MARCH 2016
www.bdo.com
AN OFFERING FROM THE BDO CENTER FOR CORPORATE GOVERNANCE AND FINANCIAL REPORTING
BDO USA CORPORATE GOVERNANCE PRACTICE
ELEVATING CYBERSECURITY TO THE BOARD – QUESTIONS BOARDS SHOULD BE ASKING
The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Directors need to maintain continual knowledge about evolving cyber issues and about management’s plans for allocating resources to preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven investment decisions that management puts forth for critical areas.

BDO has prepared the following compilation of critical questions that boards and management should be considering with respect to mitigating cybersecurity risk for their organizations. The questions move from the general to the specific, with concentrations on strategy, organizational risk profile, cyber maturity, metrics, cyber incident management and resilience, and continuing education. They may be useful as a starting point for boards to use in their discussions with management, and in their oversight of management’s plans for addressing potential cyber risks.
GENERAL
• What are the potential cyber threats to the organization?
• Currently, do boards feel they are adequately up to speed on cybersecurity issues impacting their organizations?
• Do boards currently have the skill sets necessary to adequately address cybersecurity?
• What should the board be focused on with respect to cybersecurity?
• What is a suggested interaction model between senior management and the board for cybersecurity?
• Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

OVERALL CYBERSECURITY STRATEGY
• Does the board need to play a more active part in determining an organization’s cybersecurity strategy?
• What are the key elements of a good cybersecurity strategy?
BDO USA’s Corporate Governance Practice was developed to provide guidance to corporate boards. The firm works with a wide variety of clients, ranging from entrepreneurial businesses to multinational Fortune 500 corporations, on a myriad of accounting, tax, risk management and forensic investigation issues.

CONTACT
SHAHRYAR SHAGHAGHI, National Practice Leader, Technology Advisory Services, (212) 885-8453, sshaghaghi@bdo.com
MICHAEL VAN STRIEN, Director, Technology Advisory Services, (713) 960-1706, mvanstrien@bdo.com
MAURICE LIDDELL, National Leader, Security & Infrastructure Services, (713) 407-3265, mliddell@bdo.com
AMY ROJIK, National Assurance Partner, (617) 239-7005, arojik@bdo.com
BDO KNOWS: CORPORATE GOVERNANCE
• Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
• How can management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
• How can management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

[Figure: cybersecurity assessment diagram – Inherent Risk Profile, Cybersecurity Maturity, Assessment]

RISK ASSESSMENT: RISK PROFILE
• Is the organization a direct target of cyber attacks?
• What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
• What are the organization’s areas of highest inherent risk?
• Is management updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

RISK ASSESSMENT: CYBER MATURITY
Oversight
• Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology, and are those individuals empowered to carry out those responsibilities?
• Do the inherent risk profile and cybersecurity maturity levels meet management’s business and risk management expectations? If there is misalignment, what are the proposed plans to bring them into alignment?
Cybersecurity Controls
• Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
• What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
• How effective are the organization’s risk management activities and controls identified in the assessment?
• Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
Threat Intelligence and Collaboration
• What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
External Dependency Management
• What third parties does the organization rely on to support critical activities?
• What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

CYBERSECURITY METRICS
• How should a board obtain IT metric information?
• Who should deliver IT metrics?
• What should IT metrics contain? In what format should they be presented?
• Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?

CYBER INCIDENT MANAGEMENT & RESILIENCE
• How does management validate the type and volume of cyber attacks?
• Does the organization have a comprehensive cyber breach response and recovery plan?
• How does an incident response and recovery plan fit into the overall cybersecurity strategy?

CYBERSECURITY EDUCATION
• How does the board remain current on cybersecurity developments in the market and the regulatory environment?

For more on managing risk related to the governance of cybersecurity, refer to BDO’s archived webinar and self-study course: Managing Risk – Elevating Cybersecurity to the Boardroom.
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax,
advisory and consulting services to a wide range of publicly traded and privately held companies.
For more than 100 years, BDO has provided quality service through the active involvement of
experienced and committed professionals. The firm serves clients through 63 offices and more
than 450 independent alliance firm locations nationwide. As an independent Member Firm of BDO
International Limited, BDO serves multi-national clients through a global network of 1,408 offices
in 154 countries.
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International
Limited, a UK company limited by guarantee, and forms part of the international BDO network of
independent member firms.
BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.
Material discussed is meant to provide general information and should not be acted on without
professional advice tailored to your firm’s individual needs.
© 2016 BDO USA, LLP. All rights reserved.