Ten Questions to Ask Management About Your Organization’s Cyber Readiness
1. What cyber risk management framework does the organization use to assess and benchmark our approach and risk profile (e.g., NIST)?
2. Given management’s assessment of our cyber risks and mitigating procedures, where are our most significant residual vulnerabilities?
3. Where do we rank in cyber preparedness compared to relevant peers, and how frequently does management perform cyber scenario testing/war games? How do we benchmark our performance?
4. Which leaders across the organization are accountable for cyber risks within IT, corporate functions, business units and operational areas? How do we ensure that enough resources are dedicated to each?
5. How are our business continuity/resiliency plans adapting in response to dynamically evolving cyber threats? For example, what company policy and protections are in place regarding ransomware threats and related payments? Do these plans consider local laws?
6. Have we quantified and assessed the potential financial impact of an interruption caused by a cyber event?
7. Do we have a dedicated cyber insurance policy, or are we relying on add-on products or blended coverages? What exposures does our cyber insurance coverage address and what risks have we elected not to insure?
8. What are the limits of liability of cyber insurance that we have available, and how can we determine if they are sufficient?
9. How often will the board be updated on the status of cyber risk management and cyber insurance coverage, and what will be the format of that report?
10. How have we compared our cyber insurance program to our fundamental risk profile, as well as to similarly situated peers in our industry or organizations with similar risk/threat profiles?