The recent regulatory guidelines, viz. the RBI Master Directions of Nov 2023 and the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) of Aug 2024, place added importance on cyber resilience, business continuity and disaster recovery, incident response and recovery from cyber incidents. Boards are increasingly attentive and seeking deeper insights on the organizations' preparedness to respond to and recover from cyber incidents. Being part of the Boards of regulated entities, I saw this quarter's IT Strategy and Technology Committee meetings, as well as the Board meetings, delve deep and enquire with the security and technology leadership and sometimes directly with the MD/CEO, on:

1. Cyber incidents reported, their impact and root-cause assessments. Note: for the organizations, these were mostly hits or false positives.
2. Resilience scores, with Q-o-Q and Y-o-Y comparatives
3. Business Continuity Drills and results
4. Disaster Recovery exercises and results
5. Health check report on the primary as well as the recovery sites, including cloud DR assessments
6. Cyber / technology risk assessments
7. Compliance and reporting (technology)
8. Ongoing governance and improvement around the Cyber Crisis Management Plan (or similar plan, by whatever nomenclature it's defined)
9. Adequacy of technology & security resourcing and training
10. Data protection, with special emphasis on vendor / third party access to critical data & resources and controls around the same

The above were some of the top discussion points, but not the only ones. As Boards are made more and more involved in and responsible for governance of the organizations' cyber security, resilience, technology governance and risk assurance, Board members will engage more regularly in discussions about cyber risks, and inquire of the management about their capacity-capability-readiness to respond to and recover effectively from cyber incidents.

And above all, the Board would like to ensure compliance with all the relevant regulatory provisions, including on technology and #cybersecurity. To all Technology and Security leaders - the message is very clear: the regulators and the Boards would like to see much more than a mere tick-mark exercise, especially if you're a regulated entity.
- read through each clause in the directions & circulars from regulators
- assess thoroughly your current status, including process, operations, technology architecture, procedures, documentation et al.
- perform risk assessment - technology and operations, over each part of your business
- conduct data flow analysis, ascertain your data protection strategy
- analyze your third party / vendor connections at all business touchpoints
Once you analyze your current state, compare with the requirements given by regulatory directions. Then, step-by-step, put in the measures, updates, upgrades. These are critical steps and require expert acumen - take help from external experts, as required. #technologygovernance
Cybersecurity Action Plan for Board Members
Summary
A cybersecurity action plan for board members is a blueprint that helps board directors oversee and guide their company’s strategy for protecting digital assets and responding to threats. This plan ensures that cybersecurity is treated as a core business risk and that board members are actively involved in shaping policies, monitoring risks, and meeting legal obligations.
- Review risk landscape: Ask for regular updates on top cyber risks, how they're mitigated, and whether the company is prepared to respond quickly if an incident occurs.
- Prioritize compliance: Check that your organization is meeting all relevant cybersecurity regulatory requirements and reporting deadlines across different jurisdictions.
- Champion awareness: Encourage ongoing education for board members and employees so everyone understands their role in keeping the business safe from cyber threats.
⚠️ Boards have been put on notice. They own #AI and #cybersecurity risks - not IT teams.

I wrote previously on Anthropic's release of its latest AI model, Mythos, a powerful AI cyberhacker, and the dangers it can unleash on critical information infrastructures the world over. In the wrong hands, critical systems can be attacked:
• Governments and banks
• Hospitals and healthcare infrastructures
• Power grids and public services
Access was initially limited to a handful of trusted companies, but there are reports that other actors have now gained unauthorised access to it. While the Singapore government does not have access to Mythos, it is working with partners who do to better understand its capabilities and implications.

✅ 5 recommended actions:
1️⃣ Update cybersecurity risk assessments of IT systems
2️⃣ Maintain full visibility of asset inventory
3️⃣ Shift to continuous monitoring, automated detection and response
4️⃣ Govern AI tools and their use
⭐ 5️⃣ Deploy AI actively as defence

🔍 Boards are also expected to commission a review covering:
1️⃣ Are AI-enabled threats in your risk assessments?
2️⃣ Do you have full visibility over critical systems & third-party dependencies?
3️⃣ Is your incident response fast enough?
4️⃣ Is your use of AI tools properly governed?
⭐ 5️⃣ Where can AI strengthen your defences?
Where gaps are found, management must remediate and resource accordingly.

⭐ As a #lawyer and #board director who has worked at the intersection of #technology, #governance and #risk mitigation for some time now, I see AI, cybersecurity and regulatory risks already converging on boardroom tables. The boards that navigate this well will not necessarily be the ones with the biggest IT budgets. They will be the ones with the right people around the table - directors who understand law, regulation and digital systems well enough to ask the hard questions.

#governance #law #tech #AI #board Singapore Institute of Directors Cyber Security Agency of Singapore (CSA) 📸 Link to The Business Times article below:
In an article last year for Foreign Affairs Magazine (https://lnkd.in/ggFTEU3z) on how to catalyze a sustainable approach to cybersecurity, Eric Goldstein & I emphasized that in every business the responsibility for cybersecurity must be elevated from the IT department to the CEO and the Board. As we noted, the trend is moving in the right direction: In a survey conducted by NACD (National Association of Corporate Directors), 79% of public company directors indicated that their Board’s understanding of cyber risk had significantly improved over the past two years. The same study, however, found that only 64% believed their Board’s understanding of cyber risk was strong enough that they could provide effective oversight. To improve those numbers, CEOs & Boards must take ownership of cyber risk as a matter of good governance. This is largely a cultural change: where cybersecurity is considered a niche IT issue, accountability will inevitably fall on the CISO; when cybersecurity is considered a core business risk, it will be owned by the CEO and Board. Recognizing that Board members in particular have special power to drive a culture of "Corporate Cyber Responsibility," I asked my Advisory Committee to make recommendations on how to advance such a culture. The effort, led by Dave DeWalt, highlighted several key points: Board members should be continuously educated on cyber risk, with cybersecurity considerations appropriately prioritized in every business and technology decision, and decisions to accept cyber risk scrutinized and revisited often. Boards should also ensure that the thresholds for reporting potential malicious activity to senior management are not set too high; “near misses” should be reported along with successful intrusion attempts, as much can be learned from them. 
In addition, Boards should ensure that adequate long-term security investments are available to address the safety consequences of antiquated technology, with new investments focused on technology that is #SecureByDesign. Finally, Board members should ensure that CISOs have the influence & resources necessary to make essential decisions on cybersecurity, with decisions to prioritize profits over security made both rarely and transparently. The Committee also recommended developing a Cybersecurity Academy for Board Directors & set about establishing a pilot program, which was held yesterday at the U.S. Secret Service Training Center (https://lnkd.in/eVSzP_sx). Huge thanks to my teammate Kimberly C. for her partnership, as well as the awesome Ron Green for driving this effort with Dave & Katherine Hennessey Gronberg, and the great NACD team, led by Peter Gleason. I am super grateful to the Board Directors who participated in this inaugural effort and look forward to their feedback so we can further scale the program.
When preparing for a Board meeting as a CISO, it’s crucial to focus on questions that bridge cybersecurity with business priorities and risk management. Here are key areas you should be ready to discuss:

1. Alignment with Business Goals: You could be asked, “How is our cybersecurity strategy aligned with the company’s broader goals?” This question invites you to explain how your initiatives support growth, innovation, or digital transformation, showing cybersecurity as an enabler, not just a cost center.

2. Risk Landscape: Be prepared to answer, “What are our top cyber risks, and how are we mitigating them?” Boards want clarity on the biggest threats, how they might impact the business, and the effectiveness of your defenses.

3. Business Impact: Expect questions like, “What’s the potential impact of a breach on our revenue and reputation?” Here, you should be able to highlight how your security initiatives support the business strategy.

4. Incident Response Planning: They may ask, “How prepared are we for a cyber incident, and how quickly can we recover?” You should have insights into your incident response plan, any recent tests or simulations, and your team’s readiness.

5. Compliance and Regulatory Requirements: Be ready to address, “Are we meeting all compliance and regulatory requirements?” This includes explaining how you’re keeping the company aligned with evolving data privacy and cybersecurity regulations.

6. Return On Security Investment (ROSI): They might ask, “Are we investing enough in cybersecurity, and are we seeing returns?” Be prepared to show how your budget aligns with industry benchmarks and the tangible outcomes of security spending. It may be good to also have a Power BI dashboard that shows the mapping between risk, controls, and budget. It's a handy tool. In my previous jobs, I was asked to develop such a tool with a slider that controls the budget and accordingly reflects the change in risk.

7. Third-Party Risks: You could be asked, “How are we managing risks from our vendors and partners?” This is especially relevant if your supply chain is critical. Describe how you assess and monitor third-party risks.

8. Employee Awareness and Culture: Boards are increasingly interested in culture, so expect, “How are we fostering a security-minded culture?” or “What training and awareness programs do we have in place?”

9. Evolving Threat Landscape: Prepare for “How is the threat landscape changing, and are we adapting?” Being able to speak to new trends or emerging threats shows the board that you’re forward-looking.

10. Metrics and Reporting: They might ask, “What metrics are we using to measure cybersecurity effectiveness?” Boards are increasingly data-driven, so they’ll want to understand how you’re tracking performance, like incident response times, vulnerability remediation rates, or risk reduction over time. This question may not be asked depending on how tech savvy your board is.
Board Briefing: Cybersecurity Legal Obligations & Readiness Scorecard

Oversight Duties: Fiduciary responsibility to treat cyber as an enterprise risk. Regular review, challenge, and resourcing.
Disclosure: Ensure truthful, timely reporting (SEC, NYDFS, OSFI, MAS, NIS2, DORA).
Incident Reporting: Jurisdictional deadlines (see below).

• United States: SEC requires board cyber-risk oversight disclosure; material incidents must be disclosed within four business days. NYDFS: the board must oversee, and the CISO reports annually.
• Canada: OSFI B-13: board approves risk appetite/strategy; PIPEDA requires reporting breaches with “real risk of significant harm.”
• European Union: GDPR (72-hour breach reporting), NIS2/DORA: management body accountability, risk-management measures, third-party oversight.
• United Kingdom: ICO reporting within 72 hours; board must oversee DPIAs, response plans.
• Australia: APRA CPS 234 – board accountable for security capability; notify APRA within 72 hours.
• Singapore: MAS TRM – board sets risk appetite, ensures resourcing; Cybersecurity Act: CII breach reporting duties.
• India: CERT-In: report within 6 hours of specific incidents; logging/retention duties.
• Japan: METI Guidelines – management responsible for cyber risk, supply-chain, and incident readiness.

If you enjoy my work and want to motivate me to share more, please buy me a Coffee! Link: https://lnkd.in/g78R_Vvv Link: https://lnkd.in/gNCjtz6U

#Cybersecurity #BoardBriefing #LegalObligations #RiskManagement #CorporateGovernance #DataSecurity #InfoSec #Compliance #CyberRisk #BusinessContinuity #BoardOfDirectors #CSuite #Leadership #FiduciaryDuty #Boardroom #CyberLaw #SEC #GDPR #CCPA #IncidentResponse
My colleague Natura De Pinto and I are pleased to share our new playbook for cybersecurity in the boardroom! Cyberattacks are rising, and boards are feeling unprepared. A recent study found that 65% of directors believe their company will face a major cyberattack in the next year. So, what can boards do? Here are 3 simple steps we learned from our conversations with top CISOs: Step 1️⃣: Focus on resilience, not just prevention. It's about how quickly you recover when a cyberattack happens, not just stopping it. Ask your CISO: How do we balance speed and resilience? Step 2️⃣: Shift from compliance to risk tolerance. Know your organization’s risk appetite and how it impacts your bottom line. Ask your CISO: What are the highest-priority risks? Step 3️⃣: Don’t rush the conversation. Engage in deeper, informal discussions with your CISO to build trust and understanding. Ask your CISO: What keeps you up at night? Cybersecurity is everyone’s responsibility. Let’s get prepared. https://lnkd.in/gyY4q4SX #cybersecurity #cyberresilience #boardroom #kornferryinstitute
🔐 How to talk cybersecurity with executives (without losing the room)

One of the biggest challenges in cybersecurity isn’t tools or threats… It’s communication. Executives don’t ignore security because they don’t care. They ignore it when it’s framed as fear, tech jargon, or endless cost. Here’s how to make cybersecurity resonate at the C-suite level:

1️⃣ Speak in business risk, not technical risk
Instead of: “We need MFA to stop credential attacks”
Try: “A compromised account could halt operations, trigger regulatory fines, and damage customer trust.”
Executives manage risk, revenue, and reputation. Tie security to those.

2️⃣ Quantify impact, not possibility
Avoid “if” and “maybe.” Use:
- Financial exposure
- Downtime costs
- Legal and compliance impact
- Brand and customer trust erosion
Security becomes real when the risk has a dollar sign attached.

3️⃣ Align security to business objectives
Security shouldn’t feel like a blocker. Position it as:
- Enabling growth
- Supporting mergers or expansion
- Protecting customer confidence
- Preventing operational disruption
Secure companies move faster, not slower.

4️⃣ Address budget concerns head-on
Executives don’t fear spending money; they fear wasted dollars. Frame budget conversations around:
- Risk reduction per dollar spent
- Prioritization over perfection
- Phased investments vs. massive overhauls
- Replacing redundant or underused tools
💡 “We’re not asking for more budget, just smarter allocation.”

5️⃣ Show the cost of doing nothing
The most expensive security strategy is inaction.
- Breach recovery costs
- Insurance premium increases
- Lost customers
- Executive and board scrutiny after an incident
Prevention is almost always cheaper than response.

6️⃣ Keep it simple and visual
- Dashboards > spreadsheets
- One-page risk summaries > 40-slide decks
- Clear metrics > technical deep dives
If they can explain it to the board, you’ve done it right.

Cybersecurity isn’t an IT problem. It’s a business continuity strategy. When security conversations shift from tools to outcomes, buy-in follows.

💬 How do you translate cyber risk into executive language at your organization?
#CyberSecurity #Leadership #RiskManagement #ExecutiveCommunication