For Immediate Release
WASHINGTON, DC (November 3, 2021)—The Association of Governing Boards of Universities and Colleges (AGB), the premier organization advocating strategic board leadership in higher education, and the Internet Security Alliance (ISA), comprising chief information security officers of Fortune 100 companies across critical sectors, today released Cyber Risk Oversight for Higher Education Boards: Key Principles and Practical Guidance for Foundation and Institution Board Members.
This new resource details how boards can effectively oversee the cybersecurity strategies of their colleges, universities, or institutionally related foundations. Cyberattacks pose great threats to organizations and can result in large ransom payouts, costly legal challenges, and reputational damage. Such risks have only grown as many offices and classrooms have expanded their use of technology to address the challenges of COVID-19.
The resource provides five guiding principles that a board should embrace in order to oversee its organization’s cyber-risk portfolio:
- Board members need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.
- Board members should understand the legal implications of cyber risks as they relate to an institution’s specific circumstances.
- Board members should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Board members should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-administration discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.
Using the principles as a framework, the resource covers an array of supporting topics that contribute to developing a comprehensive cybersecurity strategy, including the responsibility of the board, legal requirements, and specific elements involved in cyber-risk planning as part of an overall risk portfolio. It includes a series of tools that offer practical considerations, such as checklists, example metrics, and information about federal cybersecurity organizations and agencies.
“Cyberattacks are a persistent threat to colleges, universities, and institutionally related foundations. This resource includes thought-provoking questions and strategic recommendations for boards to oversee this important component of the organization’s risk portfolio,” said Henry Stoever, AGB president and CEO. “We were pleased to work with ISA and others to develop this essential resource that will continue to grow in importance in the years ahead.”
“Digitization and digital transformation have enhanced exposure to cyber risk across the enterprise, making cybersecurity a strategic risk. Governing boards play a critical role in shaping the overall vision and strategy for their organizations and in setting a tone of security,” said Larry Clinton, ISA president.
Risks in the cybersecurity space have grown in number and scope in recent years. For example, Inside Higher Ed reported on a data breach involving IT security company Accellion that affected multiple institutions across the country. More broadly, hackers have struck at other critical sectors of the country’s economy, including healthcare systems, energy suppliers, financial institutions, and the federal government.
A complimentary e-book version of Cyber Risk Oversight for Higher Education Boards is available for AGB members on the website. Further, this resource is available for preorder in hard-copy format.
The Association of Governing Boards of Universities and Colleges (AGB) is the premier membership organization that strengthens higher education governing boards and the strategic roles they serve within their organizations. Through our vast library of resources, educational events, and consulting services, and with 100 years of experience, we empower 40,000 AGB members from more than 2,000 institutions and foundations to navigate complex issues, implement leading practices, streamline operations, and govern with confidence. AGB is the trusted resource for board members, chief executives, and key administrators on higher education governance and leadership.
The mission of the Internet Security Alliance (ISA) is to integrate advanced technology with economics and public policy to create a sustainably secure cyber system. The ISA board consists of senior corporate executives representing each of the designated critical industry sectors. ISA has three major goals: thought leadership, advocating for market-based public policy, and promoting the use of effective cybersecurity standards and practices. ISA’s “Cyber Social Contract” describes an incentive-based, as opposed to regulatory, approach to public policy. ISA has also partnered with the National Association of Corporate Directors and other director organizations and governments around the world to develop handbooks on cyber-risk oversight that are now available on four continents in five languages. To learn more about ISA, visit www.isalliance.org.