Page 326 - ITGC_Audit Guides
Effective communication among first, second, and third line roles and the board is essential.
Establishing periodic communication helps to ensure the board is provided with relevant
information to effectively carry out an internal control oversight role. The board will also
expect the CAE to provide assurance that management has a strategy and plan in
place to notify the board, enforcement authorities, customers, and the public in the event of a
major breach. Escalation and communication protocols should be established and reviewed by
the board, to ensure timely and appropriate notification takes place if a breach occurs.
The strategy and communication plan should be documented with clearly defined roles and
responsibilities in the event of a disruptive cybersecurity exploit. The plan needs to be tested
and drafts of potential communication letters/press releases reviewed by legal counsel in
advance. A comprehensive, well-planned response and remediation strategy will help
with minimizing the impact to the organization and maintaining the trust and confidence of
customers and other stakeholders in the event a breach occurs.
www.theiia.org Assessing Cybersecurity Risk 22