Corporate Compliance Insights
Cyber Governance – Sticking Your Head in the Sand Is Not an Option

by Theresa Grafenstine
April 4, 2016
in Governance
The Board must play an active role in cyber governance

I recently attended an event where a panel of lawyers provided a “pearl of wisdom” to Board members, stating, “If you don’t understand your cybersecurity risk, don’t try to.” They went on to advise that whatever you do, don’t hire someone to conduct an independent cyber assessment. Otherwise, you might learn where your risks are and open yourself up to liability that your ignorance is protecting you from. After I recovered from my initial shock, I wanted to yell from the rooftop that sticking your head in the sand does not make the very real threat of a cyber attack to your organization go away.

Such behavior is not only risky, it is immoral and it is contrary to the strategic, legal and fiduciary responsibilities that you have assumed as a Board member to your shareholders, customers and employees. A breach can expose data that is the legal obligation of the organization to maintain private. It can compromise the credit of the organization’s customer base, impacting their personal lives for years. It can expose proprietary and trade secrets of the organization, impacting competitive advantage. In fact, markets are increasingly realizing that all data has some intrinsic level of value; therefore, any breach exposes the organization to a degree of loss through exposure. When taking into account that an estimated 84 percent of the total value of the Fortune 500 consists of intellectual property and other intangible assets,[1] a cyber attack could represent the single largest off-balance-sheet risk that exists today for organizations.

When retailers are breached, it can bring harm to customers and damage the corporate brand. In the aftermath of the 2013 Target data breach, the CEO stepped down and Target agreed to pay $10 million to settle a class-action lawsuit.[2] If you think that you are safe because you don’t store credit card information, you are wrong. Hackers are not just interested in stealing credit card information. They have also found it profitable to hold data hostage. For example, a hospital recently paid a $17,000 ransom in bitcoin to a hacker who seized control of its computer systems.[3] Still, cyber breaches are not always about generating a monetary profit. The U.S. federal government is not only responsible for protecting national secrets, it is also entrusted with the data of its citizens and employees. In the widely publicized Office of Personnel Management (OPM) breach, a nation state has been reported to have stolen the personally identifiable information (including fingerprints!) of more than 22 million employees with security clearances.[4] The motivation for that attack is less about monetary rewards and more about gaining access to classified information by amassing human intelligence. Regardless of the motivation, cyber risk is not going away.

For those of us entrusted with governance responsibilities, do we just give up? Is this problem too hard? No, but we do need to get smart on the topic. Standard frameworks for establishing and maintaining the cybersecurity of organizations are readily available, such as the National Institute of Standards and Technology (NIST) guidance or ISACA’s COBIT. While personal liability should not be the primary driver for Board members concerning themselves with cybersecurity, it is a real possibility that, with the severity of harm possible and the simplicity of basic preventive measures available, ignorance will soon cease to be a reasonable defense. Regardless, as a conscientious Board member, you will understand that you need to be concerned and engaged. But if you are not a cybersecurity or IT professional, this may seem daunting. What can you do?

The Path Forward

Fortunately, you do not have to go back to school to get a master’s degree in cybersecurity to provide value-add in your Board role. Here are some areas where you need to make sure proper strategy is being developed and oversight is being exercised.

First, make sure the Board is fully leveraging the audit committee. The audit committee is a critical component of the governance and oversight structure. Board members should ask whether the organization’s audit committee is taking active steps to address the growing cybersecurity threat. If they are not, they should be. While the audit committee’s traditional responsibility has been related to financial reporting and disclosure, the role of the audit committee has evolved to include regulatory compliance and enterprise risk management activities. Given that information technology supports just about every facet of business operations, cyber risk is a critical component of enterprise risk management.

Further, audit committees generally have oversight responsibilities of the internal auditing department. This gives the audit committee the ability to receive independent assurance as to whether effective IT security controls are in place. However, here’s the problem: According to the Institute of Internal Auditors’ “2016 Pulse of the Profession of Internal Audit” report,[5] while 69 percent of Chief Audit Executives (CAEs) state that internal audit should make significant or extremely significant efforts to communicate cybersecurity risks to the Board and executive management, only 40 percent do so. Moreover, while 63 percent of CAEs agree that internal audit should make significant or extremely significant efforts to provide cyber assurance, only 26 percent do so. A contributing factor to this is that 52 percent of CAEs reported that their internal audit teams lacked the requisite expertise to address cybersecurity risk.

Some might argue that the risk of lacking cyber expertise in the internal audit department can be mitigated by appointing a Chief Information Security Officer (CISO) with strong cyber skills. While having a capable CISO is critical, this approach overlooks the value to the Board of getting independent assurance on the effectiveness of controls. Although outsourcing the IT audit function can serve as a short-term fix, internal audit departments need to develop this expertise if their objective is to address the largest threats facing their organizations. One approach is to embed language in IT audit contracts that requires the outside experts to train the internal audit staff. Another option is to hire internal audit staff that already possess the requisite IT auditing skills. Whatever approach is taken, it is incumbent on the Board and the audit committee to ensure that addressing cybersecurity risks is built into the audit plan.

Considerations

So what questions should the Board be asking management? A good indicator of executive support for cybersecurity can be found in the budget. If there is scant evidence of funding for the people, processes and technology needed to address cyber risks, chances are it is not happening. On the flip side, throwing a lot of money at a problem does not always fix it. The right people, processes and technology need to be in place to be effective. Start by asking questions about the people. Is someone tasked with cybersecurity as their primary responsibility, or is it a collateral duty? Depending on your cyber risk profile, this may warrant a part-time effort, a one-person shop or an entire team. Next, ask about the qualifications this person (or team) has. In addition to experience, professional credentials are a means to independently judge whether someone is qualified. However, if you are putting a lot of weight on professional credentials to establish qualifications, it needs to be more than a paperwork exercise. Make sure the credential has an experience requirement. For example, ISACA recently launched its Cybersecurity Nexus (CSX) credential.[6] The CSX credential goes beyond a memorization exercise. It requires book knowledge along with demonstrated cyber proficiency (e.g., defending against attacks in a virtual server environment).

Even if an organization has skilled people, a common mistake is to invest a lot of money in shiny, new technology without ensuring the right processes are in place. Third-party evaluation of cyber plans and implementation can be helpful in providing independent assurance that the team is heading in the right direction. Another question to ask is whether the team has a data management strategy. Not all data needs iron-clad protection. Funding and efforts should be focused on protecting critical data (e.g., personally identifiable information, intellectual property, etc.) as opposed to publicly available information.

Last but not least, make sure management is covering the basics: patch, patch and patch again! According to the latest Verizon breach report, more than 99.9 percent of exploits occurred more than one year after the vulnerability was identified.[7] This means that if organizations routinely installed patches, it would prevent the most common means to gain unauthorized access to their systems. Board members should not take for granted that this is being done: Ask the question.

A Final Observation

After the breach, once the data is lost, there is only damage control that can be done. The lost competitive advantage associated with the proprietary information cannot be recovered. The customers’ personal information cannot be recaptured. Reputational damage might be managed, or it might be irreversible. Sticking your head in the sand will not prepare you to assess your level of risk or to make wise investments against those risks—and, as governance professionals, we need to yell this from the rooftops.


[1] Ocean Tomo, “Intangible Asset Market Value,” March 2015, www.oceantomo.com/2015/03/04/2015-intangible-asset-market-value-study

[2] National Public Radio, “Target Offers $10 Million Settlement In Data Breach Lawsuit,” March 2015, www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit

[3] Los Angeles Times, “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating,” February 29, 2016, www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

[4] ABC News, “22 Million Affected by OPM Hack, Officials Say,” July 9, 2015, www.abcnews.go.com/US/exclusive-25-million-affected-opm-hack-sources

[5] Institute of Internal Auditors, “2016 Pulse of Internal Audit,” February 2016, www.theiia.org/services/Pages/Pulse-of-Internal-Audit.aspx

[6] ISACA, “Cybersecurity Nexus (CSX),” www.isaca.org/cyber

[7] Verizon, “2015 Data Breach Investigations Report,” www.verizonenterprise.com/DBIR/2015



Theresa Grafenstine

Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA is a member of ISACA’s Board of Directors and the inspector general of the U.S. House of Representatives (House). Over the past 20 years, she has served in the inspector general community in both the legislative and executive branches of the federal government. She is the chair of ISACA’s Relations Board and Finance Committee, is past president and committee chairman of the ISACA National Capital Area Chapter and has served as ISACA’s Communities Committee chair and on ISACA’s World Congress: INSIGHTS program development task force. Grafenstine was recently nominated for the U.S. Federal Government Disruptor of the Year Award for her speeches on reforming audit in 2014. As the inspector general, she is responsible for planning and leading independent, non-partisan audits, advisories and investigations of the financial and administrative functions of the House. Prior to joining the House OIG, Grafenstine served at the Department of Defense (DoD) Office of Inspector General, where she led acquisition audits of major weapons systems and was selected to respond to high-profile Congressional audit requests. Grafenstine earned the 2014 John Kuyers Best Speaker/Conference Contributor Award from ISACA.