Chapter 7

Establishing an Effective Cybersecurity Risk Subcommittee

As we have outlined in previous chapters, it is critical for all organizations to have a robust cybersecurity risk management framework in place to protect their assets, data, and reputation.

By setting up a cybersecurity risk subcommittee, organizations can ensure that they have a dedicated group of experts who are focused solely on this issue, and who can provide regular guidance and advice to the board of directors. Whether a company is private or public, these steps can help enhance cybersecurity posture and ensure that it is well-prepared to manage and respond to cyber threats.

Step 1: Define the Subcommittee's Purpose and Scope

The purpose of the subcommittee should be clearly defined and communicated to all board members. This includes the subcommittee's role in advising the board on matters related to cyber risk and digital resilience, as well as the limits of its authority. The scope of the subcommittee should also be defined and communicated. This includes the areas of focus for the subcommittee, such as reviewing the organization's cybersecurity risk management practices, emerging threats, and digital resilience.

Step 2: Identify Subcommittee Members

The subcommittee should consist of board members who have a strong understanding of technology and cybersecurity, as well as those who bring diverse perspectives and expertise to the table. It is important to have the right mix of skills, knowledge, and experience to ensure that the subcommittee is effective. Consider including members with a background in technology, cybersecurity, risk management, and legal and regulatory compliance.

Step 3: Provide Cybersecurity Training for Committee Members

Most likely, not all committee members will be technology and cybersecurity experts, so some will need additional training to ensure that they are equipped to carry out their responsibilities effectively. The subcommittee should provide regular training sessions for its members on cybersecurity and technology-related topics. This can include in-person training, online courses, and workshops.

Step 4: Assign a Chairperson

The subcommittee should have a chairperson who is responsible for overseeing its operations and ensuring that its meetings are productive and focused. The chairperson should be a board member who has a strong understanding of technology and cybersecurity, and who is committed to the subcommittee's success.

Step 5: Establish a Regular Meeting Schedule

The subcommittee should meet regularly, at least quarterly, to review the organization's cybersecurity risk management practices and discuss any emerging issues. Preparation should cover all relevant information and data, including regular reports from the organization's cybersecurity risk management team. We recommend that the chair build rapport with the CISO and CIO, who oversee the operational and day-to-day responsibilities.

Step 6: Establish a Work Plan

The subcommittee should develop a work plan that outlines its priorities and objectives for the year. The work plan should include regular reviews of the organization's cybersecurity risk management practices, as well as any specific initiatives or projects that the subcommittee plans to undertake.

Step 7: Regularly Report to the Board of Directors

The cybersecurity risk subcommittee should provide regular reports to the board of directors on its activities and findings. The subcommittee should also provide recommendations for any changes or improvements that are needed to enhance the organization's cybersecurity risk management practices. The subcommittee's reports should be comprehensive and should highlight any areas of concern or areas for improvement.

Proposed Agenda Topics

While each organization is unique, we outline some of the important elements that subcommittees should include on their annual agenda. We have shared 12 areas, which can be divided into 3 topics per quarterly review.

  1. Review of the organization's cybersecurity risk management framework: This includes reviewing the policies, procedures, and practices that the organization has in place to manage cyber risk and ensure digital resilience.
  2. Emerging threats and vulnerabilities: The subcommittee should stay informed about the latest cyber threats and vulnerabilities and assess the organization's exposure to these risks.
  3. Incident response planning: The subcommittee should review the organization's incident response plan and ensure that it is up-to-date and effective.
  4. Cybersecurity insurance: The subcommittee should assess the organization's need for cybersecurity insurance and recommend any changes to the organization's coverage.
  5. Third-party risk management: The subcommittee should review the organization's approach to managing third-party risk, including due diligence and vendor risk assessments.
  6. Employee training and awareness: The subcommittee should review the organization's employee training and awareness programs and recommend any changes or improvements.
  7. Regulation and compliance: The subcommittee should review the organization's compliance with relevant cybersecurity regulations and standards and recommend any changes to the organization's approach.
  8. Budget and resource allocation: The subcommittee should review the organization's budget and resource allocation for cybersecurity and recommend any changes to ensure that the organization has the resources it needs to manage cyber risks effectively.
  9. Data protection, encryption, and recovery: The subcommittee should review the organization's data protection and recovery strategies, including backup and disaster recovery plans, to ensure that the organization's critical data is protected and can be recovered in the event of a breach or other cyber incident. The review should also cover the organization's encryption strategy and assess whether it is adequate to protect sensitive data, both at rest and in transit.
  10. Technology debt: The subcommittee should review the organization's technology debt and assess its impact on cybersecurity risk. This includes evaluating the security implications of outdated software and systems and recommending strategies for reducing tech debt.
  11. Technology roadmap: The subcommittee should review the organization's technology roadmap and assess its impact on cybersecurity risk. This includes evaluating the security implications of new technology deployments and recommending strategies for integrating cybersecurity into the broader technology roadmap.
  12. Cybersecurity metrics and reporting: The subcommittee should review the organization's cybersecurity metrics and reporting and recommend any changes to ensure that the organization is effectively measuring and managing cyber risk.