Who can forget the famous lyrics to the 1968 Noel Harrison song “The Windmills of your Mind”? Mirroring many other facets of life, cybersecurity is “[L]ike a circle in a spiral, like a wheel within a wheel, never ending nor beginning.” As the threat landscape changes, as risk appetites shift, and as new regulations come into being, your organization’s approach to cyber risk also must continually adapt. Throw in the new European General Data Protection Regulation and it’s clear now is the time to be discussing these issues.
Oversight responsibility for cybersecurity has become a board-level responsibility. However, what cybersecurity actually means for a business is often still something of a mystery to some in this position.
Some corporate directors struggle to answer questions such as:
What is our ability to prevent, detect, contain and respond to a cyberattack?
How should our internal departments, such as information technology, legal, and communications, work together when an incident occurs?
What is our overall risk tolerance?
How does our level of preparedness compare to our competitors?
What is the potential impact of a cyber incident to our balance sheet?
What is the return on investment for additional security controls compared to the cost of obtaining cyber insurance coverage?
After last year’s major ransomware attacks, business interruption has become a topic for discussion in many corporate boardrooms. Total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to business, or network, disruption. But there seems to be a lack of ideas on how to mitigate that exposure, how to assess and measure a potential business interruption risk, and how to evaluate this issue with suppliers.
One element of a mature cybersecurity program is cybersecurity insurance. While this is an important spoke in the wheel, it’s also important to understand that it is only one part of the whole.
There is a misconception about what cyber insurance actually is, and almost more importantly, what it is not. Recently, I talked with a medium-sized business about cyber insurance, and their thoughts before our meeting were along the lines of, “if we purchase cyber insurance, we do not need to invest in a cyber security program any longer. After all, we will be insured.”
Even though such statements are rare, and would surely not come from any organization that has reached some degree of cyber maturity, it took me by surprise. Yes, risk transfer is important, but only as part of a broader approach to cyber resilience. In a world where systemic cyberattacks are becoming more frequent, nobody wants to be the low-hanging fruit.
In a nutshell, traditional cyber insurance is aimed at dealing with the financial impacts associated with a security or privacy event, including the direct costs of managing the event, loss of income, and paying extortion demands, as well as liability, including regulatory fines and penalties in jurisdictions where such costs are insurable.
Cyber insurance itself is not a single coverage. It can be packaged in a number of different ways to match an individual client’s insurance buying strategy and evolving cyber threats, risks, and emerging impacts. It can be a combination of first- and third-party offerings, responding to the direct losses of a cyber event as well as claims asserted by third parties.
It’s also important to say what this type of insurance does not address. Cyber insurance does not replace a cybersecurity program and does not negate the need for good security controls. In fact, some policies may require demonstration of certain best practices in cybersecurity in order to provide indemnification. In order for organizations to effectively manage cyber risk, they should have both an effective security program and insurance in place for when defenses fail.
Like all other risks, it is important to look at cyber risk as a continuous cycle of management, not a one-time risk mitigation exercise. The cycle begins with determining the current risk posture by looking at the likelihood and impact of cyber threats, as well as the security controls currently in place.
Based on the internally determined risk appetite, any risks that sit above the threshold need to be mitigated by additional controls. Once that is done, the cycle starts again and is repeated continuously, as the lyrics to “The Windmills of Your Mind” suggest.
As is the nature of risk, it is almost impossible to eradicate it completely, and there is always a residual risk. It is this residual risk that is picked up by cyber insurance, a necessity even for the most resilient among us.
Late last month, the US Securities and Exchange Commission (SEC) approved nonbinding guidance urging public companies to “inform investors about material cybersecurity risks and incidents in a timely fashion.” The guidance, which gives greater urgency to current cybersecurity risks, builds on an earlier document issued in 2011. In the SEC’s words, “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” A recent report from the Office of the Director of National Intelligence predicts that the world faces “imminent disruption” from cyber threats—potentially on a massive scale with “lethal” consequences.
Meanwhile, not surprisingly, Congress continues to take action on cyber risk, proposing 191 bills so far on the topic.
The imperative for boardrooms to conduct sound cyber-risk oversight is here to stay—in the boardroom and in the halls of legislation. Luckily, resources abound for corporate directors to get up to speed on what their companies need to know and disclose while awaiting regulations and rulemaking about cyber-risk oversight.
Ubiquity of Cyber Risk
The ubiquity of cyber risk poses a fundamental operating problem for all enterprises. Most businesses today depend on digital technologies to operate, which leaves sensitive data and other assets vulnerable to cyber risk. The new Berkshire Hathaway 2017 annual report puts it well. After listing cyber threats in great detail, the report notes that “These are risks we share with all businesses.” Hacking, phishing, malware, viruses—you name it, it’s happening for all of us. Such events can present a material, existential threat to corporations, and possibly could even physically harm the people who work for them or that they serve. That is why Berkshire’s founder and leader Warren E. Buffett has stated famously that cyberattacks are the “number one problem with mankind.”
Directors on Alert
Corporate directors by and large are keenly aware of their companies’ responsibilities around cyber-risk oversight. NACD’s 2017 survey of members of 660 US public company boards indicated that only 37 percent of directors feel “confident” or “very confident” that their company is properly secured against a cyberattack. This result, which showed lower confidence in a company’s preparation for a cybersecurity incident than in 15 other risk areas, is down from 49 percent the previous year.
Does this mean that companies are less prepared? I read things differently. It means that directors are less complacent.
More directors may be realizing that cybersecurity incidents are inevitable. Directors also are learning more about the topic, with 85 percent of boards reporting at least some knowledge of the topic, up from 78 percent two years before. (In 2015, 22 percent of directors reported that their boards had no or very little knowledge of cyber risk. That dropped in 2017 to 15 percent.)
If you’re feeling either behind or a little foggy on your understanding of these risks, you might consider brushing up with these resources:
Hundreds of directors have enhanced their cybersecurity literacy through the NACD Cyber-Risk Oversight Program, offered in partnership with Ridge Global and Carnegie Mellon University’s CERT Division of the Software Engineering Institute. More than 175 corporate directors and senior executives have completed the course, the world’s first and only program of its type, while an additional 135 now enrolled in the program are progressing to complete the CERT Certificate in Cybersecurity Oversight.
NACD offers the Director’s Handbook on Cyber-Risk Oversight, published jointly with the Internet Security Alliance (ISA) and available to all regardless of NACD membership status. The handbook is the most downloaded publication in NACD history, and the only private-sector publication that has been endorsed by the Department of Homeland Security and the Department of Justice, as well as a wide variety of private-sector organizations such as the US Chamber of Commerce and the International Auditors Association.
ISA and NACD also jointly produce summits on cybersecurity exclusively for corporate boards, where recognized experts and seasoned directors share best practices. As an outgrowth of this initiative, NACD and ISA will cohost our first international dialogue, the Global Cyber Forum, in Geneva, Switzerland, in April 2018.
In all these venues, NACD’s resources on cyber-risk oversight keep driving home several key challenges:
Cyber risk is a global challenge that now threatens to undermine governments, markets, and businesses around the globe. Most cyberattacks are cross-border.
Cyber risk is also systemic, given our reliance on digital networks and devices for commercial, government, and personal use.
For corporations, cyber risk is a strategic, enterprise-wide matter demanding active board engagement. Continuous learning is a must, even for specialists, given how quickly technology and threats are evolving.
Questions to Help You Learn About Your Company’s Security Posture
In closing, I’d like to share some applicable questions shared recently with our members in our Weekend Reader e-newsletter. For your next board meeting, consider asking some of these pointed questions to begin establishing a deeper understanding of cybersecurity across the enterprise.
Which cyber risks are communicated to our company’s shareholders, and in what format?
Has our management team determined what constitutes a material cybersecurity breach?
How effective is our internal escalation process when incidents are discovered?
Have we set clear thresholds for when senior management and the board should be notified?
How is our company’s cyber-risk assessment process integrated into the overall risk-management process?
Can material risks be mitigated by insurance, and does the corporation have sufficient coverage?
Does our company’s cyberbreach response plan include an investor communications strategy?
Under what circumstances is it necessary to inform law enforcement, customers, and other relevant stakeholders?
While corporate directors have some catching up to do, we’re a community of curious, dedicated professionals. Let’s commit to continuous learning and applying that knowledge to sound cyber-risk oversight. We owe it to our shareholders, our customers, and to the security of our economy.
“If you had to sign a cybersecurity certification similar to the financial reporting requirements for corporate officers under Sarbanes-Oxley (SOX) Section 302, could you do it?”
As my firm counsels boards and C-suite executives on cyber risk, we often begin by framing our conversation with that provocative question. How directors answer will indicate how confident they are in the cybersecurity posture of their business.
As an exercise, let’s review SOX Section 302. For the purposes of this discussion I have replaced the finance-related text with cybersecurity-specific language. These changes are bolded, and other elements that are critical SOX measures for proper oversight by officers and the board are underlined.
SEC. 302. CORPORATE RESPONSIBILITY FOR CYBERSECURITY REPORTS.
(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal cybersecurity officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
(3) based on such officer’s knowledge, the cybersecurity statements, and other cybersecurity information included in the report, fairly present in all material respects the cybersecurity condition and results of operations of the issuer as of, and for, the periods presented in the report;
(4) the signing officers—
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report cybersecurity data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Now, how confident are you in the state of your cyberposture? Fortunately, to use the old exercise phrase, “this has been only a drill.”
However, multiple federal regulators, including the Securities and Exchange Commission, the Federal Trade Commission, and state agencies such as the New York Department of Financial Services, have become far more aggressive in holding corporate officers and board members accountable for cybersecurity oversight. And it is not out of the question that SOX-like requirements may materialize in the future, should another series of damaging breaches occur impacting consumers.
Regardless of whether regulators may soon require such specific attestations, significant discomfort with these questions at the board and C-suite level can indicate that cybersecurity is not being managed as an enterprise, twenty-first century business imperative. With sensitive customer information, employee data, operational processes, intellectual property, and trade secrets all on your networks, cybersecurity represents a real business and reputation risk.
While no program or technology can guarantee that your organization will not be hit by a cyberattack, it is incumbent upon us all to learn what we need to know to ask the right questions and to close as many gaps as possible. As the regulatory environment continues to focus on our ability to provide effective oversight, doing nothing is a sure-fire way to find cyberthieves in your system as well as regulators, litigators, shareholders, and customers knocking on the boardroom door.
Tom Ridge is chair of Ridge Global, a risk management and cybersecurity advisory firm. An experienced corporate board member, he previously served as the first U.S. Secretary of Homeland Security and as the 43rd Governor of Pennsylvania.