
Information and communication networks are a fundamental part of our infrastructure and have led to greater accessibility, mobility, convenience, efficiency and productivity. Being connected has become the new normal across so many aspects of our lives, driving significant change across the worlds of business and our private pursuits.

However, such connectivity can bring about both benefits and harms, social and economic alike.

Information systems and internet-connected devices are highly susceptible to malicious cyber activity and our dependence on such systems increases our exposure to threats.

In New Zealand and globally, a wide range of institutions, both public and private, have been subject to malicious cyber activities. There are external parties (threats) who seek to derive value from our organisations’ information.

The traditional approach to cyber security has been to build bigger walls (firewalls, anti-virus software and other perimeter security devices). While still necessary, these alone are no longer sufficient. A holistic approach to cyber risk management – across the organisation, its networks, supply chains and the larger ecosystem – is required.

CYBER SECURITY AND RISK MANAGEMENT

Issues for consideration at Board level

The benefits of adopting a risk-managed approach to cyber security include:

• STRATEGIC: Corporate decision-making is improved through the high visibility of potential risk exposure, both for individual activities and major projects, across the whole of the organisation.

• FINANCIAL: Financial benefit accrues to the organisation through the reduction of losses and improved “value for money” potential, noting that cyber security incidents are a cost.

• OPERATIONAL: Organisations are prepared for most eventualities; having adequate contingency plans provides corporate reassurance and helps ensure business continuity.

This document provides key questions to guide leadership discussions about cyber security risk management for your organisation. They are intended to be non-prescriptive, as organisational context will vary.


Key questions for Boards

This publication incorporates work originally researched, drafted and published by our international partners (Australian Defence Signals Directorate, Her Majesty’s Government of UK ©Crown Copyright, US-CERT). It has been reproduced with permission and any changes have been made at the discretion of the NCSC. As this publication notes, even well defended organisations may experience a cyber incident at some point. This publication cannot, and does not, offer any insurance against such incidents. Organisations are urged to seek professional advice in addressing the risks identified here. This publication is not intended to be a substitute for that.

ver 1: 2013

1. Does the Board understand what cyber security threats the organisation is vulnerable to?

2. Has the impact that a cyber security incident could have on your corporate reputation, share price, intellectual property and organisational wellbeing been identified? For example, what would the consequence be if sensitive information was lost or stolen?

3. Does the Board have a sufficient view of the business impact of cyber security risks to the organisation?

4. Is there a plan to address cyber security risks?

5. Has the plan resulted in sufficient processes for the organisation to detect and respond to cyber incidents?

6. Does the Board have assurance that information assets are protected in a sustainable manner?

7. When failures occur, how resilient is the organisation and how would it recover?

8. Has the Board clearly communicated to the Executive its risk tolerance and expectations in relation to organisational cyber security?

ABOUT NCSC

The National Cyber Security Centre (NCSC) is responsible for safeguarding our nation’s government and critical infrastructure from cyber-borne threats that can affect our national security, public safety, and economic prosperity.

For more information, please visit: www.ncsc.govt.nz

To report a cyber incident: www.ncsc.govt.nz/incidents or +64 4 498 7654