The costs of a cyber attack can be significant. To protect finances, liability, reputation, and future growth, corporate boards must ensure that their companies have appropriate processes in place to manage cyber risk in the context of their business. This article looks at cybersecurity from a governance perspective and offers suggestions for directors on how to carry out their oversight role.
For many companies, 2013 marked the year that responsibility for oversight of cybersecurity moved from the IT department to the boardroom. Publicity surrounding China’s growing cyber army, massive theft of information by trusted insiders like Edward Snowden, and large data breaches, such as the one experienced by Target Corporation in December 2013, all helped to elevate cyber risk to the forefront for business executives. With so much at stake for a business—financial loss, operational disruption, competitive disadvantage, legal liability, and harm to corporate reputation—the question for corporate directors and officers is not whether to become involved in cyber risk management, but how to appropriately oversee their company’s initiatives.
The Rewards and Risks of Information Technology
Virtually every essential business function performed today uses information technology, making IT both a key business enabler and a critical business risk. The task of balancing business and employee demands for greater connectivity and access to information with the security concerns that may arise from granting those requests is complex and challenging. Each device or software application used can help facilitate new business opportunities, but those technologies also have the potential to be used to infiltrate or harm the business.
Balancing the rewards and risks associated with the use of smart phones and other mobile devices by employees and/or board members is just one example of the growing challenges that corporate cybersecurity professionals face. Mobile devices facilitate working remotely, but the microphones and cameras in those devices that enable business functionality can also be activated remotely to record and monitor communications in real time, creating a potential risk that important financial and strategic data could be compromised.
Malicious actors can leverage information technology in countless ways that can negatively impact a business. Ironically, the very information technology originally developed to enable businesses may now be used as a weapon against the enterprise. For example, Iranian attackers harnessed the power of cloud computing to launch massive denial of service attacks against the US financial services industry, including JPMorgan Chase, Bank of America, Citigroup, and others, resulting in disabled corporate websites, lost revenues, high customer dissatisfaction, and new security technology expenditures. In another example, reports have shown that software programs like Metasploit, originally developed to help defenders identify security holes in their own systems, have been used by outside actors to exploit those same vulnerabilities.
The most damaging attacks may not even come from external threats, but from knowledgeable, trusted insiders with access to sensitive information. In 2013, former National Security Agency (NSA) contractor Edward Snowden demonstrated that even the most secure organizations are vulnerable to the insider threat. Enabled by advances in data storage that allow a nearly unlimited amount of information to be placed on a device small enough to fit in one’s pocket, Snowden was able to bypass the NSA’s digital and physical access management security and steal hundreds of thousands of classified documents.
Insider threats pose challenges for companies in the private sector as well. Last year, the US government obtained an indictment of Sinovel Corp., a China-based manufacturer and exporter of wind turbines that used an insider to steal proprietary source code and confidential business information from American Superconductor (AMSC). The theft led to lost customers, which in turn caused a massive drop in the company’s stock price, from which it has not recovered.
Cyber attacks can also destroy data and assets, with the potential to inflict severe economic loss on a business. An August 2012 attack against oil company Saudi Aramco completely erased the hard drives and contents of approximately 30,000 corporate computers, all of which had to be replaced. A similar attack was used in March 2013 against banks in South Korea. The Stuxnet virus, launched several years ago against an Iranian nuclear facility, demonstrated that cyberweapons could be used to physically destroy infrastructure. Remarkably, the virus destroyed nuclear centrifuges even though the facility was physically isolated and disconnected from the Internet. While cyber attacks resulting in this type of destruction, fortunately, remain rare, the ability to inflict this type of damage clearly exists.
Potential Enforcement and Liability
If new attack vectors and threat actors aren’t enough cause for concern, corporate leaders face significant and growing legal liability for failing to protect their businesses. In the United States, cybersecurity regulations in the financial, energy, and defense sectors continue to expand. President Obama issued an executive order in 2013 creating new cybersecurity standards for critical infrastructure companies.
The Federal Trade Commission has been actively enforcing consumer protection laws against companies that have suffered breaches, most notably the ongoing case against Wyndham Worldwide Corporation. Private regulatory organizations such as the credit industry-sponsored Payment Card Industry Council are developing stricter security guidelines for retailers that process credit card transactions, and banks and credit card institutions continue to enforce noncompliance with those guidelines through fines. Nearly every US state has a data breach notification law that allows state attorneys general to pursue actions against organizations that fail to appropriately disclose incidents involving their constituents’ information. Federal agencies have announced increased oversight of new security requirements for companies that maintain personal health information.
The Securities and Exchange Commission, which issued guidance to publicly traded companies in 2011 about their obligations to disclose cyber attacks to shareholders, is now poised to enforce nondisclosure of material cyber incidents. In addition, the commission will hold a public roundtable in March 2014 to discuss the issues and challenges cybersecurity raises for market participants and public companies, and how organizations are addressing those concerns. Following a massive data breach involving customer information in December of 2013, Target Corporation faces nearly 70 lawsuits, including at least two shareholder derivative lawsuits that allege that the company’s board of directors breached their fiduciary duties by failing to take sufficient steps to protect the company from a breach and its consequences.
Beyond the United States, countries around the globe continue to adopt new, tough laws requiring various levels of protection of business and customer information. The European Union, for instance, has already adopted stringent data privacy standards, and is poised to require companies to implement greater cybersecurity controls to protect their businesses, and Asian countries like Singapore assess financial institutions against a robust set of internal and vendor-focused security controls. The lack of standardization in security requirements poses a huge challenge for businesses and the people charged with meeting those standards. For companies seeking to expand operations, data security and privacy are critical components needed to compete in virtually every market and, for some companies, to differentiate service offerings from less-secure competitors.
The Board’s Role
With so much at stake for a business, it should be clear that cyber risk management is not merely the IT staff’s responsibility. Cyber risk management should be an enterprise-wide effort with participation from senior executives, corporate officers, and directors to ensure that the appropriate strategies, risk management policies, and budget for the company are in place. Many corporate directors recognize that cyber risk management is an integral component of their fiduciary duty to the company, requiring them to act with care and diligence. Still, many boards struggle with how to effectively execute their duties to the company in the area of cyber risk management. The following steps may serve as a good starting point.
Understand cyber risk
To begin, though awareness continues to improve, many board members simply may not have a strong understanding of cyber risks and their actual or potential impact to the company. Reasons for this lack of awareness typically include the board’s general discomfort or disinterest in information technology, the technology staff’s difficulty in communicating risks to the business leaders, or the incorrect assumption by leadership that the company is impervious to a consequential cyber incident.
If this is the board’s first time engaging on cybersecurity issues, a briefing by a trusted internal, external, or even government advisor can help educate board members about important issues related to cyber threats, vulnerabilities, and consequences, and can help put those risks into the context of the business. Directors may also consider asking directors of other boards with more experience overseeing cybersecurity issues within their organizations to help supplement their information. Boards may also want to consider the framework or recommendations of widely recognized groups.
Evaluate the organizational approach to cybersecurity
Prioritizing cyber risk management at the board level can help to increase awareness, establish management and oversight expectations, facilitate information exchange about strategic and technical cyber risk challenges between the board and employees, and help facilitate a companywide culture of cybersecurity. Directors should focus on both creating a board-level governance structure and evaluating the corporation’s approach to cyber governance.
A number of companies have designated or created a board-level committee to oversee cyber risk. Some companies delegate cyber risk management to the audit committee. If a company determines that cyber risk oversight should be designated to a board-level committee, the cross-functional impact that cyber incidents can have on the business should be considered in determining where within the board’s organizational structure oversight of such risk is best housed.
Recognizing that cyber risk management is more than just an IT component, directors should ensure that their companies have developed a cyber risk governance program that incorporates business and technology executives and functions across the company. This approach should consider the role of key executives (e.g., CEO, general counsel, chief financial officer, chief information officer (CIO), and chief information security officer), the way that risk management decisions are made, and whether a cybersecurity committee or management team exists or should be created. This committee or team can provide the board with information about a variety of cross-cutting cyber risk issues, including, for instance, existing and emerging legal requirements related to network and data security.
As a result of rapidly expanding legal liability, general counsels are increasingly being tasked with leading or co-leading, along with the CIO, cyber risk governance programs. Fortune 500 companies that maintain enterprise risk management programs are incorporating cyber risk into this broader framework.
Request regular briefings on cyber risk/threats
In order to effectively carry out their oversight responsibility, board members should request strategic and technical information about the company’s cyber risk and mitigation efforts from those responsible within the organization. However, a 2012 survey by Carnegie Mellon University found that fewer than 40 percent of boards regularly receive reports on privacy and security risks, and 26 percent rarely or never receive such information. In a study released in January by the Ponemon Institute, only 12 percent of boards stated that they received cyber threat briefings frequently. Boards that do not have updated information regarding privacy and security risks are unable to adequately consider how to prioritize threats to their companies, and cannot effectively oversee or approve management priorities. Since cyber risks and threats can change quickly, directors with designated responsibility for overseeing cyber risk management should receive briefings or updates at least quarterly. Briefings to the full board should be provided semiannually or as situations warrant.
Prioritize material cyber risks to protect business value
Not all cyber risks are created equal; therefore, companies must prioritize cybersecurity initiatives. Businesses should focus their resources on reducing material cyber risks by protecting their “crown jewels,” which are the information and technology assets that could have the most significant financial impact on the business if compromised, destroyed, or disrupted. In other words, the company’s “worst case scenarios” for a cyber attack should be the ones to which it devotes the most resources.
In considering financial impact, a company must not only consider direct financial and economic loss, but the financial harm that can arise from defending lawsuits, operational disruption, reputational damage, and competitive loss.
Regardless of the industry, ensuring that the company’s cyber risk management strategy is built around protecting the information and assets that are important to the business is a key role of the board. Board members are well suited to help their companies with this important discovery process. They have knowledge of the company’s business information, trade secrets, customer records, and essential technology.
Prioritizing a cyber risk management program without considering the business consequences to the company can waste valuable resources protecting the wrong things. Unfortunately, according to a 2013 study conducted by Tripwire, over 30 percent of companies say they do not have a “risk-based” security management program. Moreover, a 2010 Forrester report revealed that organizations allocate the same amount of resources to protect their company secrets and customer data, even though they consider company secrets twice as valuable as the data. Sensitive business data that provides the most value to business operations and future success should be prioritized and guarded with appropriate resources. Board members can promote the concept of protecting business value within their organizations by participating in these information identification initiatives.
A cyber risk management program that is focused on material risks and consequences to the company will also help public companies satisfy their fiduciary duty and legal obligations to investors. The SEC stated in 2011 that public companies must report material cyber risks and incidents to their shareholders. Identifying and mitigating the cyber risks that would have the most significant economic impact to the business can help reduce the likelihood that a company will have to disclose incidents to its shareholders, thereby protecting business value and reducing liability exposure.
Boards should keep in mind that information vital to the long-term success of the organization resides not only within the walls of the corporate castle, but also on the networks of the company’s external advisors (its law firms, consulting firms, etc.). Ensuring that the company has a vendor risk management plan is an essential step to managing material cyber risk.
Request a security technology “roadmap” and budget estimates to implement the strategy
Technology is an important component to help reduce cyber risk. Directors should review the company’s cybersecurity expenditures to ensure that they are aligned with reducing the company’s most significant business risks.
Though cyber threats have evolved significantly in recent decades, many companies still use traditional perimeter-based technical approaches to defend their networks and data. According to a 2013 ISACA study, more than 80 percent of companies reported that they use traditional perimeter security, including firewalls, routers, and antivirus/anti-malware programs, to defend themselves against advanced persistent threats (APTs). Modern cybersecurity requires visibility inside the network and at endpoints that traditional firewalls and antivirus technologies cannot provide solely at the perimeter. Boards play an important role in ensuring that their companies acquire the appropriate technology to protect the most critical elements of the business. Directors should request a security technology “road map,” a strategy with accompanying budget that incorporates the company’s business risks into a technology acquisition strategy.
In considering the role of technology, it is becoming clear to most organizations that they must maintain a “real-time” view of the security of the company’s networks and data in order to identify and mitigate incidents when they occur. It appears that few companies are doing this successfully. Companies rarely discover data breach incidents on their own: Verizon reported that almost 70 percent of penetrated companies did not know until told by a third party. Moreover, that same report found that it took “weeks or months” for most companies to discover they had been breached.
Having real-time security and event monitoring can help companies develop metrics to measure progress and maturity over time. Ironically, though they would clearly benefit from receiving real-time information about the company’s security posture, board members are among the least likely members of an organization to request such a capability.
While the amount spent on security is not a direct measure of a company’s security posture, it can provide indications of how the company treats the issue. A 2013 PwC survey found that companies typically invest only 3.8 percent of their total information technology investment in security. Though there is no “right” or “wrong” percentage of investment in cybersecurity, corporate directors should inquire about whether budgets are adequate for all information technology operations, including security.
Having a security technology roadmap and corresponding budget to implement it can lead to a more efficient allocation of resources that reduces the company’s most significant risks. After a breach event, for instance, companies often rush to buy technology without fully appreciating the problem that they are trying to solve. Board members addressing a breach event should ensure that any technologies purchased are aligned with the company’s short-, medium-, and long-term requirements, and should review this alignment iteratively.
Test your company’s response plan with a cyber exercise
Even with a robust strategy and cutting-edge technology, a company may still suffer a breach. Advanced preparation and effective crisis management are therefore key elements of a company’s cyber risk management strategy. Knowing when to bring in technical and legal support and how to engage with law enforcement, customers, shareholders, the media, and other affected parties is critical to reducing the damage that could result from a cyber incident. Unfortunately, many companies do not adequately account for a cyber-related incident in their business continuity and disaster recovery plans, and few companies test their plans before a cyber crisis occurs.
Simulations that include the participation of important executive and operational personnel across the organization can strengthen awareness and improve the ability of teams from across the organization to work together and to communicate quickly and effectively in a real crisis. Scenarios should test a variety of different cyber incidents, from the loss of critical data to significant operational disruption. Board members should initiate and participate in such exercises to help them understand their role and responsibility during a crisis. After-action reports that summarize the simulation findings and contain actionable recommendations for board members and business leaders to improve cyber risk management can help drive important changes in the business that may help reduce the risk of future events or, at the very least, any damage that may result from such an attack.
Cybersecurity is a rapidly changing risk that every business must address. Corporate directors play an important role in ensuring their companies have sufficient policies and resources in place to address that risk and to respond in the event that the company does suffer a cyber attack. Boards should ensure that they are requesting and receiving appropriate and timely information to help them fulfill their oversight role in managing cyber risk.