BOARD OF DIRECTORS RESPONSIBILITIES FOR CYBERSECURITY

Berkeley Research Group | 810 Seventh Avenue, Suite 600 | New York, NY | 10019

WHITE PAPER | DECEMBER 2015

Financial Services

Prepared By: Bob Kurtz, bkurtz@thinkbrg.com, 646.862.0978

Copyright ©2015 by Berkeley Research Group, LLC. Except as may be expressly provided elsewhere in this publication, permission is hereby granted to produce and distribute copies of individual works from this publication for non-profit educational purposes, provided that the author, source, and copyright notice are included on each copy. This permission is in addition to rights of reproduction granted under Sections 107, 108, and other provisions of the U.S. Copyright Act and its amendments.

Disclaimer: The opinions expressed in this publication are those of the individual authors and do not represent the opinions of BRG or its other employees and affiliates. The information provided in the publication is not intended to and does not render legal, accounting, tax, or other professional advice or services, and no client relationship is established with BRG by making any information available in this publication, or from you transmitting an email or other message to us. None of the information contained herein should be used as a substitute for consultation with competent advisors.

Companies are finding that data breaches have become both common and expensive to remediate. Companies spend more on their investigations, notifications, and responses when their sensitive and confidential information has been lost or stolen. The average per capita cost to a company in 2014 was US$3.79 million, an increase of 12 percent from 2013.1 That cost does not include bad press, embarrassment, future lawsuits, etc.

Global Study at a Glance2

In recent years, boards of directors’ conversations have shifted from IT enhancements to enterprise cybersecurity due to high-profile cases involving companies such as Sony, Anthem, T-Mobile, Kmart, Home Depot, Staples, and JP Morgan, and cyber-attacks from foreign entities on U.S. entities such as the U.S. Postal Service and Social Security Administration.3 In fact,

“Cybersecurity is often at the top of agendas for audit committees and management at companies of all sizes and industries, since the pervasiveness of cyber issues connects them to financial concerns and internal controls. The audit committee has started to play a vital role in monitoring management’s preparation for and response to cyber threats.”4

Cyber risk has taken its place next to credit risk, liquidity risk, and operational risk as a pressing threat to the health of the enterprise. Particularly after the attack on Target, the largest ever for a U.S. retailer, there is increasing pressure to hold boards accountable. Board governance is becoming an area of focus in shareholder lawsuits, and disclosure obligations have made their way to the board level.5 As Luis A. Aguilar, a commissioner of the U.S. Securities and Exchange Commission (SEC), noted in a speech last year, boards of S&P 200 companies are now “nearly universally” taking responsibility for oversight in cyber risk management.6

CYBER RISK MANAGEMENT

“Cyber risk management” is a framework an organization adopts to deal with new and evolving technology-based risks relating to cyberspace coming from within and outside the company. In this framework, the key actors are the board, the C-suite or executive team, and frontline top management in charge of executing cyber risk management.7

1 “Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis,” Ponemon Institute blog (May 5, 2014), available at http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

2 Ponemon Institute (2014).

3 Ernst & Young, 2012 Global Information Security Survey (2012).

4 “Top issues for Audit Committees in 2014,” The Wall Street Journal (October 15, 2015), excerpted from Deloitte, Audit Committee Brief (November-December 2013).

5 Taylor, Julia, Cyber Security News and Blog, Bournemouth University, United Kingdom (July 31, 2015).

6 Aguilar, Luis A., “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus,” U.S. SEC (June 10, 2014).

7 Bonime-Blanc, Andrea, Emerging Practices in Cyber Risk Governance, Conference Board, CEO Strategic Implications (October 27, 2015). Ms. Bonime-Blanc is the CEO and founder of GEC Risk Advisory LLC.

Study encompasses 350 companies in 11 countries

$3.79 million is the average total cost of data breach per company

23% increase in total cost of data breach since 2013

$154 is the average cost per lost or stolen record

How should boards take responsibility for cybersecurity? A company’s board needs to set the tone for enhancing security and determine whether the full board or a committee should have oversight responsibility. In some cases, a risk, executive, operating, or audit committee may be given oversight responsibilities. However, many boards of directors do not have any person or group on the board that possesses cybersecurity skills and is capable of functioning in that capacity. Boards may want to consider bringing on someone with a deep understanding of IT issues.

The Commerce Department provides the National Institute of Standards and Technology (NIST) cybersecurity framework as a risk-based compilation of guidelines designed to help companies assess current capabilities and draft a roadmap toward improved cybersecurity practices.8 A starter recommendation is to add a cybersecurity subcommittee to the audit committee of the board that can assist in overseeing management’s activities by periodically reviewing a continuously upgraded and comprehensive cybersecurity plan that keeps abreast of new risks and technical mitigations. Many boards are beginning to make time to review even relatively minor internal incidents and staying up to date on incidents and developments outside the company, with a special focus on threats and events affecting their industry.

Boards should have a clear understanding of the types of threats most likely to represent a risk at their organizations, and they should continuously educate themselves about evolving legal and regulatory developments. A board’s cybersecurity action plan will depend on a company’s level of maturity in managing security risks. It may require more attention and time in sectors where these risks and the potential for damages are highest, such as financial services institutions.

Audit committees should inquire about the state of specific security programs and ask for benchmarks. They should also seek an explanation of the measures in place to prevent or detect attacks.

Businesses feel pressure to cut costs where they can. Technology helps but also creates new risks. Companies always want to increase operational flexibility; however, in doing so, they may not do enough to mitigate the potential risks of cybersecurity attacks. Many who have taken measures are employing encryption techniques and stronger oversight of the contract management process for cloud service providers. The question becomes: “Is that enough?”

Threats can occur from within the organization, too. Organizations must go beyond protecting the perimeter. They should also focus on protecting the data itself. It will take money and resources to train employees across the enterprise to keep information safe. Yet few companies plan to spend more on cybersecurity in the next 12 months.9 Putting the right processes in place would be a step forward. The majority of organizations don’t have a structured, effective framework for assessing and managing security risks. Instead, they rely on a patchwork of nonintegrated, complex, and fragile defenses.

Companies may use social media to enhance their brand by interacting with customers, but social media represents a threat, too. The around-the-clock availability of social media means that a company’s reputation may be damaged in a small amount of time or with limited effort. Challenges include data security, privacy concerns, regulatory compliance, and concerns about employees’ use of work time and equipment to engage in social media. Many companies don’t have a coordinated approach to social media usage and security within or by the organization.10

The financial consequences of a cyber-attack, as with technology itself, are often not well understood. Theft of funds and intellectual property is not the only risk. There are costs associated with losses of profits and business, and expenses associated with remediation. A breach could affect overall financial performance, ultimately reducing earnings per share and the company’s market value.

8 Harvard Law School, Audit Committees: 2015 Mid-Year Issues Update, Forum on Corporate Governance and Financial Regulation (June 16, 2015).

9 Ernst & Young (2012).

RECOMMENDATIONS

Companies that form a cybersecurity subcommittee as a part of an audit committee of the board of directors will be fulfilling oversight responsibilities for the system of internal control, the audit process, and the company’s process for monitoring compliance with laws and regulations and the code of conduct, specifically as it relates to malicious attempts to penetrate corporate technology devices. The subcommittee should have authority to conduct or authorize investigations, within its scope of responsibility, and should be empowered to:

Appoint, compensate, and oversee the work of any enterprise security firm employed by the organization

Pre-approve cybersecurity software/hardware and consulting and third-party services

Retain independent enterprise security experts or others to advise the committee or assist in conducting cybersecurity investigations

Seek information from employees—all of whom are directed to cooperate with the committee’s requests—or external parties

Meet with the company’s chief information officer (CIO), chief information security officer (CISO), chief security officer (CSO), and IT auditor, as necessary

The cybersecurity subcommittee should consist of at least one member of the audit committee. The board or its nominating committee, not management, should appoint committee members and the committee chair. Members should be independent and technically literate, and at least one member should be designated as the “technical expert.”

The subcommittee should meet at least quarterly, with authority to convene additional meetings as circumstances require. All subcommittee members would be expected to attend each meeting, in person or via teleconference or videoconference. The subcommittee should be able to invite members of management, technology personnel, auditors, and others to attend meetings and provide pertinent information, as necessary. The subcommittee should hold private meetings with the company’s IT professionals and executive sessions, as necessary.

Meeting agendas and appropriate briefing materials should be prepared and provided to members in advance. Minutes should be prepared afterward for distribution and approval.

The committee should:

Consider the effectiveness of the company’s technology control system, including overall enterprise system controls.

Understand the scope of internal and external auditors’ reviews of system controls over operational and financial matters. Obtain reports on significant findings and recommendations, together with management’s responses.

Approve the cybersecurity charter and ensure that policies, procedures, and incident response practices are in place, current, and tested regularly.

Approve decisions regarding the appointment and removal of the CIO and CSO. Ensure there are no unjustified restrictions or limitations. Review and concur in the appointment, replacement, or dismissal of executives.

Approve the annual cybersecurity plan and major changes to the plan. Review the company’s activity performance relative to its plan.

Review the chief security officer’s budget, resource plan, activities, and organizational structure.

At least once per year, review the performance of the CIO and CSO and concur with the annual compensation and salary adjustment.

Review the effectiveness of the enterprise security function, including conformance with ISACA’s COBIT Framework, SIM’s Advanced Practices Council on the Coalition for Open Security, and AICPA’s Professional Standards and Technical Practice Aids.

Meet separately/regularly with the chief audit executive and CIO to discuss matters that the committee or internal audit or IT believes should be discussed privately.

A company must protect itself starting from the top, ingrain proper security protocol in its everyday culture, and try to anticipate or patch holes where problems are detected.

Turn your board’s intent to get serious about cybersecurity into a company-wide plan of action. Important action items should include buying insurance; creating a cybersecurity action plan; and involving all company communities, including employees, vendors, customers, and consultants.

BUYING CYBERSECURITY INSURANCE

According to Inga Beale, CEO of Lloyd’s of London, cyber-attacks cost companies $400 billion in 2014, including the damage itself and subsequent disruption to the normal course of business. Beale said that the coverage companies have purchased is a fraction of what companies are losing on account of hacks. The firms best prepared for cyber-attacks usually wind up buying insurance. About 90 percent of cyber insurance is purchased by U.S. firms, leaving other companies around the world exposed.

If the potential for financial loss weren’t enough motivation to buy cybersecurity insurance, the SEC and the Financial Industry Regulatory Authority are watching for firms not operating under a “reasonable standard” to protect against the loss of critical data. These watchdogs will not hesitate to take enforcement action.

Reducing the potential for a data breach naturally falls to the IT department. But even though IT specialists are well versed in selecting and running a company’s applications, they have less experience in mitigating the potential of security breaches. Hence, third-party consultants are in demand to help identify shortcomings.

Insurance falls into two broad categories: first party and third party. First party typically refers to payments to the company to cover damage from the policyholder’s own loss of data and for other harm to the business, such as theft, fraud, and the cost of forensic investigations. Third party, which covers litigation and regulatory costs as well as credit monitoring, is far more prevalent in the United States than in Europe because of legal requirements to notify customers in the event of a data breach.

CREATING THE CYBERSECURITY ACTION PLAN

Many experts recommend that businesses start with a strategic approach to cybersecurity. This approach should include plans to secure existing systems and keep businesses secure going forward. A comprehensive cybersecurity plan should focus on three key areas:

Solutions, policies, and procedures need to be identified to reduce the risk of attacks.

Plans and procedures need to be in place to determine the resources that will be used to remedy a threat in the event of a computer security breach.

Companies need to be prepared to address the repercussions of a security threat with their employees and customers to ensure that any loss of trust or business is minimal and short lived.

A good cybersecurity plan takes into account inside and outside attacks, and the particulars of the organization that requires the security. A company must thoroughly understand what its most important assets are. That is not always so easy to determine, as companies such as Sony and Ashley Madison found out. Although there are best practices for and approaches to computer security, there is no “one size fits all.”

Security planning starts with a thorough assessment of the equipment, software, and processes of your entire IT system. Analyze IT resources, intellectual property concerns, data architecture, physical perimeter security, and concerns specific to the company’s particular industry, and map out your particular threat landscape. Ask questions such as: What assets might be especially valuable or vulnerable? Are regulatory issues involved? What security measures are currently in place? Have employees been trained in data security fundamentals? Is there a viable plan in place should a breach or intrusion occur?

INVOLVING ALL COMPANY COMMUNITIES IN PROTECTING DIGITAL ASSETS

Effective security in today’s complex social and technological organizations must address risk and failure as emergent properties of modern enterprise IT infrastructures. From BYOD to Big Data to the cloud, technology is constantly used, repurposed, and innovated upon by not only the organization but also users, vendors, and third parties. The concept of centrally controlled enterprise IT is fading, and companies must work across people, process, and technology infrastructures to both protect digital assets and ensure competitiveness and business success.11

Organizations need to understand where cultural and behavioral risks exist. Risks happen when priorities and values conflict with one another: for example, the conflict between a control that makes a system more protected and the productivity lost should that control also render the system less usable. In cases of conflict, the dominating culture wins, and this may not always include optimal security decisions.

Cultural and behavioral risk analysis enables enterprise leaders to design strategies that optimize and balance between competing security and business priorities in a cost-effective and measurable way. Assumptions and tradeoffs are identified and can be managed to reduce uncertainty and risks to security and other business goals. Most important, these conflicts are made explicit, allowing for objective cost-benefit analyses to be conducted around information security.12

11 Hayden, Lance, The “Cultural Firewall”: Reducing Security Risk by Transforming Security Culture and Behavior, white paper, Berkeley Research Group (2015).

About the Author

Robert Kurtz (Bob), CPA, CISA, CIA, CSP, CDP

Robert “Bob” Kurtz is a renowned subject-matter expert in digital content management and global enterprise requirements planning (ERP) systems. His areas of expertise include business development, process improvement, business and IT strategy/transformation, customer relationship management, content and digital asset/rights management, ERP integration, financial management, supply chain management, IT strategy development, outsourcing/ASP management, governance, risk management, project/program management, shared service center creation, and systems development.

Before joining BRG, Mr. Kurtz was a founder and member of a management and technology consulting firm serving Fortune 500 and mid-sized clients. He served as president and managing director. He was also previously a vice president of information technology at a major American cable telecommunications company, where he oversaw a 150-person IT department. He was also executive director of corporate technology at The New York Times. Mr. Kurtz also was a director and practice leader on two of the Big Four media and digital asset management teams.

Mr. Kurtz has advised clients in the areas of new product development, service offerings, and key hiring decisions. He is frequently called upon to provide advice on financial-related technology matters including feasibility studies, software requirements and selection, and ROI analysis.

About Berkeley Research Group

Berkeley Research Group, LLC (www.thinkbrg.com) is a leading global strategic advisory and expert consulting firm that provides independent advice, data analytics, authoritative studies, expert testimony, investigations, and regulatory and dispute consulting to Fortune 500 corporations, financial institutions, government agencies, major law firms, and regulatory bodies around the world. BRG experts and consultants combine intellectual rigor with practical, real-world experience and an in-depth understanding of industries and markets. Their expertise spans economics and finance, data analytics and statistics, and public policy in many of the major sectors of our economy, including healthcare, banking, information technology, energy, construction, and real estate. BRG is headquartered in Emeryville, California, with offices across the United States and in Asia, Australia, Canada, Latin America and the United Kingdom.
