Late last month, the US Securities and Exchange Commission (SEC) approved nonbinding guidance urging public companies to “inform investors about material cybersecurity risks and incidents in a timely fashion.” The guidance, which gives greater urgency to current cybersecurity risks, builds on an earlier document issued in 2011. In the SEC’s words, “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” A recent report from the Office of the Director of National Intelligence predicts that the world faces “imminent disruption” from cyber threats—potentially on a massive scale with “lethal” consequences.
Meanwhile, not surprisingly, Congress continues to take action on cyber risk, proposing 191 bills so far on the topic.
The imperative for boardrooms to conduct sound cyber-risk oversight is here to stay—in the boardroom and in the halls of legislation. Luckily, resources abound for corporate directors to get up to speed on what their companies need to know and disclose while awaiting regulations and rulemaking about cyber-risk oversight.
Ubiquity of Cyber Risk
The ubiquity of cyber risk poses a fundamental operating problem for all enterprises. Most businesses today depend on digital technologies to operate, which leaves sensitive data and other assets vulnerable to cyber risk. The new Berkshire Hathaway 2017 annual report puts it well. After listing cyber threats in great detail, the report notes that “These are risks we share with all businesses.” Hacking, phishing, malware, viruses—you name it, it’s happening for all of us. Such events can present a material, existential threat to corporations, and possibly could even physically harm the people who work for them or that they serve. That is why Berkshire’s founder and leader Warren E. Buffett has stated famously that cyberattacks are the “number one problem with mankind.”
Directors on Alert
Corporate directors by and large are keenly aware of their companies’ responsibilities around cyber-risk oversight. NACD’s 2017 survey of 660 US public company boards’ members indicated that only 37 percent of directors feel “confident” or “very confident” that their company is properly secured against a cyberattack. This result, which demonstrated lower confidence in a company’s preparation for a cybersecurity incident than in 15 other risk areas, is down from 49 percent the previous year.
Does this mean that companies are less prepared? I read things differently. It means that directors are less complacent.
More directors may be realizing that cybersecurity incidents are inevitable. Directors also are learning more about the topic, with 85 percent of boards reporting at least some knowledge of the topic, up from 78 percent two years before. (In 2015, 22 percent of directors reported that their boards had no or very little knowledge of cyber risk. That dropped in 2017 to 15 percent.)
If you’re feeling either behind or a little foggy on your understanding of these risks, you might consider brushing up with these resources:
Hundreds of directors have enhanced their cybersecurity literacy through the NACD Cyber-Risk Oversight Program, offered in partnership with Ridge Global and Carnegie Mellon University’s CERT Division of the Software Engineering Institute. More than 175 corporate directors and senior executives have completed the course, the world’s first and only program of its type, while an additional 135 now enrolled in the program are progressing to complete the CERT Certificate in Cybersecurity Oversight.
NACD offers the Director’s Handbook on Cyber-Risk Oversight, published jointly with the Internet Security Alliance (ISA) and available to all regardless of NACD membership status. The handbook is the most downloaded publication in NACD history, and the only private-sector publication that has been endorsed by the Department of Homeland Security and the Department of Justice, as well as a wide variety of private-sector organizations such as the US Chamber of Commerce and the International Auditors Association.
ISA and NACD also jointly produce summits on cybersecurity exclusively for corporate boards, where recognized experts and seasoned directors share best practices. As an outgrowth of this initiative, NACD and ISA will cohost our first international dialogue, the Global Cyber Forum, in Geneva, Switzerland, in April 2018.
In all these venues, NACD’s resources on cyber-risk oversight keep driving home several key challenges:
Cyber risk is a global challenge that now threatens to undermine governments, markets, and businesses around the globe. Most cyberattacks are cross-border.
Cyber risk is also systemic, given our reliance on digital networks and devices for commercial, government, and personal use.
For corporations, cyber risk is a strategic, enterprise-wide matter demanding active board engagement. Continuous learning is a must, even for specialists, given how quickly technology and threats are evolving.
Questions to Help You Learn About Your Company’s Security Posture
In closing, I’d like to share some applicable questions shared recently with our members in our Weekend Reader e-newsletter. For your next board meeting, consider asking some of these pointed questions to begin establishing a deeper understanding of cybersecurity across the enterprise.
Which cyber risks are communicated to our company’s shareholders, and in what format?
Has our management team determined what constitutes a material cybersecurity breach?
How effective is our internal escalation process when incidents are discovered?
Have we set clear thresholds for when senior management and the board should be notified?
How is our company’s cyber-risk assessment process integrated into the overall risk-management process?
Can material risks be mitigated by insurance, and does the corporation have sufficient coverage?
Does our company’s cyberbreach response plan include an investor communications strategy?
Under what circumstances is it necessary to inform law enforcement, customers, and other relevant stakeholders?
While corporate directors have some catching up to do, we’re a community of curious, dedicated professionals. Let’s commit to continuous learning and applying that knowledge to sound cyber-risk oversight. We owe it to our shareholders, our customers, and to the security of our economy.
“If you had to sign a cybersecurity certification similar to the financial reporting requirements for corporate officers under Sarbanes-Oxley (SOX) Section 302, could you do it?”
As my firm counsels boards and C-suite executives on cyber risk, we often begin by framing our conversation with that provocative question. How directors answer will indicate how confident they are in the cybersecurity posture of their business.
As an exercise, let’s review SOX Section 302. For the purposes of this discussion I have replaced the finance-related text with cybersecurity-specific language. These changes are bolded, and other elements that are critical SOX measures for proper oversight by officers and the board are underlined.
SEC. 302. CORPORATE RESPONSIBILITY FOR CYBERSECURITY REPORTS.
(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m,78o(d)), that the principal executive officer or officers and the principal cybersecurity officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
(3) based on such officer’s knowledge, the cybersecurity statements, and other cybersecurity information included in the report, fairly present in all material respects the cybersecurity condition and results of operations of the issuer as of, and for, the periods presented in the report;
(4) the signing officers—
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report cybersecurity data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Now, how confident are you in the state of your cyberposture? Fortunately, to use the old exercise phrase, “this has been only a drill.”
However, multiple federal regulators, including the Securities and Exchange Commission, the Federal Trade Commission, and state agencies such as the New York Department of Financial Services, have become far more aggressive in holding corporate officers and board members accountable for cybersecurity oversight. And it is not out of the question that SOX-like requirements may materialize in the future, should another series of damaging breaches occur impacting consumers.
Regardless of whether regulators may soon require such specific attestations, significant discomfort with these questions at the board and C-suite level can indicate that cybersecurity is not being managed as an enterprise, twenty-first century business imperative. With sensitive customer information, employee data, operational processes, intellectual property, and trade secrets all on your networks, cybersecurity represents a real business and reputation risk.
While no program or technology can guarantee that your organization will not be hit by a cyberattack, it is incumbent upon us all to learn what we need to know to ask the right questions and to close as many gaps as possible. As the regulatory environment continues to focus on our ability to provide effective oversight, doing nothing is a sure-fire way to find cyberthieves in your system as well as regulators, litigators, shareholders, and customers knocking on the boardroom door.
Tom Ridge is chair of Ridge Global, a risk management and cybersecurity advisory firm. An experienced corporate board member, he previously served as the first U.S. Secretary of Homeland Security and as the 43rd Governor of Pennsylvania.
The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Background on the Breach
Ashley Marchand Orme
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D.-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations to increase the responsibility of banks and insurance to protect their information systems and customer information. The regulations, if instated, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to—among other steps—establish a cybersecurity policy and incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%).
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, which is a global IT and cybersecurity professional association, and White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity, and the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.