As cybersecurity becomes increasingly central to board discussions of strategy and risk, we’ve seen more boards forming dedicated Cyber Risk or Technology committees. While the names may vary, these committees allow boards to place a heightened focus on cyber risk oversight across the organization–often pulling it out of a busy Audit Committee agenda.
In this episode, Kathy Misunas, a board member with Tech Data Corp. and Boingo Wireless Inc., joins TK Kerstetter to discuss why each of her boards ultimately decided to form a Cyber Risk Committee.
“We had a lot of outside, third-party people accessing our systems,” explained Misunas of the Tech Data board. Over time, she said, the Cyber Risk Committee broadened its scope to account for other technology-related business issues, which emerged from a shifting landscape, mergers, and acquisitions.
Misunas points out that board committees don’t always have to be long-term oriented. Certain boards, she explained, may benefit from having a dedicated cyber risk committee for a specified amount of time (e.g., one or two years). This approach can provide board members with a deep dive, as well as the confidence that they’ve identified the organization’s greatest cyber risks; that they have the right talent in place; that cybersecurity budgets are being allocated properly, etc.
Misunas also emphasizes one of the committee’s most important duties: the cyber breach communication plan.
“The board should really be involved in looking at the crisis communication plan… What would [the company] do if there was a front-page [news story]? Do they have the right people in [place]…? What does the external world need to know about [the incident]? Is the legal department involved? Is an external communication company involved?… This is a whole different set of circumstances–a different set of people involved, different FAQs–than you have in your normal [crisis] plan.”