More information is hidden in plain sight than ever before. When the success of the global economy is hinged on the secure ownership of intellectual property and data, it behooves those who govern in the global company to understand how this information is being protected—and how it could be compromised. To that end, the National Association of Corporate Directors convened directors and cyber risk experts in Geneva, Switzerland, for its first Global Cyber Forum.
Dr. Simon Singh demonstrates the inner workings of an Enigma machine (Credit: Les Studios Casagrande).
Attendees from nearly every continent made their way to the Hotel President Wilson to confront the challenges of securing data across borders in light of complex and sometimes competing regulations. The European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, will be a watchword during each session. The complex and potentially costly regulation is likely to affect most companies that do business with or employ Europeans.
GDPR defines protected data far more broadly than the protections set by most country regulators. Experts from international KPMG offices, cybersecurity firm Rapid7, and AIG, together with NACD cohosts Ridge Global and the Internet Security Alliance, will proffer their best advice on the interconnected challenges and solutions of cybersecurity oversight for today’s board directors.
NACD’s Global Cyber Forum commenced Tuesday night with a keynote presentation by popular scientist and author Dr. Simon Singh.
A particle physicist who completed his degree at Cambridge University while working at the European Organization for Nuclear Research (CERN), Singh has committed himself to helping everyday people understand some of the most complex concepts in modern math and science. He is the author of several books and won a BAFTA award for producing Fermat’s Last Theorem, a documentary based on the search to prove one of the most difficult mathematical theories in history.
Singh’s presentation in Geneva turned directors’ attention to “the history of secrecy,” a topic that he covers in his 1999 book, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (Doubleday). He pointed to writers of the popular TV programs The Simpsons and Futurama to highlight how unexpected points about mathematics and science are hidden in plain sight, and how susceptible we are to finding patterns that may have absolutely no meaning.
He cited several instances of codes being found in popular texts or songs, including in the rock band Led Zeppelin’s “Stairway to Heaven,” which when played in reverse has been interpreted to contain an evil message. When Singh queued up the song, at first no one in the audience heard any discernible words. Then he pointed to the lyrics on a slide deck and almost half of the audience “heard” the words. His point? To challenge the audience to be more skeptical and open to believing that which can be proven—or disproven—with rigorous evidence.
When he introduced the science of cryptography to the audience, Singh noted that messages can be found as a pattern almost anywhere—including in Moby-Dick, where one author found an inordinate number of passages pointing to history that had coincidentally happened since its publication in 1851. The human mind, however, has over the millennia been able to form some truly remarkable codes that have eluded prying eyes and minds for hundreds of years.
While some of the earliest computing machines, such as Enigma, developed during the First World War, present nearly insurmountable odds against being deciphered, Singh reminded the audience that all ciphers are created by humans, and where there are humans, there is bound to be error. The same human curiosity and propensity to find patterns in behavior drove skilled code-breakers such as those at the UK’s Bletchley Park, who turned the tide of World War II by breaking codes.
Directors in the audience were challenged to think of the technologies that could protect their company’s own secrets while also considering the power—and foibles—of human error. Singh brought with him a prized possession: his very own Enigma machine.
When he turned to the audience to see if they had any questions about it after a brief demonstration, one attendee asked how the next frontier of quantum encryption would impact businesses. Singh pointed to the fact that scientists in Geneva were already sending messages encrypted at the quantum level within cities, and that others had sent quantum-secured messages via satellite. Quantum computing itself could make all encryption obsolete, he said. Such a development would render useless our current understanding of how to protect corporate assets, such as customer information and other data. He also noted that no one really knows what governments around the world have already achieved regarding this next frontier in information security.
Coverage of the full day of programming at the Global Cyber Forum is forthcoming in another installment of the blog and in the May/June issue of NACD Directorship magazine.
Late last month, the US Securities and Exchange Commission (SEC) approved nonbinding guidance urging public companies to “inform investors about material cybersecurity risks and incidents in a timely fashion.” The guidance, which gives greater urgency to current cybersecurity risks, builds on an earlier document issued in 2011. In the SEC’s words, “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” A recent report from the Office of the Director of National Intelligence predicts that the world faces “imminent disruption” from cyber threats—potentially on a massive scale with “lethal” consequences.
Meanwhile, not surprisingly, Congress continues to take action on cyber risk, proposing 191 bills so far on the topic.
The imperative for boardrooms to conduct sound cyber-risk oversight is here to stay—in the boardroom and in the halls of legislation. Luckily, resources abound for corporate directors to get up to speed on what their companies need to know and disclose while awaiting regulations and rulemaking about cyber-risk oversight.
Ubiquity of Cyber Risk
The ubiquity of cyber risk poses a fundamental operating problem for all enterprises. Most businesses today depend on digital technologies to operate, which leaves sensitive data and other assets vulnerable to cyber risk. The new Berkshire Hathaway 2017 annual report puts it well. After listing cyber threats in great detail, the report notes that “These are risks we share with all businesses.” Hacking, phishing, malware, viruses—you name it, it’s happening for all of us. Such events can present a material, existential threat to corporations, and possibly could even physically harm the people who work for them or that they serve. That is why Berkshire’s founder and leader Warren E. Buffett has stated famously that cyberattacks are the “number one problem with mankind.”
Directors on Alert
Corporate directors by and large are keenly aware of their companies’ responsibilities around cyber-risk oversight. NACD’s 2017 survey of 660 US public-company board members indicated that only 37 percent of directors feel “confident” or “very confident” that their company is properly secured against a cyberattack. This result, which showed lower confidence in a company’s preparation for a cybersecurity incident than in 15 other risk areas, is down from 49 percent the previous year.
Does this mean that companies are less prepared? I read things differently. It means that directors are less complacent.
More directors may be realizing that cybersecurity incidents are inevitable. Directors also are learning more about the topic, with 85 percent of boards reporting at least some knowledge of the topic, up from 78 percent two years before. (In 2015, 22 percent of directors reported that their boards had no or very little knowledge of cyber risk. That dropped in 2017 to 15 percent.)
If you’re feeling either behind or a little foggy on your understanding of these risks, you might consider brushing up with these resources:
Hundreds of directors have enhanced their cybersecurity literacy through the NACD Cyber-Risk Oversight Program, offered in partnership with Ridge Global and Carnegie Mellon University’s CERT Division of the Software Engineering Institute. More than 175 corporate directors and senior executives have completed the course, the world’s first and only program of its type, while an additional 135 now enrolled in the program are progressing to complete the CERT Certificate in Cybersecurity Oversight.
NACD offers the Director’s Handbook on Cyber-Risk Oversight, published jointly with the Internet Security Alliance (ISA) and available to all regardless of NACD membership status. The handbook is the most downloaded publication in NACD history, and the only private-sector publication that has been endorsed by the Department of Homeland Security and the Department of Justice, as well as a wide variety of private-sector organizations such as the US Chamber of Commerce and the International Auditors Association.
ISA and NACD also jointly produce summits on cybersecurity exclusively for corporate boards, where recognized experts and seasoned directors share best practices. As an outgrowth of this initiative, NACD and ISA will cohost our first international dialogue, the Global Cyber Forum, in Geneva, Switzerland, in April 2018.
In all these venues, NACD’s resources on cyber-risk oversight keep driving home several key challenges:
Cyber risk is a global challenge that now threatens to undermine governments, markets, and businesses around the globe. Most cyberattacks are cross-border.
Cyber risk is also systemic, given our reliance on digital networks and devices for commercial, government, and personal use.
For corporations, cyber risk is a strategic, enterprise-wide matter demanding active board engagement. Continuous learning is a must, even for specialists, given how quickly technology and threats are evolving.
Questions to Help You Learn About Your Company’s Security Posture
In closing, I’d like to share some applicable questions shared recently with our members in our Weekend Reader e-newsletter. For your next board meeting, consider asking some of these pointed questions to begin establishing a deeper understanding of cybersecurity across the enterprise.
Which cyber risks are communicated to our company’s shareholders, and in what format?
Has our management team determined what constitutes a material cybersecurity breach?
How effective is our internal escalation process when incidents are discovered?
Have we set clear thresholds for when senior management and the board should be notified?
How is our company’s cyber-risk assessment process integrated into the overall risk-management process?
Can material risks be mitigated by insurance, and does the corporation have sufficient coverage?
Does our company’s cyberbreach response plan include an investor communications strategy?
Under what circumstances is it necessary to inform law enforcement, customers, and other relevant stakeholders?
While corporate directors have some catching up to do, we’re a community of curious, dedicated professionals. Let’s commit to continuous learning and applying that knowledge to sound cyber-risk oversight. We owe it to our shareholders, our customers, and to the security of our economy.