On Friday, news broke of one of the biggest data breaches in history at the world’s largest hotel company, Marriott International Inc. As per records, the reservation database for its Starwood properties exposed private data of up to 500 million guests, including customers’ passport numbers, travel details and payment-card data.
While regulators, security analysts, boards of directors and the C-suite are examining the fact that the hospitality industry is a primary target for hackers and criminals because of the volume of financial data held in payment and reservation systems, the common denominator is the severity of impact and how to avoid such serious cyber security issues now and in the future. While it is impossible to anticipate every risk, directors can aid the management team by helping the organization see around corners. Here are some of the key lessons we can draw for board oversight of cyber security.
Having the right amalgamation of Skills
The need of the hour highlighted by this incident is a board composition that is diverse in background, skills, perspectives and experiences. Along with board diversity, what matters is keeping board skills fit for purpose. This calls for a strong commitment from all directors to continuous improvement: staying current with industry, technology, societal and other trends that have a significant impact on the organization’s strategy, sustainability, growth, competitive position and risk profile.
Having a strong Dedicated Committee for Cyber Risks
With the recent upsurge in information security breaches, it has become evident that cybersecurity oversight is not a casual, part-time pursuit. Because they are dynamic in nature, cybersecurity risks cannot be governed by conventional risk management alone. While fundamental enterprise risk management processes might be effective, it is important to recognize that they may not capture high-impact cyber security risks. A focused, dedicated cyber governance committee is the proactive approach needed to identify, monitor, report and remediate cyber risks in time.
Continuous Reporting on Cyber Governance – a constant agenda for Boardroom discussions
In a disruptive, volatile and uncertain business landscape, companies need to re-evaluate the frequency and format of boardroom discussions on cyber governance. It has been observed that valuable information already exists within the company that can help identify many types of cyber risk at an early stage, but often this information does not reach the board in an actionable form. While advances in technology such as data analytics and artificial intelligence can make more information available in real time, it is also important to ask how frequently this information is reviewed, discussed and acted upon. It is vital to check that the processes governing the flow of information to the board keep pace with changes in the business and risk environment, and that reporting thresholds are clearly established and well understood.
As this incident shows, whether risks come from internal or external sources, or are driven by unexpected circumstances or under-reported issues, high-impact cyber risks do not wait for boards and the C-suite. The key is an adaptive cyber governance strategy that better positions the organization to manage cyber risks and mitigate those that cannot be eliminated. Strengthening adaptive governance requires changes to boards’ composition, skills and operating processes when long-term brand reputation, sustainability and growth are at stake.