Board of Directors Implementation, Execution and Monitoring Certification Program

1. The Board of Directors understand the company’s total risk exposure of a cyber attack, including financial, legal and reputational impacts
2. The Board has the competence, has practised a cyber breach simulation with management and understands the procedure
3. The Board has evaluated the company’s Data and IT culture concerning cybersecurity with Senior Management. All stakeholders and employees are routinely trained. The Privacy, Data Protection IT and Cybersecurity awareness message from the Board and Senior Magamnet is regularly conveyed to employees?
4. Performance bonuses for non-compliance of Privacy, Data Protection IT and Cybersecurity issues are at stake
5. The Board has leveraged third-party expertise, or independent assessment (as described in the corporate Cyber-Risk Oversight Handbook), to validate that the Privacy, Data Protection IT and Cybersecurity risk management program is meeting its objectives
6. There are a benchmark and threshold on the information, senior management provides to help the Board to assess which critical business assets and analytical partners, including third parties and suppliers, are most vulnerable to cyber-attacks?
7. Is the Board comfortable with the process used to assess the company’s cyber risk management program by a third party, and do the results offer a comprehensive view?
8. The Board monitors how senior management is handling and monitoring critical Privacy, Data Protection IT and Cybersecurity vulnerabilities
9. The Board has developed an investment plan based on the managements indication where the next cybersecurity dollars should be invested and why?
10. There is an approved plan on how is the company handling privileged access to Privacy, Data Protection IT and Cybersecurity, and how do they oversee employees with privileged access?
11. The Board has approved the company’s policies on external and other publicly- disclosed Privacy, Data Protection IT and Cybersecurity breaches
12. The Board has a complete overview of Internationa Best Practices and Glæobal Compliance procedures related to Privacy, Data Protection IT and Cybersecurity
13. Does the Board have complete knowledge of lessons learned from those IT and cyber incidents being incorporated into the company’s Privacy, Data Protection IT and Cybersecurity response plan?
14. The Board has identified appropriate and meaningful cyber metrics and the Board is provided on a regular basis the dollar value of Privacy, Data Protection IT and Cybersecurity compliance
15. There is a total plan on how senior management evaluates and categorizes identified Privacy, Data Protection IT and Cybersecurity incidents and determine which to escalate to the Board?