I recently attended an event where a panel of lawyers provided a “pearl of wisdom” to Board members, stating, “If you don’t understand your cybersecurity risk, don’t try to.” They went on to advise that whatever you do, don’t hire someone to conduct an independent cyber assessment. Otherwise, you might learn where your risks are and open yourself up to liability that your ignorance is protecting you from. After I recovered from my initial shock, I wanted to yell from the rooftop that sticking your head in the sand does not make the very real threat of a cyber attack to your organization go away.
Such behavior is not only risky, it is immoral and it is contrary to the strategic, legal and fiduciary responsibilities that you have assumed as a Board member to your shareholders, customers and employees. A breach can expose data that is the legal obligation of the organization to maintain private. It can compromise the credit of the organization’s customer base, impacting their personal lives for years. It can expose proprietary and trade secrets of the organization, impacting competitive advantage. In fact, markets are increasingly realizing that all data has some intrinsic level of value; therefore, any breach exposes the organization to a degree of loss through exposure. When taking into account that an estimated 84 percent of the total value of the Fortune 500 consists of intellectual property and other intangible assets,[1] a cyber attack could represent the single largest off-balance-sheet risk that exists today for organizations.
When retailers are breached, it can bring harm to customers and damage the corporate brand. In the aftermath of the 2013 Target data breach, the CEO stepped down and Target agreed to pay $10 million to settle a class-action lawsuit.[2] If you think that you are safe because you don’t store credit card information, you are wrong. Hackers are not just interested in stealing credit card information. They have also found it profitable to hold data hostage. For example, a hospital recently paid a $17,000 ransom in bitcoin to a hacker who seized control of its computer systems.[3] Still, cyber breaches are not always about generating a monetary profit. The U.S. federal government is not only responsible for protecting national secrets, it is also entrusted with the data of its citizens and employees. In the widely publicized Office of Personnel and Management (OPM) breach, a nation state has been reported to have stolen the personally identifiable information (including fingerprints!) of more than 22 million employees with security clearances.[4] The motivation for that attack is less about monetary rewards and more about gaining access to classified information by amassing human intelligence. Regardless of the motivation, cyber risk is not going away.
For those of us entrusted with governance responsibilities, do we just give up? Is this problem too hard? No, but we do need to get smart on the topic. Standard frameworks for establishing and maintaining the cybersecurity of organizations are readily available, such as the National Institute of Standards and Technology (NIST) guidance or ISACA’s COBIT. While personal liability should not be the primary driver for Board members concerning themselves with cybersecurity, it is a real possibility that, with the severity of harm possible and the simplicity of basic preventive measures available, ignorance will soon cease to be a reasonable defense. Regardless, as a conscientious Board member, you will understand that you need to be concerned and engaged. But if you are not a cybersecurity or IT professional, this may seem daunting. What can you do?
The Path Forward
Fortunately, you do not have to go back to school to get a master’s degree in cybersecurity to provide value-add in your Board role. Here are some areas where you need to make sure proper strategy is being developed and oversight is being exercised.
First, make sure the Board is fully leveraging the audit committee. The audit committee is a critical component of the governance and oversight structure. Board members should ask whether the organization’s audit committee is taking active steps to address the growing cybersecurity threat. If they are not, they should be. While the audit committee’s traditional responsibility has been related to financial reporting and disclosure, the role of the audit committee has evolved to include regulatory compliance and enterprise risk management activities. Given that information technology supports just about every facet of business operations, cyber risk is a critical component of enterprise risk management.
Further, audit committees generally have oversight responsibilities of the internal auditing department. This gives the audit committee the ability to receive independent assurance as to whether effective IT security controls are in place. However, here’s the problem: According to the Institute of Internal Auditors’ “2016 Pulse of the Profession of Internal Audit” report,[5] while 69 percent of Chief Audit Executives (CAEs) state that internal audit should make significant or extremely significant efforts to communicate cybersecurity risks to the Board and executive management, only 40 percent do so. Moreover, while 63 percent of CAEs agree that internal audit should make significant or extremely significant efforts to provide cyber assurance, only 26 percent do so. A contributing factor to this is that 52 percent of CAEs reported that their internal audit teams lacked the requisite expertise to address cybersecurity risk.
Some might argue that the risk of lacking cyber expertise in the internal audit department can be mitigated by appointing a Chief Information Security Officer (CISO) with strong cyber skills. While having a capable CISO is critical, this approach overlooks the value to the Board of getting independent assurance on the effectiveness of controls. Although outsourcing the IT audit function can serve as a short-term fix, internal audit departments need to develop this expertise if their objective is to address the largest threats facing their organizations. One approach is to embed language in IT audit contracts that requires the outside experts to train the internal audit staff. Another option is to hire internal audit staff that already possess the requisite IT auditing skills. Whatever approach is taken, it is incumbent on the Board and the audit committee to ensure that addressing cybersecurity risks is built into the audit plan.
Considerations
So what questions should the Board be asking management? A good indicator of executive support for cybersecurity can be found in the budget. If there is scant evidence of funding for the people, processes and technology needed to address cyber risks, chances are it is not happening. On the flip side, throwing a lot of money at a problem does not always fix it. The right people, processes and technology need to be in place to be effective. Start with asking questions about the people. Is someone tasked with cybersecurity as their primary responsibility, or is it a collateral duty? Depending on your cyber risk profile, this may warrant a part-time effort, a one-person shop or an entire team. Next, ask about the types of qualifications this person (or team) has. In addition to experience, professional credentials are a means to independently judge whether someone is qualified. However, if you are putting a lot of weight in professional credentials to establish qualifications, it needs to be more than a paperwork exercise. Make sure the credential has an experience requirement. For example, ISACA recently launched its Cybersecurity Nexus (CSX) credential.[6] The CSX credential goes beyond a memorization exercise. It requires book knowledge along with demonstrated cyber proficiency (e.g., defending against attacks in a virtual server environment).
Even if an organization has skilled people, a common mistake is to invest a lot of money into shiny, new technology without ensuring the right processes are in place. Third-party evaluation of cyber plans and implementation can be helpful in providing independent assurance that the team is heading in the right direction. Another question to ask is does the team have a data management strategy? Not all data needs to have iron-clad protection. Funding and efforts should be focused on protecting critical data (e.g., personally identifiable information, intellectual property, etc.) as opposed to publicly available information.
Last but not least, make sure management is covering the basics: patch, patch and patch again! According to the latest Verizon breach report, more than 99.9 percent of exploits occurred more than one year after the vulnerability was identified.[7] This means that if organizations routinely installed patches, it would prevent the most common means to gain unauthorized access to their systems. Board members should not take for granted that this is being done: Ask the question.
A Final Observation
After the breach, once the data is lost, there is only damage control that can be done. The lost competitive advantage associated with the proprietary information cannot be recovered. The customers’ personal information cannot be recaptured. Reputational damage might be managed, or it might be irreversible. Sticking your head in the sand will not prepare you to assess your level of risk or to make wise investments against those risks—and, as governance professionals, we need to yell this from the rooftops.
[1] Ocean Tomo, “Intangible Asset Market Value,” March 2015, www.oceantomo.com/2015/03/04/2015-intangible-asset-market-value-study
[2] National Public Radio, “Target Offers $10 Million Settlement In Data Breach Lawsuit,” March 2015, www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit
[3] Los Angeles Times, “Hollywood hospital pays $71,000 in bitcoin to hackers; FBI investigating,” February 29, 2016, www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
[4] ABC News, “22 Million Affected by OPM Hack, Officials Say,” July 9, 2015, www.abcnews.go.com/US/exclusive-25-million-affected-opm-hack-sources
[5] Institute of Internal Auditors, “2016 Pulse of Internal Audit,” February 2016, www.theiia.org/services/Pages/Pulse-of-Internal-Audit.aspx
[7] Verizon, “2015 Data Breach Investigations Report,” www.verizonenterprise.com/DBIR/2015