Cyber Risks: From the Trenches to the Boardroom
In 2012, as the importance of cybersecurity grew more apparent for business leaders around the globe, the World Economic Forum (WEF) launched a new initiative called the Partnership for Cyber Resilience. Since then, every yearly edition of the WEF’s Global Risks Reports have featured cyber risks front and center. As a PricewaterhouseCoopers (PwC) presentation titled “Threat Smart: Building a Cyber Resilient Financial Institution” put it: “Cyber risk is a business issue, not just a technology issue. Market leaders are finding that cyber risk management needs to be owned by the C-suite rather than by IT.”
In 2015, the WEF released a special report titled “Partnering for Cyber Resilience Towards the Quantification of Cyber Threats.” As Jacques Buith, the managing partner at Deloitte Risk Services, pointed out, “We need to be able to quantify cyber risks if proper cyber resilience assurance is to be achieved. Only then will management boards be able to take sound risk/reward decisions in this volatile world and thus secure their organizations’ cyber resilience.”
The report uses a cyber value-at-risk approach that aims to determine the value of x, or the amount of money over a period that businesses would lose in a successful cyberattack. The report also covers the different types of models from which to derive quantified risks: the Monte Carlo Method, Behavioral Modeling, Parametric Modeling and the Delphi Method, to name a few. Deloitte offered a more in-depth look at the relationship between risk and compliance, including measuring the status of risk governance.
C-Suites Must Have Knowledge of Cyber Risks
The WEF is not alone in pointing out the need for CISOs, CIOs, business executives and boards of directors to have more frequent, productive conversations around cyber risks and to properly oversee the effectiveness of controls deployed to mitigate them. Here is a sampling from the past year showing the level of interest — or, depending on your perspective, the demands from executives or directors — in the management of cyber risks.
- A first-quarter 2015 New York Stock Exchange (NYSE) special report entitled “Managing Cyber Risk: Are Companies Safeguarding Their Assets?” pointed out that 42 percent of boards surveyed “admitted their board only occasionally discusses cyber/IT security.” Also, only 21 percent of the directors reported their company had “IT risk well under control with regard to a possible cyber breach.”
- In 2015, NYSE Governance Services surveyed about 200 directors of public companies. The “Cybersecurity in the Boardroom” report highlighted a definite trend in the level of interest in the discussion of cyber risks in the boardroom: About 35 percent said that cybersecurity matters were discussed at every meeting, while another 46 percent indicated they were discussed at most meetings. Even more interesting is the perspective from the board that, in the event of a major breach, the order in which directors would hold leaders accountable for the breach started with the CEO, who was then followed by the CIO, the entire executive team and, in fourth place, the CISO.
- An article titled “Do boards have a role in cyber-risk?” asked whether boards need a cyber risk expert within their ranks. The answer, so far, is no. However, for directors, the author noted that the “one thing you can’t do is escape responsibility.”
- In 2015, PwC’s “18th Annual Global CEO Survey” showed that 61 percent of CEOs are concerned about “cyber threats, including lack of data security.” Cybersecurity was listed third in level of strategic importance (78 percent), just behind mobile technologies for customer engagement (81 percent) and data mining and analysis (80 percent). Additionally, 53 percent of CEOs reported cybersecurity as being very important strategically.
- Finally, from a government regulation and oversight perspective, companies operating in the U.S. must pay attention to the tone and words from Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar’s address at the NYSE’s Cyber Risks and the Boardroom Conference on June 10, 2014: “Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation and engagement on cybersecurity issues,” Aguilar said in his speech. “Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.”
Organizational Best Practices
So what’s an organization to do? First, download the National Association of Corporate Directors (NACD) “Cyber-Risk Oversight Handbook,” a resource that can be applied to an organization’s existing enterprise risk management (ERM) to track cyber risks. The handbook outlines five key principles for boards to properly oversee cyber risks:
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
- Board management discussions about cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
Second, follow a cyber risk management methodology such as the U.S. National Institute of Standards and Technology (NIST) Risk Management Framework or the Australian government’s 2015 Risk Management Benchmarking Programme documents, which provide useful information for establishing and running a risk management program and selecting a target maturity state, as well as typical characteristics of the various risk management maturity levels for which one might aim.