectual property", commented Jody Westby, chief executive officer of global risk at Carnegie Mellon CyLab.
The report recommended that organizations undertake a number of cyber risk governance activities, including: establish the “tone from the top” for privacy and security through top-level policies; review roles and responsibilities for privacy and security and ensure they are assigned to qualified full-time senior level professionals and that risk and accountability are shared throughout the organization; ensure regular information flows to senior management and boards on privacy and security risks, including cyber incidents and breaches; review annual IT budgets for privacy and security, separate from the chief information officer's budget; conduct annual reviews of the enterprise security program and effectiveness of controls, review the findings, and ensure gaps and deficiencies are addressed; and evaluate the adequacy of cyber insurance coverage against the organization's risk profile.
The final survey report, which will analyze differences in responses from Asia, Europe and North America and responses by industry sector, will be released in March