Responsibilities of members of the board of directors
Working at board level on the risks of cyberattacks

Chapter 2.3

Seven questions to enable the adoption of a suitable approach


Through new ways of fulfilling their fiduciary responsibility to shareholders, and their responsibility for monitoring business risk management, directors can ask themselves seven key questions for understanding cybersecurity issues:

  1. Cybersecurity is not just about data protection.

What is the company’s policy in this area and its actions? Should we limit ourselves to the obligations of the FADP or the GDPR? Are further measures being taken? Do specific risks justify a more sophisticated approach?

  2. Boards of directors should be involved in cybersecurity monitoring based on knowledge of the issues concerned.

For activities in markets other than Switzerland, the GDPR and other regulations impose requirements. The same applies to the Swiss Financial Market Supervisory Authority (FINMA). It is worth asking, then, how the board will participate in this monitoring.

  3. Boards should focus on risk, reputation and business continuity.

This message needs to be passed on, because otherwise the operational teams will want to defend the activity itself, which places excessive stress on the IT teams, or even on external service providers if they are given this task. We must therefore ask ourselves: how should these external service providers be assessed, and how should the quality of their services be validated? It is the company’s responsibility to justify, in the event of a crisis, having chosen one service provider rather than another.

  4. What are the incident response plans?

In addressing this question, it is worth asking what impacts can affect the board of directors and its members, who will have to get involved in crisis management, and how this crisis management will be initiated.

  5. What is the role of the board of directors in the event of an incident?

Ahead of the crisis, the most appropriate makeup of the crisis unit and its internal procedures must be looked into.

  6. What are the disaster recovery plans in the event of a cyberincident?

A Business Continuity Plan (BCP) can provide alternatives in the event that part of the business is paralysed. Backup equipment, a fallback location, secure software and networks: these are just some of the ways to prevent a crisis from eliminating any possibility of maintaining activity.

  7. Are we investing enough in cybersecurity?

Using the background information provided by IT experts, subcommittees or the member of the board of directors who is responsible for this, assess the risks, vulnerabilities and potential impacts, and adopt a set of measures capable of responding to these issues.

2023 © Trust Valley. All rights reserved.