










and increasingly focused on the company’s “adjacencies,” which can serve as entry points for hackers. The Internet of Things and the digital records that surround people, organizations, processes, and products (“code halos”) call for deeper—if not wholly different—conversations. The board should help elevate the company’s cyber-risk mind-set to an enterprise level, encompassing key business leaders, and help ensure that cyber risk is managed as a business or enterprise risk—not simply an IT risk. Do discussions about M&A, product development, expansion into new geographies, and relationships with suppliers, customers, partners, advisers, and other third parties factor in cyber risk? Help ensure that awareness of—and accountability for—cyber security permeates the organization, with a security mind-set, proper training, and preparation for incident response. Is cyber security risk given regular and adequate time on the board’s agenda? Does the board need a separate committee to focus on it? Where are the company’s biggest vulnerabilities, and how is it protecting its most critical data sets? Do we benchmark against others in the industry? Do we have a cybersecurity scorecard and a robust cyber-incident response plan? Do directors work under the assumption that any email could become public at any time?







































        © 2017 KPMG Central Services, a Belgian Economic Interest Grouping (“ESV/GIE”) and a member firm of the KPMG network of independent member firms affiliated with KPMG International
        Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Belgium.