ISACA and the Institute of Internal Auditors (IIA) recently released a report emphasizing the board’s role in overseeing security risk management. In particular, the report mentioned management of third party risk, arguing that boards should ask tougher questions about third party security. According to an IIA survey, only 14 percent of board members said they were actively involved in cyber security oversight. Even though the SEC has asked board members to get involved, 58 percent of board members admit that they should be doing more. If you’ve struggled to get your board to become engaged in your security risk management efforts, particularly related to third party risk, now is the right time to make them aware.
Third-party breaches trigger steep regulatory fines from agencies like the SEC and the Department of Health and Human Services. Data breaches can also shake shareholder confidence, and they can have devastating consequences for customers whose identities are stolen. The people at the top of the company often pay the price for data breach aftermath. Target’s massive 2013 data breach, which resulted from a third-party vulnerability, cost CEO Gregg Steinhafel his job. In addition, ISS advised Target shareholders to overhaul the board, charging board members with poor risk oversight.
How Boards Can Protect Themselves and Their Organizations