Comment le C.A. peut-il s’acquitter de la surveillance des cyber-risques ?

Aujourd’hui, j’attire votre attention sur un article publié par , paru sur le site Cisco Blog, qui porte sur les nouvelles responsabilités qui incombent aux membres des conseils d’administration en matière de surveillance des risques cybernétiques globaux de la société..

Il existe des « guidelines » très utiles qui peuvent aider les membres de la direction (CxC), ceux qui doivent attester (signer) de la véracité des éléments de divulgation relatifs aux risques cybernétiques.

Également, il existe des moyens pour les membres de conseils d’administration de s’assurer qu’ils exercent une veille efficace de ces risques. Cet article fait écho à la conférence du Gartner Security and Risk Management Summit , plus particulièrement à la session  « Finding the Sweet Spot to Balance Cyber Risk ».

Tammie Gartner Session

À mon avis, tous les administrateurs devraient se familiariser avec l’environnement et la gestion des cyber-risques car ceux-ci peuvent avoir des conséquences dramatiques sur la performance de l’organisation.

La lecture de cet article vous sensibilisera davantage à votre rôle d’administrateur et aux conséquences qui en découlent. Voici un extrait de celui-ci. Bonne lecture !


Cyber Threat Management from the Boardroom Risk: Lost in Translation


During the session, the panel had been discussing how the senior leadership teams address the problem of putting their signatures against the risk that cyber threats pose to their organizations. Tammie Leith made a point to the effect that it is just as important for our teams to tell us why we should not accept or acknowledge those risks so that we can increase investments to mitigate those risks.

What caught my attention was that the senior management teams are beginning to question the technical teams on whether or not appropriate steps have been taken to minimize the risks to the corporation. The CxO (senior leadership team that has to put their signature on the risk disclosure documents) teams are no longer comfortable with blindly assuming the increasing risks to the business from cyber threats.Aguilar Session

To make matters worse, the CxO teams and the IT security teams generally speak different languages in that they are both using terms with meanings relevant to their specific roles in the company. In the past, this has not been a problem because both teams were performing very critical and very different functions for the business. The CxO team is focused on revenue, expenses, margins, profits, shareholder value, and other critical business metrics to drive for success. The IT security teams, on the other hand, are worried about breaches, data loss prevention, indications of compromise, denial of services attacks and more in order to keep the cyber attackers out of the corporate network. The challenge is that both teams use the common term of risk, but in different ways. Today’s threat environment has forced the risk environment to blend. Sophisticated targeted attacks and advanced polymorphic malware affect a business’s bottom line. Theft of critical information, such as credit card numbers, health insurance records, and social security numbers, result in revenue losses, bad reputation, regulatory fines, and lawsuits. Because these teams have not typically communicated very well in the past, how can we ensure that they have a converged meaning for risk when they are speaking different “languages”?

In order to fully explore the variations to the term “risk” for the business, I wanted to understand what the Security Exchange Commission (SEC) required of corporations in reporting requirements to their shareholders. The 2013 Cybersecurity Executive Order signed by President Obama, and the release of the NIST Cyber Framework seemed to be giving the SEC a new reason to revisit the topic of cyber security with a revitalized vigor.

The SEC had already published guidance on how corporations should provide cyber security risk disclosures in the CV Disclosure Guidance: Topic No. 2 Date: October 13, 2011. However, the speech that SEC Commissioner Luis A. Aguilar gave at the “Cyber Risks and The Boardroom Conference” at the New York Stock Exchange on June 10 discussed what the “boards of directors can, and should, do to ensure that their organizations are appropriately considering and addressing cyber risks.” In proposing a strong case for the boards of directors to take action, he discussed the “threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats.” He also discussed the derivative lawsuits that were brought against companies, their officers and directors relating to data breaches. What caught my attention most about the speech is when he said, “Thus, boards that chose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

Commissioner Aguilar made a strong recommendation for corporations to voluntarily adopt the NIST Cybersecurity Framework in order to begin addressing the problem with the statement, “While the Framework is voluntary guidance for any company, some  commenters have already suggested that it will likely become a baseline for best practices by companies, including assessing legal or regulatory exposure to these issues or for insurance purposes.”

I am not disagreeing with Commissioner Aguilar, but in practice, this is an incredible challenge for any board of directors as they are now being asked to provide direct cyber security oversight to the internal day-to-day operations of the organization or risk “peril.”