Boards are asking for best practices relating to the oversight of cybersecurity risks. Having done some recent research into this question, we thought we would share our findings.
What is ‘Cyber Risk’?
The Institute of Risk Management defines ‘cyber risk’ as ‘any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.’ As noted by Marsh Canada, “while the benefits of utilizing e-business strategies and internet-based technologies are numerous, so are the risks. The internet and other networked operations have created exposures that were unheard of a decade ago. In addition, the wave of privacy related regulation has created an entirely new area of risk, untethered from technology; risk based solely upon the potential mishandling of confidential information.” According to Robert Mueller, former Director of the FBI, “there are only two types of companies – those that have been hacked and those that will be.”
Board Oversight of Risk
Cyber risk is but one of the many risks that a company faces. It has been well-established that a governing board is not expected to manage risks – that responsibility is delegated to the CEO and management team. The board is, however, expected to understand what the principal risks are facing the company and to ensure that management has good systems in place to identify, evaluate, manage and monitor risks. Applying this principle to cyber risk, a board is expected to understand and monitor:
- The company’s most critical/sensitive information or data
- The fast-changing landscape of potential cybersecurity threats
- The potential implications for the company of cybersecurity breaches
- The policies and systems that management has put into place to minimize and respond effectively to cyber risks
- The roles and responsibilities of the various players within the company with cybersecurity as part of their mandate
- How the company’s cyber risk management stacks up against others
- What the company is doing to promote a cybersecurity culture in the workplace
Good Oversight Questions to Ask
Some good questions for the Board to ask the Chief Executive Officer (CEO) and the Chief Information Officer (CIO) include:
1. Have we undertaken a cyber-security risk assessment? If so, can management walk us through the results of that assessment?
Such an assessment would involve:
(a) identifying information assets and making a priority list of what needs to be
(b) locating the information assets and listing where they reside within the protected organization (e.g. file servers, workstations, laptops, removable media, PDAs and phones, databases, etc.)
(c) Classifying the sensitivity of information assets according to a rating scale
(d) Conducting a threat modeling exercise to rate the threats that top-rated
(e) Developing a security plan that addresses the areas of highest risk first.
2. How can the security of IT systems be breached and who is typically behind such breaches?
In general terms, the security of IT systems can be threatened when:
- Unauthorized users gain access to the company’s network – this can occur if employees inappropriately share their confidential logon IDs and passwords, leave their computer workstations unattended, lose technology equipment or mobile storage devices, etc.
- Opportunistic hackers gain access to corporate networks through weaknesses in the system – this can include phishing emails that populate viruses or spyware across a network if someone opens them, downloaded software that include viruses, etc. These hackers are issuing blanket threats to many organizations and just take advantage of whatever pops up.
- Criminal hackers who very deliberately target proprietary information assets of specific companies for commercial benefit.
3. What are the potential consequences of a significant cybersecurity breach?
According to KPMG, potential consequences for a company might include:
- Intellectual property losses including patented information and trademarked material, client lists, and commercially sensitive data
- Legal expenses including damages for data privacy breaches, compensation for delays, regulatory fines and the cost associated with defence information assets face
- Reputational loss which may lead to a decline in market value, and loss of goodwill and confidence by customers and suppliers
- Time lost and distraction due to investigating how the breach occurred and what information (if any) was lost and keeping key stakeholders advised
- Administrative cost to correct the impact such as restoring client confidence, communications to authorities, replacing property, and restoring the organization’s business to its previous levels.
4. Who is responsible for cybersecurity within the company?
The cybersecurity roles and responsibilities of everyone from the front-line employee to the CEO should be made clear and documented in policy.
5. What policies are in place to provide guidance to our employees and potential third parties relating to cybersecurity?
Our research suggests that cybersecurity-related policies should, at a minimum, give executives and employees the answers to the following basic questions:
- Who in my organization is responsible for cybersecurity?
- What are the rules that govern my use of company resources (computers, smartphones, tablets)? How can I be kept aware of updates to these rules?
- If I suspect that I have a cybersecurity issue (malware, spyware), who should I contact within my organization?
- Does my organization have a policy on bringing personal devices into the workplace?
- What am I allowed to connect to my company’s system and could my device infect the system?
A cybersecurity policy should also include:
- An emphasis on the importance of cyber security
- Training on effective password management
- How to detect phishing and other scams
- The need for regular updates and patches to anti-malware programs, web browsers and other programs
- The need for secure encrypted file transfer for sensitive information being sent outside the company
- The expectation that employees will lock and store securely computers and other mobile devices
- The need to quickly report lost or stolen devices
- The importance of employees playing an active role in protecting the company’s information assets
- A strong recommendation that employees apply maximum privacy settings to their social media accounts
The organization’s cybersecurity policy should be incorporated into the employment agreement in some way and regular cybersecurity training should be scheduled to make sure that employees understand the guidelines.
6. What controls and other risk management strategies do we have in place to keep our information assets safe? Are the resources that we allocate to cybersecurity adequate?
Our research indicates that there are basic rules that all companies should follow in practising good cybersecurity include:
- Every user should have their own account with particular rights and restrictions. These rights should be limited to what the employee needs to perform their job duties.
- Users should have strong passwords requirements and should be prompted to update those passwords at regular intervals.
- Employees’ cybersecurity responsibilities should be clearly identified in job descriptions, policy statements, or other company documents (like procedures manuals). Companies should update their employees’ and contractors’ security credentials as they move through the organization. Often, employees will still have access to systems despite moving to new areas that do not require such access or even upon leaving the company. Contractors may retain remote access to systems or sites even after their work is completed; companies should make concerted efforts to limit and prevent this remove access once outside vendors’ contracts are complete.
- Security patches on software should be updated regularly.
- Older versions of software should be removed.
There is also a need to be mindful of the company’s physical assets as well. For example, misplaced devices or computers in remote locations without adequate access control and monitoring can present risks.
Finally, a company’s cyber risk management systems need to be the subject of regular training, assessment and system hardening.
According to an August 2014 article in Fast Company entitled “Top 10 Most Effective Cybercrime Policies”, the most effective methods used to fight e-crime are:
- Engage in internal employee monitoring
- Have a written inappropriate use policy
- Require employees and contractors to sign acceptable use policies
- Monitor Internet connections
- Require internal reporting to management of insider misuse and abuse
- Host employee education and awareness programs
- Develop a corporate security policy
- Conduct new employee security training
- Conduct regular security audits
7. Do we allow third parties to connect to our network and if so, what protections do we have in place to minimize the risk of them transferring malware or spyware to our system?
The company’s CIO will be able to identify third parties with access to the company’s network. He/she will also be able to speak to what systems are in place to minimize risks associated with third party access to your network.
8. How do we stay on top of the changing tricks that hackers use to penetrate systems like ours?
Again, the CIO will be in a position to share with the the Board or the Risk Committee how he/she and his/her team stay abreast of and share internally the ever-changing cybersecurity threats facing the company.
9. What cyber attacks have occurred at the company?
The CIO will be able to explain how and when the corporate network was exposed to malware or spyware.
10. How are we set up to respond to potential cybersecurity threats?
The CIO will be able to describe the system security monitoring and testing that is done on a regular basis. He/she can also describe what the process is for employees to report cybersecurity suspicions to the Help Desk and what the escalation process is from there.
The Board will want to know and perhaps set some guidelines regarding who, internally, is to be advised of any cyberattacks. It will also want to know when it would be appropriate to secure external forensic expertise and to contact law enforcement in the event of a significant breach. Finally, it will want to know that the company has a disaster recovery plan and a crisis communications plan in place to address business interruptions due to cyber attacks.
11. Do we need cyber risk insurance? If we have a policy in place, is it adequate?
According to Marsh Canada, “traditional insurance policies do not typically address cyber risks in an effective way and, in fact, internet and network exposures are increasingly subject to exclusion from these policies.” The same firm also describe available coverage as follows: “Cyber and privacy risk insurance provides financial protections for information and technology related risks. “Information risks” extend beyond the risks associated with internet communications or e-commerce transactions. Losses, often arising from lost client data or unauthorized access or use of computer systems, cross every industry and every business that uses computers to communicate/transact business. Coverages are available for direct loss, including: loss of electronic data, business interruption and extra expenses from technology failure/system outage, liability coverage for defense expenses and damages stemming from claims. Coverage also responds to out of pocket expenses included by an insured to comply with privacy regulations, as well as defending the insured in a regulatory action involving a violation of a privacy regulation.”
12. How do we organize ourselves as a Board to provide effective cyber risk oversight?
Risk oversight is an important board responsibility. Some boards delegate specific risk oversight responsibilities to board committees while others prefer to monitor the risk environment at the full board level. Boards should review their organization’s risk management framework and the current structure for risk oversight and consider the following questions:
- Is cybersecurity currently an explicit risk in the organization’s risk management framework?
- Will the full board monitor cyber risks along with all of the other risks or will risk oversight (including cyber risks) be delegated to a specific committee?
- Is risk oversight included on the board’s annual macro agenda? Is there an annual robust discussion of the principal risks facing the company and the policies and systems in place to minimize and manage these risks?
- If a board committee has responsibility for risk oversight, is time set aside for that topic on the committee’s annual work plan?
- Has the company reviewed all of its procurement, contractor and visitor documents to make sure that third parties agree to abide by its cybersecurity standards and policies?
- How do cyber risks factor into the annual internal audit plan?