Guidance published by the Association of Governing Boards of Universities and Colleges (AGB) advises that higher education governing boards should stay apprised of rising cybersecurity threats and fund efforts to address them.
The ‘Cyber Risk Oversight for Higher Education Boards: Key Principles and Practical Guidance for Foundation and Institution Board Members’ guidance details how higher education institutional governing boards can effectively oversee the cybersecurity strategies of their colleges, universities, or institutionally related foundations.
“Governing boards must see cybersecurity as a crucial business matter,” the guidance notes, adding, “particularly during continued ransomware attacks against higher education institutions.”
The guidance provides recommendations for governing boards on how to communicate with their information security teams, including questions about cybersecurity and suggested cybersecurity frameworks for their schools.
“Cyberattacks are a persistent threat to colleges, universities, and institutionally related foundations. This resource includes thought-provoking questions and strategic recommendations for boards to oversee this important component of the organization’s risk portfolio,” Henry Stoever, AGB president and CEO, said in a press release.
The guidance also provides five principles that a governing board should embrace to oversee cyber risks:
- Board members need to understand and approach cybersecurity as a strategic enterprise risk, not just an IT risk;
- Board members should understand the legal implications of cyber risks related to an institution’s specific circumstances;
- Board members should have adequate access to cybersecurity expertise, and discussions on cyber-risk management should be done routinely during meetings;
- Board members should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget; and
- Board-administration discussions about cyber risk should include identification and quantification of financial exposure to cyber threats, and mitigation strategies including insurance.