Who can forget the famous lyrics to the 1968 Noel Harrison song “The Windmills of your Mind”? Mirroring many other facets of life, cybersecurity is “[L]ike a circle in a spiral, like a wheel within a wheel, never ending nor beginning.” As the threat landscape changes, as risk appetites shift, and as new regulations come into being, your organization’s approach to cyber risk also must continually adapt. Throw in the new European General Data Protection Regulation and it’s clear that now is the time to be discussing these issues.
Oversight responsibility for cybersecurity has become a board-level responsibility. However, what cybersecurity actually means for a business is often still something of a mystery to some in this position.
Some corporate directors struggle to answer questions such as:
What is our ability to prevent, detect, contain and respond to a cyberattack?
How should our internal departments, such as information technology, legal, and communications, work together when an incident occurs?
What is our overall risk tolerance?
How does our level of preparedness compare to our competitors?
What is the potential impact of a cyber incident to our balance sheet?
What is the return on investment for additional security controls compared to the cost of obtaining cyber insurance coverage?
After last year’s major ransomware attacks, business interruption has become a topic for discussion in many corporate boardrooms. Total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to business, or network, disruption. But there seems to be a lack of ideas on how to mitigate that exposure, how to assess and measure a potential business interruption risk, and how to evaluate this issue with suppliers.
One element of a mature cybersecurity program is cybersecurity insurance. While this is an important spoke in the wheel, it’s also important to understand that it is only one part of the whole.
There is a misconception about what cyber insurance actually is, and almost more importantly, what it is not. Recently, I talked with a medium-sized business about cyber insurance, and their thoughts before our meeting were along the lines of, “if we purchase cyber insurance, we do not need to invest in a cyber security program any longer. After all, we will be insured.”
Even though such a statement is issued infrequently, and would surely not come from any organization that has reached some degree of cyber maturity, it took me by surprise. Yes, risk transfer is important, but only as part of a broader approach to cyber resilience. In a world where systemic cyberattacks are becoming more frequent, nobody wants to be the low-hanging fruit.
In a nutshell, traditional cyber insurance is aimed at dealing with the financial impacts associated with a security or privacy event, including the direct costs of managing the event, loss of income, paying extortion demands, as well as liability, including regulatory fines and penalties in jurisdictions where such costs are insurable.
Cyber insurance itself is not a single coverage. It can be packaged in a number of different ways to match an individual client’s insurance buying strategy and evolving cyber threats, risks, and emerging impacts. It can be a combination of first- and third-party offerings, responding to the direct losses of a cyber event as well as claims asserted by third parties.
It’s also important to say what this type of insurance does not address. Cyber insurance does not replace a cybersecurity program and does not negate the need for good security controls. In fact, some policies may require demonstration of certain best practices in cybersecurity in order to provide indemnification. In order for organizations to effectively manage cyber risk, they should have both an effective security program and insurance in place for when defenses fail.
Like all other risks, it is important to look at cyber risks as a continuous cycle of management, not just a one-time risk mitigation exercise. The cycle is one of determining the current risk posture, by looking at the likelihood of cyber threats and the impacts, as well as the current security controls in place.
Based on the internally-determined risk appetite, if certain risks are considered to be above the threshold, they need to be mitigated by additional controls. Once completed, this cycle will be carried out continuously, as the lyrics to “The Windmills of Your Mind” suggest.
As is the nature of risk, it is almost impossible to eradicate it completely, and there is always a residual risk. It is this residual risk that is picked up by cyber insurance, a necessity even for the most resilient among us.
From the recent botnet attack on home and small-office routers to renewed attention to cybersecurity at the U.S. Securities and Exchange Commission (SEC), directors of companies are tasked with understanding and overseeing a mounting range of information about cyber risks. Recognizing that directors need oversight-specific resources to guide their understanding of this critical risk, the National Association of Corporate Directors (NACD), Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University (CMU) partnered to develop the Cyber-Risk Oversight Program.
The program is tailored specifically to the needs of the director and is updated periodically with webinars to provide context on the most recent developments in cybersecurity. Students who complete the course and pass a series of quizzes are awarded the CERT Certificate in Cybersecurity Oversight. They also join a group of their peers who are publicly acknowledged for having completed the program.
“Cyber-Risk Oversight: Boardroom Update” is the first installment in our Cyber-Risk Oversight webinar series. Completion of the program is not a requirement to view this webinar. Some chief insights from the webinar follow.
What’s New in the Threat Environment
According to the 2017 Cybercrime Report, published by Cybersecurity Ventures and the Herjavec Group, cybercrime will cost the global business market $6 trillion annually by 2021. Summer C. Fowler, a member of the CERT Institute faculty at CMU and an instructor in the Cyber-Risk Oversight Program, says that this considerable cost suggests that directors should pay closer attention to cyber-risk oversight, as cyber risks take a material toll on companies. Below is a summary of some of the more pressing threats discussed in the webinar.
Just under three quarters of cybersecurity breaches to companies’ systems come from an outside source, while 27 percent are from insiders. Fifty percent of the breaches are carried out by criminals acting with financial gain in mind.
Small businesses have become a primary target for cybercriminals because they oftentimes do not have sufficient resources to defend themselves. Directors of these types of companies and nonprofits should ask questions of the organization’s executives to understand how data is being protected.
The average time to discover a breach is six months, which is down from seven months in 2017. This number is alarming, as cybercriminals are still spending significant time in systems without being detected.
Members of boards of directors are very often the targets of whaling attempts, which are phishing attempts in which an e-mail is received that looks like a critical, legitimate request. For example, an e-mail may be drafted to appear as though it has come through the chain of command. There will often be multiple people targeted at once through these attempts, to increase the appearance of legitimacy. Whaling can be extremely convincing, and directors should receive training on how to avoid falling victim to these attacks.
Cybersecurity and the SEC
In recent years the corporate approach to cybersecurity has shifted from a reactive to a proactive mindset. These shifts have also been significant from a legal perspective, as ensuring cybersecurity and data protection becomes the responsibility of many people, rather than one single person. Cybersecurity also has become a priority for the SEC. In 2011, the SEC’s Division of Corporate Finance issued guidance on how companies should approach disclosure of a breach to investors. While the chief regulator of public companies has not since made any specific rules on reporting of cybersecurity incidents, it restated its guidance on what it expects companies to do to be transparent to shareholders about breaches. In February, the SEC released guidance for companies to consider when evaluating cybersecurity risks for disclosure. The SEC suggests that the board needs to think about more than the concrete costs of recovering after a cyber breach.
The factors that a board should consider in cybersecurity disclosure are:
occurrence, frequency, and severity of prior cybersecurity incidents;
probability and potential magnitude of cybersecurity incidents;
adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
aspects of the company’s business and operations that give rise to material cybersecurity risk;
costs associated with maintaining cybersecurity protections;
potential for reputational harm;
existing or pending laws and regulations that may affect the cyber requirements; and
litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Are you interested in earning a respected credential in cyber-risk oversight at your own pace? NACD members and those who are not yet members are encouraged to watch the webinar embedded above to preview the course’s offerings and to register for the course.
With the principle of the rule of law and democratic governance under siege in numerous parts of the world, corporate board members are increasingly considering how global events are creating mounting risks to both their businesses and the bottom line.
These actions are taking place in jurisdictions that have long been high risk for companies. The Democratic Republic of the Congo, Venezuela, and Myanmar, for example, have for some time presented operational challenges as a result of poor governance. In recent years, however, countries thought of as bulwarks for the rule of law have also begun to present challenges for businesses. Some argue that these include the United States, a country that traditionally has been known as a powerful advocate for the rule of law and democratic values and the long-time guarantor of the system of global governance, and the United Kingdom, where the legal and regulatory uncertainty caused by Brexit has seen many investment decisions put on hold.
Just in the last few weeks actions taken by the United States with rule-of-law implications have given some in the business community great pause. US actions regarding Chinese telecom company ZTE Corp. have raised questions as to whether a law enforcement action against a corporate entity can be used as a point of leverage in an international trade negotiation. Notwithstanding policy arguments for and against, the US’s withdrawal from the Iran agreement and pending re-imposition of secondary sanctions create significant uncertainty both for international businesses making investment decisions in Iran, and with respect to the US’s long-term commitments to international agreements. Many also note that America’s executive in chief has imposed considerable pressure on elements of the Federal government whose independence has long underpinned the rule of law in the United States, from individual judges and the judiciary to members of Congress, to law enforcement and the Federal Bureau of Investigation. This pressure has at times taken the form of quite personal attacks that set a concerning precedent, including for businesses that must ask whether they could become a target for a president who dislikes what they may be doing.
It is no secret that businesses do well in jurisdictions where the rule of law is strong: where contracts are enforceable, where fair judicial decisions are rendered without unreasonable delay, where assets aren’t arbitrarily seized or contracts arbitrarily renegotiated, where laws and regulations are transparent and applied fairly, where bribes need not be paid for discretionary actions by government. These are environments where businesses thrive. Indeed, as a 2015 Report by law firm Hogan Lovells and the Bingham Centre for the Rule of Law makes clear, there is a strong correlation between foreign direct investment in a country and the existence of a sound rule of law.
Businesses also do well where basic principles of the rule of law and associated norms are embedded. The separation of powers, the existence of a resilient and independent law enforcement system, and basic respect for truth and fact-based decision making are all important contributors to business success.
Finally, the existence of a strong rule of law correlates with broader societal thriving, making for an invigorated source for customers, employees, partners, and suppliers.
Given this reality, it is imperative that boards be sensitive to the range of rule-of-law issues that impact their businesses, even in jurisdictions where they least expect it. This means considering specific risk factors involving rule of law, above and beyond more generic political risk factors, whenever contemplating entry into new jurisdictions. The same can be said for assessing merger and acquisition or joint venture prospects, even in places where rule of law issues aren’t on the front page of newspapers every day. Indeed, a broad range of rule of law risk factors should be included in standard risk matrices so that business-critical issues such as prospects for the enforceability of contracts, or the ability to get a fair and timely judicial decision, or the independence of law enforcement are specifically considered when assessing risk. Existing governance and compliance frameworks can readily be adapted to reflect rule of law issues, alongside human rights and other risk issues. Rule of law matters should be included on the agenda of board meetings when appropriate.
In addition, boards should consider their companies’ own self-interest in the existence of a strong rule of law, and decide what their role might be in encouraging better governance, both within the companies themselves and in the environments where they operate. Many high-profile businesses have stepped up in recent months to publicly support such issues as countering climate change (as occurred when the US withdrew from the Paris Climate Agreement last year, which precipitated an outpouring of commitments by businesses to meet the goals set out), or in response to gun violence (as with Dick’s Sporting Goods following the Parkland school shooting), for instance.
In this regard, business can serve as a champion of good governance and the rule of law, advocating for improving the standards of governance where appropriate, and initiating collective efforts with like-minded companies with shared interests in stronger rule of law. Chambers of Commerce and other trade associations can be powerful voices when it comes to advocating for a strong rule of law that encourages foreign investment and secures stable business environments. Directors can urge the associations they are involved in to initiate efforts to support the rule of law, helping to bring to bear the influence and credibility of the business community to move the needle, in a positive way, on the quality of governance and the rule of law. Further, there are business-driven associations that provide a platform for collaboration to support the rule of law.
With the rule of law being challenged in so many countries around the world, businesses have both a strong interest in and ability to contribute to fostering a strong rule of law everywhere. Businesses, and their directors, should be part of the urgent work to publicize and mitigate what it is we as a global community will lose if the rule of law is undermined.
Ulysses Smith is a US-based lawyer and director of the Business and the Rule of Law Program at the Bingham Centre for the Rule of Law. All thoughts are his own and do not necessarily reflect those of NACD.