Who can forget the famous lyrics to the 1968 Noel Harrison song “The Windmills of your Mind”? Mirroring many other facets of life, cybersecurity is “[L]ike a circle in a spiral, like a wheel within a wheel, never ending nor beginning.” As the threat landscape changes, as risk appetites shift, and as new regulations come into being, your organization’s approach to cyber risk also must continually adapt. Throw in the new European General Data Protection Regulation and it’s clear now is the time to be discussing these issues.
Oversight responsibility for cybersecurity has become a board-level responsibility. However, what cybersecurity actually means for a business is often still something of a mystery to some in this position.
Some corporate directors struggle to answer questions such as:
What is our ability to prevent, detect, contain and respond to a cyberattack?
How should our internal departments, such as information technology, legal, and communications—work together when an incident occurs?
What is our overall risk tolerance?
How does our level of preparedness compare to our competitors?
What is the potential impact of a cyber incident to our balance sheet?
What is the return on investment for additional security controls compared to the cost of obtaining cyber insurance coverage?
After last year’s major ransomware attacks, business interruption has become a topic for discussion in many corporate boardrooms. Total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to business, or network, disruption. But there seems to be a lack of ideas on how to mitigate that exposure, how to assess and measure a potential business interruption risk, and how to evaluate this issue with suppliers.
One element of a mature cybersecurity program is cybersecurity insurance. While this is an important spoke in the wheel, it’s also important to understand that it is only one part of the whole.
There is a misconception about what cyber insurance actually is, and almost more importantly, what it is not. Recently, I talked with a medium-sized business about cyber insurance, and their thoughts before our meeting were along the lines of, “if we purchase cyber insurance, we do not need to invest in a cyber security program any longer. After all, we will be insured.”
Even though such a statement is issued infrequently, and would surely not come from any organization that has reached some degree of cyber maturity, it took me by surprise. Yes, risk transfer is important, but only as part of a broader approach to cyber resilience. In a world where systemic cyberattacks are becoming more frequent, nobody wants to be the low-hanging fruit.
In a nutshell, traditional cyber insurance is aimed at dealing with the financial impacts associated with a security or privacy event, including direct costs with managing the event, loss of income, paying extortion demands, as well as liability, including regulatory fines and penalties in jurisdictions where such costs are insurable.
Cyber insurance itself is not a single coverage. It can be packaged in a number of different ways to match an individual client’s insurance buying strategy and evolving cyber threats, risks, and emerging impacts. It can be a combination of first- and third-party offerings, responding to the direct losses of a cyber event as well as claims asserted by third parties.
It’s also important to say what this type of insurance does not address. Cyber insurance does not replace a cybersecurity program and does not negate the need for good security controls. In fact, some policies may require demonstration of certain best practices in cybersecurity in order to provide indemnification. In order for organizations to effectively manage cyber risk, they should have both an effective security program and insurance in place for when defenses fail.
Like all other risks, it is important to look at cyber risks as a continuous cycle of management, not just a one-time risk mitigation exercise. The cycle is one of determining the current risk posture, by looking at the likelihood of cyber threats and the impacts, as well as the current security controls in place.
Based on the internally-determined risk appetite, if certain risks are considered to be above the threshold, they need to be mitigated by additional controls. Once completed, this cycle will be carried out continuously, as the lyrics to “The Windmills of Your Mind” suggest.
As is the nature of risk, it is almost impossible to eradicate it completely, and there is always a residual risk. It is this residual risk that is picked up by cyber insurance, a necessity even for the most resilient among us.
From the recent botnet attack on home and small-office routers to renewed attention to cybersecurity at the U.S. Securities and Exchange Commission (SEC), directors of companies are tasked with understanding and overseeing a mounting range of information about cyber risks. Recognizing that directors need oversight-specific resources to guide their understanding of this critical risk, the National Association of Corporate Directors (NACD), Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University (CMU) partnered to develop the Cyber-Risk Oversight Program.
The program is tailored specifically to the needs of the director and is updated periodically with webinars to provide context on the most recent developments in cybersecurity. Students who complete the course and pass a series of quizzes are awarded the CERT Certificate in Cybersecurity Oversight. They also join a group of their peers who are publicly acknowledged for having completed the program.
“Cyber-Risk Oversight: Boardroom Update” is the first installment in our Cyber-Risk Oversight webinar series. Completion of the program is not a requirement to view this webinar. Some chief insights from the webinar follow.
What’s New in the Threat Environment
According to the 2017 Cybercrime Report, published by Cybersecurity Ventures and the Herjavec Group, cybercrime will cost the global business market $6 trillion annually by 2021. Summer C. Fowler, a member of the CERT Institute faculty at CMU and an instructor in the Cyber-Risk Oversight Program, says that this considerable cost suggests that directors should pay closer attention to cyber-risk oversight, as cyber risks take a material toll on companies. Below is a summary of some of the more pressing threats discussed in the webinar.
Just under three quarters of cybersecurity breaches to companies’ systems come from an outside source, while 27 percent are from insiders. Fifty percent of the breaches are made by criminals acting with financial gain in mind.
Small businesses have become a primary target for cybercriminals because they oftentimes do not have sufficient resources to defend themselves. Directors of these types of companies and nonprofits should ask questions of the organization’s executives to understand how data is being protected.
The average time to discover a breach is six months, which is down from seven months from 2017. This number is alarming, as cybercriminals are still spending significant time in systems without being detected.
Members of boards of directors are very often the targets of whaling attempts, which are phishing attempts in which an e-mail is received that looks like a critical, legitimate request. For example, an e-mail may be drafted to appear as though it has come through the chain of command. There will often be multiple people targeted at once through these attempts, to increase the appearance of legitimacy. Whaling can be extremely convincing, and directors should receive training on how to avoid falling victim to these attacks.
Cybersecurity and the SEC
In recent years the corporate approach to cybersecurity has shifted from a reactive to a proactive mindset. These shifts have also been significant from a legal perspective, as ensuring cybersecurity and data protection becomes the responsibility of many people, rather than one single person. Cybersecurity also has become a priority for the SEC. In 2011, the SEC’s Division of Corporate Finance issued guidance on how companies should approach disclosure of a breach to investors. While the chief regulator of public companies has not since made any specific rules on reporting of cybersecurity incidences, it restated its guidance on what it expects companies to do to be transparent to shareholders about breaches. In February, the SEC released guidance for companies to consider when evaluating cybersecurity risks for disclosure. The SEC suggests that the board needs to think about more than the concrete costs of recovering after a cyber breach.
The factors that a board should consider in cybersecurity disclosure are:
occurrence, frequency, and severity of prior cybersecurity incidents;
probability and potential magnitude of cybersecurity incidents;
adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
aspects of the company’s business and operations that give rise to material cybersecurity risk;
costs associated with maintaining cybersecurity protections;
potential for reputational harm;
existing or pending laws and regulations that may affect the cyber requirements; and
litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Are you interested in earning a respected credential in cyber-risk oversight at your own pace? NACD members and those who are not yet members are encouraged to watch the webinar embedded above to preview the course’s offerings and to register for the course.
Cybersecurity is the bedrock of intelligent business. Companies that hope to develop superior customer knowledge, unique insights, and proprietary intellectual property by utilizing digital capabilities will require a robust cybersecurity strategy to underpin the whole. Companies need a strategy that leads to true cyber resilience.
To create a resilient enterprise, companies must make changes in four areas: leadership and governance, funding, organizational culture, and security measurement and monitoring.
Directors and executives should be asking themselves the following questions in order to ensure that they are on the right track.
1. Leadership and governance: Do we really understand what’s at stake for the business?
CEOs and boards of directors fortunately are ramping up their engagement and accountability for cybersecurity. Most CEOs, however, have much more to do. The chief executive’s relationship with his or her chief information security officer (CISO) is critical to the right kind of engagement. The CEO’s relationship with the CISO is also important to the board’s ability to perform sound cyber-risk governance.
CISOs should have oversight of more than just the corporate office, to include functions, subsidiaries, joint ventures, and labs. They should be involved in discussions of any new business initiatives or technologies that will increase cyber risk. CEOs and boards should bring them into the inner circle to help build risk management strategies to support business goals and objectives. The bottom line is that CISOs must become business advisors to leadership and informants of business challenges and successes to boards.
2. Culture: Do we truly put security first?
A big part of embracing a security-first culture is having the right mindset. At the C-suite and board level, cyber resilience and operational performance management should go hand in hand. Security must be a strategic priority tracked and reacted to as part of the tempo of normal business management, much the same as with the profitability of business units. It is a new competence that needs to be built, just like manufacturing excellence or personalization in digital marketing.
This mindset must spread throughout the organization and serve as a spur to proper actions. Line management must understand that they have a primary objective: Protect customers’ data and the company’s digital assets and operations. Fail at this and all else is irrelevant. The same is true for the front lines.
Cultural change must be backed by action and investment, and the buck stops with the board. Ensure your board is asking management whether or not this key culture change is being made across the organization.
3. Funding: How much is the right amount?
Answering this difficult question requires breaking it into two parts:
Is the company brilliant at the basics? This means properly investing to resolve challenges of any magnitude—from intruders who want to get at a particular customer, to attackers after the company’s most critical assets, whether they be data or key intellectual property that differentiates the company in the market.
Is the company innovating to improve its security? The only way to lower the cost of cybersecurity (or at least slow cost increases) while improving overall capability is to innovate upon current security practices.
Getting the basics right isn’t easy. It requires understanding and preparing for the many potential intentions of cyberattackers. It also means hardening high-value assets. Companies must make it as difficult as possible for attackers and limit the damage that’s possible when they do breach the walls.
Breakthrough innovations come from many corners, including business partners, vendors, and alliances across other ecosystems. CEOs and boards should think of the startup community as their company’s route to innovation and experimentation. Once partners demonstrate how their products will integrate efficiently and drive value in the security mission, security professionals must rapidly scale the innovations across their organizations. The CEO can empower that scaling, and the board should be asking the CEO about plans to do so.
4. Metrics and monitoring: Are we measuring for business relevance?
The metrics used in the past to measure business success won’t help in the future. For example, low, medium, and high compliance scores don’t communicate enough about business risk. Rather than information such as project plans on encryption, CEOs and board members should receive metrics on protecting customer data. Rather than metrics around patching (updating software with the latest, most secure versions), they should hear about how the integrity of production environments is being maintained. Companies need business-relevant scorecards on security.
In addition to receiving better information on more relevant metrics, CEOs and boards should improve their own monitoring and understanding of cyber threats. They need to develop muscle memory by taking part in crisis drills and working through attack scenarios. Such practice helps track improvements and lessons learned, and to be prepared to respond immediately when a threat occurs.
The Path to Cyber Resilience
CEOs and boards of big organizations that have been successful at demonstrating cyber resiliency are leading wise pivots to new strategies for security. While these pivots are essential to the survival of businesses, they do bring risks and increased attack surfaces to critical digital assets and operations. Business leaders must engage more directly to own this challenge, because in the future, the only resilient business will be one that is cyber resilient.