Pub. 16 2019 Issue 1

14 O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S - H E L P I N G N E W M E X I C O R E A L I Z E D R E A M S J ust look at the news every few weeks and you will learn yet another company or organization has suffered a cybersecurity breach. Have you really ever considered just how deep this impacts that company or organiza- tion? What are the real costs? How did this this breach occur, how could their IT department let this happen? Who is responsible and how? And ultimately is that company or organi- zation board culpable or responsible in some way? There is no doubt that the costs of a cyber incident can be staggering with first party breach response expenses, busi - ness interruption loss, and third-party litigation all having a noticeable impact on the bottom line. In some cases, the fallout may affect a brand's reputation, strain a company's ability to serve customers, or prevent a nonprofit organiza - tion from effectively fulfilling its mission. Given the existen - tial threat posed by cyber risks, the issue has gradually risen from solely an IT department problem to one that concerns top-level management. In recent years, there have been several high-profile shareholder derivative lawsuits aimed at directors and officers of publicly-traded companies following data breaches, of- ten alleging a breach of fiduciary duty, negligence, or gross mismanagement. Boards of directors for private companies, organizations, and nonprofits alike have a duty of care to their organizations, and individual directors and officers may be held personally liable for their failures, negligence, or inaction. In an era where the prevention of cyber attacks is virtually impossible, it is imperative that boards recognize their exposure to cyber risk and proactively take the steps to manage it. Boards and management should recognize that your cyber security risk exposure is directly related to your IT Management Processes and Practices also. Because of the direct correlation and connection between your IT manage- ment processes and practices and your IT Security boards should pay close attention. Boards should ensure that all the aspects of IT management within a company or organization is following foundational processes and controls specifically around change, configuration, and release management due to the quantitative science that proves these foundational controls drive an IT organization's success and SECURITY. Boards must begin to realize companies and organizations simply can't afford NOT to demand these methodologies are practiced because failure to follow them could be creating the highest un-recognized critical risks and exposure for both the board and the company/organization. Here are some of the major topics that boards should con- template when assessing and addressing their organizations' cyber risk and overall approach to managing your IT assets and systems: 1) Cyber Risk Assessment: Depending on the size of your organization and resources available, a security audit or cyber risk assessment can provide a clear outline of the most like- ly sources of cyber threats, identify vulnerabilities in your network, and provide recommendations to address these exposures from both technological and procedural standpoints. Recognize this starts by assessing your overall IT systems, people, processes and adhering them to IT best practices, which is just as paramount as knowing what inherent risks you can identify and assess. It should be noted that if your IT processes are broken it is a good indicatory your IT security is weak too. Why Boards & Management Should Care About Both Cybersecurity and IT Management Practices! By Mark Allers, IP Services