720-891-1663

Board of Directors Risk Management & Cybersecurity Services

Click HERE to read our GRC Solution Assessment Report or call 303-887-5864

"The new U.S. National Security Strategy, upcoming SEC rule changes, and the Caremark Standard make it clear that boards must take a proactive role in reducing company risk ASAP. Cyber risk has now become ubiquitous and insidious. These threats can shatter a company’s reputation, invite company-destroying lawsuits, and reduce company valuations. No one is immune, which makes the responsibility to oversee, manage, and mitigate cyber risk a top-down priority in every organization. The time has arrived for ALL boards to step up and do their jobs of protecting our nation and themselves." --Ray Hutchins and Mitch Tanenbaum

NOTE: The Board of Directors has “risk oversight” responsibility and liability; the board does not itself manage cybersecurity risks or any other risks; instead the board manages corporate oversight of these matters.

We offer the following critical, confidential Board of Directors (BOD) cybersecurity and privacy services:

1. Direct membership on boards as cybersecurity, privacy, and risk management specialists
2. BOD training (see below)
3. Company risk management plan reviews
4. BOD D&O insurance policy reviews
5. Company cybersecurity policy reviews
6. Translation of management and IT reports to the BOD
7. Review of risk management mitigation activities
8. Expert witness services

Our BOD advisory and training services fully align with the U.S. National Cybersecurity Strategy, the NIST Cybersecurity and Privacy Frameworks, the DoD CMMC framework, and any other applicable compliance requirements.

NOTE: For purposes of any engagement, we recommend that we report directly to the board or appropriate board sub-committee and not the organization’s management. This helps the board meet their independent oversight requirements as mandated by the SEC, FTC, and other regulatory agencies.

BOD Training Services

All boards have different interests and requirements for such training, so we tailor each program to your needs. Additionally, boards themselves have widely differing appetites for learning about risk management and cybersecurity. The new U.S. National Cybersecurity Strategy and SEC regulations are increasing the urgency of such training within boards.

Training is typically scheduled during normal board meetings. Each situation is different, but we typically recommend four training sessions over the course of four quarterly or monthly meetings.

Each training session is a 1.5-hour interactive session (Zoom or equivalent) with time for Q&A. Sessions are recorded for documentation and for later training or review. The sessions typically generate many questions.

Trainings are performed by company partners Mitch Tanenbaum and Ray Hutchins, each of whom is eminently qualified to teach their fellow citizens how to better protect our nation's assets.

Over the course of the training, we'll cover:

1. Risk management: Risk management strategies, including risk assessment, risk mitigation, risk transfer, and risk acceptance.
2. U.S. National Cybersecurity Strategy: This important new national strategy impacts many things that affect your company.
3. Ransomware response strategy: Continuity of operations, customer communications, issues related to data exfiltration and preparation for potential class action lawsuits. We will use a very recent incident dumpster fire as the case study.
4. Threat landscape: Overview of the current threat landscape and the potential impact on the organization's operations, reputation, financial performance and company valuation.
5. Regulatory landscape: Covers the new SEC regulation, the Caremark Standard, HIPAA, GLBA, GDPR, CCPA, FTC Safeguards Rules and other applicable compliance requirements.
6. Risk appetite and tolerance: Has your company defined these and are the company's risk management strategies aligned with these levels?
7. Incident response: Board members should be familiar with the organization's incident response and/or emergency operations plans, including the key steps involved in incident response: detection, containment, investigation, and recovery. We'll also cover management's communications with the board during incidents.
8. Third-party risk management: Risks associated with third-party vendors and service providers and how the organization manages these risks.
9. Cybersecurity metrics and reporting: Introduction to the metrics associated with tracking cybersecurity and privacy risks and the effectiveness of risk management strategies. Boards must understand how to interpret these metrics and reports and how to use them to make informed decisions about cybersecurity and privacy risks.
10. D&O and company cyber insurance coverage requirements and considerations.

WORD TO THE WISE: Our competition for board services and training consists primarily of non-profit associations and training organizations. We are a front-line cybersecurity and privacy company doing more than consulting. We are engaged in active response, mitigation, and compliance. Our daily, hands-on operational activities and experience provide any board leadership with more relevant intelligence, insight, and support.

Position Papers of Possible Interest
The Global Cyberwar and Societal Response
Caremark and More Propels New Board Risks
Call us today for more information: 303-887-5864