The World Economic Forum’s new report, Principles for Board Governance of Cyber Risk, is the work of a panel of international experts on cybersecurity, including FAIR Institute President Nicola (Nick) Sanna, convened to produce a concise, action-oriented checklist for board members.
Many of the six principles and sets of recommendations point the way to implementing Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification, to provide the financial basis for board oversight of cyber risk management.
“In order for organizations to make effective business decisions, risk determinations should focus on the financial impact to the organization, including trade-offs between digital transformation and cyber risk,” the WEF report says.
The report also encourages board members to “instruct management to establish a consistent framework, using industry-accepted risk quantification models, for calculating the potential economic impact and likelihood of cybersecurity scenarios” and to “base cyber-risk management decisions on the potential impact and likelihood of risk events and functional loss or exposure” – all principles followed by FAIR practitioners as well.
The WEF’s recommended six principles are:
- Cybersecurity is a strategic business enabler
- Understand the economic drivers and impact of cyber risk
- Align cyber-risk management with business needs
- Ensure organizational design supports cybersecurity
- Incorporate cybersecurity expertise into board governance
- Encourage systemic resilience and collaboration
Daniel Dobrygowski, Head of Governance and Trust at the World Economic Forum Centre for Cybersecurity, was a panelist at last year’s FAIR Conference. Watch the session here: Video: How Boards Exercise Proper Cyber Risk Oversight – Tips for Directors from the FAIR Conference.
The WEF report is the latest in a series of guidance documents from respected advisory groups encouraging the quantitative approach to cyber risk management, including the NACD Cyber-Risk Oversight handbook, the COSO report Managing Cyber Risk in a Digital Age and the NIST publication Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286). The WEF report was produced in collaboration with the Internet Security Alliance, the NACD and PwC.