BDO KNOWS: CORPORATE GOVERNANCE
RISK ASSESSMENT: CYBER MATURITY

[Figure: "Inherent Risk Profile" and "Cybersecurity Maturity" combined in the "Assessment"]

Oversight
• Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
• How can management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
• How can management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Threat Intelligence and Collaboration
• What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?

External Dependency Management
• What third parties does the organization rely on to support critical activities?
• What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cyber Incident Management & Resilience
• How does management validate the type and volume of cyber attacks?
• Does the organization have a comprehensive cyber breach response and recovery plan?
• How does an incident response and recovery plan fit into the overall cybersecurity strategy?

Cybersecurity Controls
• Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
• What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
• How effective are the organization’s risk management activities and controls identified in the assessment?
• Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?

RISK ASSESSMENT: RISK PROFILE
• Is the organization a direct target of cyber attacks?
• What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
• What are the organization’s areas of highest inherent risk?
• Is management updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

CYBERSECURITY METRICS
• How should a board obtain IT metric information?
• Who should deliver IT metrics?
• What should IT metrics contain? In what format should they be presented?
• Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk the organization is willing to accept, transfer, or mitigate?

CYBERSECURITY EDUCATION
• How does the board remain current on cybersecurity developments in the market and the regulatory environment?
• Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology, and are those individuals empowered to carry out those responsibilities?
• Do the inherent risk profile and cybersecurity maturity levels meet management’s business and risk management expectations? If there is misalignment, what are the proposed plans to bring them into alignment?

For more on managing risk related to the governance of cybersecurity, refer to BDO’s archived webinar and self-study course: Managing Risk – Elevating Cybersecurity to the Boardroom.
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax,
advisory and consulting services to a wide range of publicly traded and privately held companies.
For more than 100 years, BDO has provided quality service through the active involvement of
experienced and committed professionals. The firm serves clients through 63 offices and more
than 450 independent alliance firm locations nationwide. As an independent Member Firm of BDO
International Limited, BDO serves multi-national clients through a global network of 1,408 offices
in 154 countries.
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International
Limited, a UK company limited by guarantee, and forms part of the international BDO network of
independent member firms.
BDO is the brand name for the BDO network and for each of the BDO
Member Firms. For more information please visit: www.bdo.com.
Material discussed is meant to provide general information and should not be acted on without
professional advice tailored to your firm’s individual needs.
© 2016 BDO USA, LLP. All rights reserved.