As technology becomes all-pervasive across organizations, it brings with it the risk of falling victim to cyberattacks — a potent risk that has attracted attention like never before. Are organizations across the corporate landscape alert to this very real, emerging risk? When a cybersecurity breach occurs, the severity of its impact will depend on how prepared the board is and how proactively it has engaged with this challenge.
Cyberattacks have emerged as the next big challenge, a risk that can severely impact a company’s competitive advantage and shareholder value and damage its reputation. In today’s world of “always on” technology and negligible security awareness among users, cyberattacks are no longer a matter of “if” but “when.” The wave of security breaches that have affected leading organizations across domains, including e-commerce, financial services, media and entertainment, telecommunications and technology, has made it clear that no organization is immune to this threat. Consider two instances of cyberattacks and how they affected the organizations that fell victim to them.
Case Study 1
A leading entertainment organization was hacked and lost more than 100 terabytes of data to unauthorized users, compromising the confidentiality of business-sensitive and personal data. The data breach included unreleased movies, personal data, confidential employee information (such as Social Security numbers and medical information) and more. As a result, senior management and the C-suite had to tender an embarrassing public apology to all customers and shareholders. While this is a good example of company leadership and the board taking ownership and responsibility, it would take years to regain customer trust and repair the brand erosion caused by the breach of customer privacy.
Case Study 2
A financial services organization was attacked as a result of negligence regarding two-factor authentication. The attackers were able to move around the network and ultimately access more than 80 servers. While no financial data was affected, the attackers were able to access customer records revealing email addresses, home phone numbers and mailing addresses for more than 60 million household customers, affecting customer trust and creating potential data privacy issues. The resulting public disclosure brought about embarrassment and a potential loss of customer trust that would take several years to rectify, given the very nature of the financial services business.
Given the severity of their impact, cyberattacks have graduated well beyond being treated as just a technology issue and have acquired the stature of a business risk that requires an enterprise-wide response. Boards need to take the issue out of the silo of the IT department and lead a change in mindset across the organization, so that it is viewed as a risk that is managed and integrated into overall business strategy and operations. The major hacking exploits point to a new trend that has recently emerged: a company may be attacked not only for who it is but, more importantly, for whom it can give access to, which requires a complete change in its cyber defence strategy. Accordingly, many businesses that service large organizations may be at increasing risk, given that they may often be the conduit to a more sophisticated cyberattack.
Cyber security and Cyber governance
With the proliferation of digital media and an increasing number of people engaging in technological and social media experiences, significant amounts of information are accessible to a large number of people, with the potential to damage corporate reputation. Given the pervasive impact that cybersecurity can have across the length and breadth of company operations, the full board should govern cybersecurity. However, beyond merely ensuring it is put on the board agenda, it is important to ensure that cyber risk considerations are interwoven into all major discussions and decisions at the board level — whether they are about changes in the business environment or in business strategy and operations (e.g., a merger, acquisition, introduction of a new product, entrance into new markets, implementation of new technologies or software). For example, during an acquisition, if cyber risks are not considered when due diligence is carried out on the acquiree to understand associated business risks, a company and its board will not fully understand the vulnerabilities and hazards they are likely to inherit once the transaction is complete. As organizations adapt to changes in the external business environment and in their business strategy and operations, boards need to ensure that the related cybersecurity measures and risks are adapted accordingly. A solid foundation in cybersecurity, stemming from cybersecurity knowledge from an enterprise standpoint, has become imperative for management and the board. Putting this foundation in place is not an easy task, but boards should call upon management to “activate” its resources and bridge any human capital and knowledge gaps. With cybersecurity acquiring a sense of urgency in the boardroom, the quantum of resources that address this challenge continues to be of concern.
According to an EY Global Information Security Survey, 43% of survey respondents stated that their organization’s total information security budget will stay around the same in the coming year. It is the board’s responsibility to challenge management so that management allocates resources to address cyber risks in a way that is commensurate with risk levels. Given that technology transcends and affects all departments and corporate structures, boards should address whether management’s cybersecurity plan has a cross-functional team involving business leaders of all key departments, such as human resources. This will ensure that management is taking a holistic and comprehensive approach toward managing cybersecurity.
Anticipating and addressing risks proactively
Strong cyber governance will enable organizations to proactively articulate their strategies to address advanced persistent threats. Organizations change, and so do threats. Therefore, the foundation of cybersecurity must adapt to keep pace, and boards will need to adapt to these changes as they commit to incorporating cybersecurity into their governance responsibilities. As the economy becomes more digitized and the degree of interconnectedness with other parties (such as suppliers, vendors and customers) increases, so does the risk to the company. Therefore, when performing and re-evaluating its risk assessment, a board will need to continuously evaluate, balance and adapt to all risks (both internal and external) posed to the company, including those associated with the company’s broader network or ecosystem. A key ask of boards, if they are to effectively address cyberattacks, is to ensure that their directors’ skills and experience are adequate and commensurate with the risk, in addition to improving their understanding of such risks. Otherwise, they should consider adding someone with IT experience, which could help the board mitigate its cybersecurity “knowledge gap”. In some instances, boards are hiring their own experts to educate directors. Others are leveraging independent advisors (e.g., external counsel and external auditors) who can provide perspectives and insights on industry trends related to cyber risk.
Regulators speak about cyber security
Regulators across various sectors, such as telecom, insurance and banking, are taking steps to increase oversight and are highlighting the need for public companies to make disclosures related to these risks. Earlier, many private organizations did not believe in disclosing information about such attacks, but recently more organizations are becoming vocal about such incidents. Cyber threats and attacks expose organizations to legal liability. Individuals whose personally identifiable information is compromised as a result of a data breach may bring civil privacy claims under the legislation of specific countries. Shareholders affected as a result of cyberattacks could file derivative claims alleging that officers and directors breached their fiduciary duty of care by failing to implement appropriate security controls and oversight.
Network to keep the networks safe
The ferocious dynamism of technology and the cyber threats that come with it are accelerating rapidly. Organizations need to invest not only in the right security technologies but also in a better understanding of their ecosystem, and in working with trusted partners to further protect their cyber sphere together. Leading boards motivate their organizations to proactively foster relationships and increase the level of collaboration rather than just monitoring their own systems, working more closely with others in the industry, competitors and governments to combat as a team the threats that face them.
Deploying metrics to determine preparedness to address cybersecurity concerns
Leading practices suggest a focus on metrics, which will help the board determine whether management is appropriately adapting to potential cyber threats and responding to them swiftly. Companies often engage in cybersecurity war games to assess their level of preparedness, simulating realistic hacking and potential data-loss scenarios and gauging how well they respond. The metrics should focus on the total number of breach attempts detected, the time taken to respond and the effectiveness of the entire cybersecurity incident response procedure. Determining benchmarks will allow boards to assess whether responses were swift and successful, and also whether to consider hiring external experts to review the company’s cybersecurity plans and benchmark those plans against comparable companies. However, apart from metrics, it is important that the board challenges management on the need to create an incident response plan that helps in promptly addressing any cybersecurity breach that occurs, so that the resulting damage is minimal or altogether mitigated. Viewing cybersecurity as an enterprise-wide risk will give boards the true context in which to begin putting a robust cybersecurity governance framework in place.
Board oversight on committees to address cybersecurity framework
Boards need to set the tone to enhance security, as it should be deeply rooted in the organization’s strategy and culture. The board should determine whether the full board or a committee should have oversight responsibility. In some cases, a risk committee, executive/operating committee or the audit committee will be given the oversight charge. At times, audit committees may need detailed information about the organization’s cybersecurity practices, and they often use that information to inform their oversight. They should understand whether the team handling cybersecurity is sufficiently equipped and skilled to handle this responsibility. The audit committee’s action plan will depend on the company’s level of maturity in managing security risks, and it may require more attention and time in sectors where these risks and the potential for damages are highest, such as telecommunications and financial services institutions.
Six commandments for the board to consider
- Ensure that sufficient resources are allocated to cater to cybersecurity issues
- Understand management’s preparedness in terms of an incident response plan, to respond to cybersecurity breaches
- Consider the addition of new skills that could help in a better understanding of cybersecurity issues
- Appointment of independent directors with knowledge of information technology systems and associated threats
- Ensure metrics that test effectiveness of an incident response plan are put in place
- Consider cybersecurity specific insurance