Authority-to-Operate Processes by Leticia Smith
March 2016 – In the structuring of a security solution for an enterprise, reporting and documentation hold important roles as support for technology solutions. The reporting and operating procedures help designate the liability and cost of remediation in the event of a security incident. Prior to placing systems online, senior management should review privacy and security risks before formally approving Authority to Operate (ATO) documents. Ideally, these reports would be made to a risk committee with responsibility for enterprise risk, including IT risks. It may be advisable for the risk committee to be separate from the audit committee and report directly to the full board of the company.
From a cybersecurity perspective, corporate liability will arise in one of two circumstances: (i) failing to implement any reporting system; or (ii) having implemented a reporting system, then consciously failing to monitor or oversee its operations, “thus disabling [the board] from being informed of the risks or problems requiring their attention.”
Corporate directors, in order to reduce their liability, should require a comprehensive review of their organization’s insurance policies to determine whether, and to what extent, they have coverage in the event of a cyber-attack or breach. Internally to the company, insurance may pay for business interruption expenses, legal expenses, loss of assets, and security event response costs. Externally to the company, there should be coverage for third-party damages, credit-monitoring expenses, postage, advertising, and customer notification and other expenses.
It is imperative for corporate operating boards to regularly review their organization’s incident response programs. Intellectual property and data can be lost with devastating speed, and it is important that staff have their needed authority and guidance to be able to respond without hesitation. To minimize risk and allow teams to practice their procedures, companies need to have a well thought-out and comprehensive plan to address a cybersecurity breach. This should include protocols for internal notification and communications regarding a breach. The plan should establish clear chains of authority for stopping a cyber intrusion, securing data networks and implementing disaster recovery steps on a priority basis. Incident response plans must address external breach notifications to customers, the markets, employees and, if necessary, the appropriate authorities.