The importance of information and internet security cannot be overemphasized. When most people think of cyber risk, they usually associate it with banks, insurance companies, medical facilities, etc. As larger institutions become more secure, malicious hackers increasingly look to small and medium enterprises as a gateway into the larger organizations with which those enterprises have direct electronic connections. In an increasingly connected world, no one is immune from cyber attacks, whether direct or through third-party connections. Once relegated to the Chief Information Officer, cyber security is now considered an integral part of overall Enterprise Risk Management.
Board members, trustees, C-suite executives and plan sponsors are all fiduciaries. A fiduciary is a person who holds a legal or ethical relationship of trust with one or more other parties (a person or group of persons). Fiduciaries can be held individually liable for any breach of fiduciary duty. Consequently, fiduciaries must pay special attention to how information is managed, with a view to ensuring:
Confidentiality: only those who need access to information are allowed access;
Integrity: the information has not been tampered with or deleted without proper authority; and
Availability: the information is available when it is needed.
Failure to properly protect proprietary information can easily result in a situation where a fiduciary is found to have breached his or her fiduciary responsibility. Individual board members can be held liable for such breaches, and standard D&O insurance does not offer significant protection.
Our approach is based, in part, on recommendations from the National Institute of Standards and Technology (NIST) and on the controls developed and promoted under ISO 27001. The approach is broken down into five areas:
Identify those assets (including human and technical) that need to be managed;
Protect those assets through appropriate safeguards;
Detect possible threats as they happen;
Respond appropriately and in accordance with a well-thought-out plan; and
Recover the compromised assets and return the organization to full operation.
Fiduciaries have no choice. Just as they identify and manage risk in other areas of their business (treasury, marketing, accounting, logistics, etc.), they must approach cyber security with the same careful attention to detail.