Boards of directors of top companies around the world have made organizational improvements to oversee privacy and security risks within their companies, yet there remains a lack of oversight related to cyber security risk, according to a new report by CyLab, the cyber security research center at Carnegie Mellon University.
“While placing high importance on risk management generally, there is still a gap in understanding the linkage between information technology (IT) risks and enterprise risk management,” says the CyLab report, Governance of Enterprise Security: CyLab 2012 Report, How Boards & Senior Executives are Managing Cyber Risks. “Although there have been some measurable improvements since the 2008 and 2010 surveys, boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies, assigning roles and responsibilities for privacy and security, and receiving regular reports on breaches and IT risks.”
Sen. Joseph Lieberman (I/D-Conn.), a co-author of proposed legislation in the Senate that among other things would have the federal government establish minimum, enforceable cyber security standards for owners and operators of critical infrastructure in the United States, said recently that the CyLab report bolsters the need for the security standards.
The report says that the financial sector has better privacy and security practices than other industry sectors, while noting that “The energy/utilities and industrials sector respondents each indicated that their boards never (0%) address vendor management issues, whereas the financial and IT/telecom respondents said they do (28% and 15% respectively).” It also says that the energy and utilities sector places a lower value on board member IT experience, even though organizations in that sector are heavily reliant on complex computer-based control systems.
“The poor cyber security ranking of the energy sector and other utilities reinforces repeated warnings about the vulnerability of our most critical infrastructure,” Lieberman said in a statement. “These are not scare tactics. They are facts.”
The report also says that “57% of respondents are not analyzing the adequacy of cyber insurance coverage or undertaking key activities related to cyber risk management to help them manage reputational and financial risks associated with the theft of confidential and proprietary data and security breaches.”
The report was authored by Jody Westby, an adjunct Distinguished Fellow at CyLab and a consultant with her own firm, Global Cyber Risk, LLC.