Understanding the risk
- What is the value of the information we hold (e.g. intellectual property, financial, strategic plans and other business critical information, customer/personal data)? What are our ‘crown jewels’ that need the most protection?
- What is the potential impact if this information is stolen or corrupted (e.g. reputational damage; damage to market value and share price; loss of competitive advantage and market share, direct liabilities to third parties affected, regulatory censure)?
- How much would it cost a third party to obtain this information and what could it be worth to them?
- What are our customers/clients’ expectations of our cyber security?
- How many of our critical business functions are outsourced to third parties?
- Have we conducted due diligence on the cyber security risks across our extended enterprise and supply chain, including the use of cloud based services? How much private and sensitive information is shared with these third parties?
- What provisions are there in the contracts to deal with cyber risk?
- Are our systems engineered to the best levels of security? What could be improved?
- Do we have an effective mobile device strategy? How do we control the use of personal devices for organisational business?
- Are we using social media in our organisation? How do we know what our employees, customers and the public are saying about us on social media? Do we have a social media strategy and could we manage a social media crisis?
Governance and assurance
- Do we have an effective enterprise risk management process in place and are cyber risks fully integrated into this process?
- Are we clear who is responsible for managing risks, can we identify who on the board is responsible, who explains the risks to them and on what information will decisions be made?
- Have we considered our risk appetite in relation to cyber risks, have we communicated this to all functions and do we know if our resources being deployed effectively? How would we know if inappropriate risk taking was taking place?
- Are we fully aware of the regulatory and legal exposure?
- What privacy and data security laws and regulations might the organisation be subject to?
- What are the implications for our investment decisions?
- Does our risk strategy support our wider strategic priorities? Does our risk mitigation facilitate and enable growth?
- Are our controls delaying or blocking progress and are we agile enough to exploit market opportunities?
- Do we invest sufficiently in IT risk mitigation, including training, incident preparedness and assurance? How do we prioritise our investment?
- Does our culture support the necessary activities to manage this risk?
- Does our internal audit programme give us sufficient assurance in respect of our cyber risk management?
- What is the management’s approach to IT security risk management?
- What framework does management use in designing its cybersecurity risk management program?
- What processes are in place to periodically evaluate the cybersecurity risk program and controls?
- How will we know if we are being or have been attacked?
- Do we have an incident response plan and have we tested it? Do we have arrangements to obtain specialist advice and services post breach (e.g. customer help lines)?
- Who has the responsibility to declare a cyber risk incident?
- Do our business continuity plans include cyber risk scenarios?
- Might we have cover under our existing insurance policies for financial losses caused by cyber risks?
- Are there any other risk transfer possibilities?
- Are we prepared to do a root cause analysis following a breach, particularly to identify human factors, and are we prepared to act on the findings?
- Could we defend our level of preparation in the aftermath of an attack?
- Do we have an effective cyber risk training programme in place including reporting of breaches and subsequent actions?
- Are there initiatives in place to support learners after the training has taken place?
- Does our cyber risk training focus on the technology, the organisation or the individual?
- Who contacts our Insurance Company?
- Does they have a plan to respond to a cyber security threat?
- What and how do we need to inform them if an incident occurs or we suspect an incident?