EcoDa has published a report: Cyber-Risk Oversight 2020
Key Principles and Practical Guidance for Corporate Boards in Europe
This handbook is intended to give Board members, in any corporate structure, sufficient knowledge to allow the Board as a whole to fulfil its mandate for the oversight and strategy of information security: to evaluate, fully and comprehensively, the risks their organisation is facing and how effectively it is mitigating those risks. Five principles have been identified for Boards to follow in addressing and ensuring oversight of cyber risk.
Principle 1 - Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
Principle 2 - Directors should understand the reputational and legal implications of cyber risks as they relate to their company’s specific circumstances.
Principle 3 - Boards should ensure adequate access to cybersecurity expertise, with appropriate reports at both Board and Committee level.
Principle 4 - Board directors should ensure that management establishes an enterprise-wide cyber-risk management framework which encompasses culture, preventive, detective and response capabilities, monitoring and communication at all levels. Resources should be adequate and allocated appropriately on the basis of strategies adopted.
Principle 5 - Board discussions about cyber risk should include strategies for their management (mitigation, transfer through insurance or partnerships, acceptance, etc.).

These principles were developed for, and are applicable to and important for, all directors, including members of unitary (one-tier) Boards, two-tier Boards, and Nordic boards. Every organisation has valuable data and related assets that are under constant threat from cyber-criminals or other adversaries. This handbook promotes the principles of strategic risk management. Principle 1 lays the ground for strategic risk governance by the Board. Principles 2 and 3 further guide the Board in assessing the risks and determining appropriate strategies. Principles 4 and 5 offer guidance on what the Board should expect of management in addressing cybersecurity as an enterprise-wide risk management issue.

The five principles for effective cyber-risk oversight detailed in this handbook are presented in a relatively generalised form in order to encourage discussion and reflection by Boards of directors. Naturally, directors will adapt these recommendations to their organisation's unique characteristics, including size, life-cycle stage, strategy, business plans, industry sector, geographic footprint, culture, and so forth.