Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cybersecurity in the Boardroom

1,057 views

Published on

A Briefing Guide for C-Level Executives to Threats,
Tactics, and Strategies.

Published in: Technology
  • Login to see the comments

  • Be the first to like this

Cybersecurity in the Boardroom

  1. 1. Technology Risk E-Book Audit | Tax | Advisory | Risk | Performance Cybersecurity in the Boardroom A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies nn Six Critical Questions to Assess Cybersecurity Readiness nn Ten Principles of Corporate Governance for Management and the Board nn Five Steps to Establish and Maintain a Cybersecurity Road Map nn Plus: Seven Crowe Insights to Share on LinkedIn
  2. 2. Cybersecurity in the Boardroom 2www.crowehorwath.com Boards of directors have extremely limited capacity for taking on new areas of oversight. Given that constraint, it is noteworthy that cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Company executives and top management used to be responsible for meeting the ongoing strategic challenges in their industries. For example, being an oil executive was sufficient experience for running an oil company, being a retail executive was sufficient for running a retail firm, and so on. The demands on management have changed with the times. The digital age has brought about a convergence such that no matter the industry, executives now struggle with a set of common concerns related to technology strategy and information security. Across widespread, globalized supply chains, organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent. This digital convergence opens profitable opportunities and markets but brings with it additional risks and exposures. CEOs and other high-level executives need a starting point for understanding and responding to growing board-level concerns about cybersecurity. To help with this objective, Crowe Horwath LLP examines why the subject has escalated to the board level and how executives should guide their board members in thinking about cybersecurity issues. Introduction Cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Crowe Insight Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
  3. 3. Cybersecurity in the Boardroom 3www.crowehorwath.com Cybersecurity Readiness: Is Your Organization Prepared? According to The Institute of Internal Auditors Research Foundation (IIARF), the critical questions to consider when assessing the cybersecurity readiness of a board of directors are1 : nn Does the organization use a security framework? nn What are the top five risks the organization has related to cybersecurity? nn How are employees made aware of their roles related to cybersecurity? nn Are external and internal threats considered when planning cybersecurity program activities? nn How is security governance managed in the organization? nn In the event of a serious breach, does management have a robust response protocol?
  4. 4. Cybersecurity Escalates to the Board Level
  5. 5. Cybersecurity in the Boardroom 5www.crowehorwath.com Executives have become acutely aware of their personal stakes in facilitating adequate cybersecurity by preventing incidents and responding to data breaches in an appropriate manner. Their jobs are on the line. Yet the decades of industry experience that make someone a great leader in his or her industry might not foster the knowledge or relationships needed to respond to a major cybersecurity threat. In addition to the financial damage that ensues, a data breach causes significant exposure to reputational risk. An apt illustration is the recent Sony Entertainment Inc. hack in which executives’ reputations appeared to be among the attack’s principal targets.2 In such a case, with management having to deal with matters of national security, the board’s input and participation become essential. The list of companies beset by data breaches in recent years includes some of the marketplace’s highest- profile brands across a broad spectrum of industries, including The Home Depot Inc.3 and Target Corp.4 in retail; Domino’s Pizza5 and P.F. Chang’s China Bistro Inc.6 in restaurants; JPMorgan Chase & Co.7 in banking; and Adobe Systems Inc.,8 Apple Inc.,9 and eBay Inc.10 in the technology sector. Even being a relatively low-profile organization provides no assurance of safety, as seen by breaches at the Montana Department of Public Health and Human Services,11 Community Health Systems Inc.,12 and Goodwill Industries International Inc.13 In fact, data breaches have become extremely common, with an estimated 43 percent of companies experiencing one in the past year.14 In 2014, just counting those confirmed by media sources or subject to notification through state governmental agencies, there were a record-high 783 data breaches in the U.S.,15 which, due to patchwork reporting regulation and systemic underreporting, understates the problem. Yet not all data breaches are motivated by criminal gain or malicious intent. For most, some sort of glitch or human error is the cause.16 In fact, employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.17 Human errors take the forms of misconfiguration, a lack of patching, and “social engineering” in which an Crowe Insight The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
  6. 6. Cybersecurity in the Boardroom 6www.crowehorwath.com attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out- of-date credentials. A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.18 In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies: nn Technical remediation involving internal IT and external consultants nn Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug nn Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes nn Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats. Data breaches cost an average of $145 per record lost.
  7. 7. Assessing Responsibilities for Cybersecurity
  8. 8. Cybersecurity in the Boardroom 8www.crowehorwath.com Crowe Insight Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans. Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack. Despite cybersecurity’s immense challenge, the general principles of corporate governance remain intact. In dividing the responsibility, management has full charge for executing the specific steps required to mitigate risk while the board of directors acts largely in an oversight and advisory role. Principal responsibilities for management: 1. Perform a cybersecurity assessment. The Crowe approach, which combines input from the leading industry frameworks with Crowe professionals’ extensive experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities. Cybersecurity assessments include the following steps: nn Identify critical data. nn Map data stores and flows. nn Perform a controls risk analysis. nn Rate the maturity of security controls. nn Build short- and long-term remediation plans. 2. Perform an ecosystem assessment. Verify that vendors and outsourcing providers also have adequate cybersecurity controls. 3. Facilitate global review. Evaluate data protection laws and breach disclosure requirements in each country or state in which the organization does business. 4. Follow frameworks. Meet the appropriate requirements of the NIST cybersecurity framework, ISO 27001 standards, and industry-specific frameworks and/or standards – for example, PCI for retailers, SEC for public companies and financial regulators. Efforts taken to meet the requirements of multiple security frameworks and/or standards can be rationalized using the Unified Compliance Framework, a tool that includes a regulations database for centralized compliance. 5. Form a mitigation plan. Establish an internal risk management framework supported with adequate staffing and a budget for achieving compliance.
  9. 9. Cybersecurity in the Boardroom 9www.crowehorwath.com Principal responsibilities for the board of directors19 : 1. Revise the agenda. Cybersecurity once was viewed as an IT issue, but given cyberattacks’ present frequency and intensity, the topic now is considered an enterprisewide, operational risk management issue to be monitored closely by the board. 2. Facilitate legal review. Depending on the region and industry, cybersecurity will have varying legal implications pertaining to board responsibilities, and these implications should be reviewed by counsel and monitored for changes. 3. Enhance expertise. The challenge’s technical nature requires boards to have access to cybersecurity expertise, through either the election of specialists in the field or use of external consultants. 4. Set expectations. In addition to or in conjunction with existing goals and responsibilities, management should be monitored, measured, and compensated based on its ability to establish and enforce an enterprisewide risk management framework that can lower the risk of cybersecurity breaches. 5. Maintain frameworks. The adoption of a cybersecurity framework is not a one-time affair; rather, security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources. The board needs to set the parameters of frameworks’ evolution. Crowe Insight Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
  10. 10. The Board of Directors: Achieving Cybersecurity Excellence
  11. 11. Cybersecurity in the Boardroom 11www.crowehorwath.com Crowe Insight Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right. In meeting these responsibilities, a board of directors should take steps to provide effective oversight of cybersecurity risk mitigation along with sound advice to executive management. Learn from recent breaches and breach attempts. Every cybersecurity-related incident, whether or not it causes damage, offers a valuable opportunity to evaluate what went wrong and right. nn If the organization has been affected by a breach, ask, “How did we react? What did we tell our customers?” nn If not affected, ask, “What prevented the breach? What would have happened if we had been breached?” Stress test the incident response plan. Similar to a disaster recovery plan, the specifics of an incident response plan have to be carefully planned and tested. nn Board members should understand their personal roles in the response plan and have access to resources to fulfill their responsibilities as outlined in the plan. nn Board members should be aware of the expected reactions to a breach from regulators, law enforcement, customers, and other stakeholders. nn Following an attack on the company or broader industry, the board should convene to review the company’s response.
  12. 12. Cybersecurity in the Boardroom 12www.crowehorwath.com Perform an independent cybersecurity assessment. For a cybersecurity assessment, as with any other type of evaluation, the board of directors should not rely entirely on information from management to assess its own performance. Accordingly, it is essential to receive an independent evaluation of how the organization is meeting the requirements of the various cybersecurity frameworks. An effective, independent cybersecurity assessment will evaluate: nn Qualifications and capabilities of the cybersecurity team nn The state of the organization’s IT and cybergovernance nn Reporting relationships among the CEO, CIO, chief information security officer, chief audit executive, and other relevant executives nn Preventive controls and security awareness training nn Other organizations in the industry or organizations of similar size in other industries Establish and maintain a cybersecurity road map. Much like a technology road map, a cybersecurity road map provides a consensus-driven framework for achieving realistic short- and long- term objectives. A cybersecurity road map not only defines the extent to which an organization intends to protect itself against data breaches but moderates risk tolerances in different areas to employ the optimal alignment of people, processes, and technology. A cybersecurity road map should include the following elements: nn Annual health checks. Establish the capability to review the performance of the cybersecurity response team through interviews and independent data reviews. nn Year-by-year milestones. Set expectations for annual improvements in incident rate, incident response time, employee training hours, and levels of compliance with cybersecurity frameworks. 43% of companies experienced a data breach in the past year.
  13. 13. Cybersecurity in the Boardroom 13www.crowehorwath.com Crowe Insight Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks. nn Risk tolerances. For each type of risk faced by an organization, identify the risk tolerance – which risks to avoid, which to accept, which to mitigate through an operational response, and which to transfer through insurance. nn Cybersecurity insurance. Insurance’s cost is expected to vary greatly in coming years. Price increases will be affected by the threat level and virulence of attack vectors, with decreases driven by the extent to which technology solutions succeed at improving cybersecurity’s efficacy. Given the attention and investment in the cybersecurity sector, as well as interest in the category by the insurance industry, it’s quite possible or even likely that an organization that currently self-insures against cybersecurity risks will find cybersecurity insurance a much more attractive proposition in the years to come. The board of directors should have a sense of the right price for coverage at the organization and, based on a set of planning assumptions, incorporate those expectations into the road map. nn Long-term remediation plans. The cybersecurity road map and the broader technology road map can converge to rework business processes with the aim of reducing exposure to cybersecurity threats. Given that the human element in the form of employee negligence plays a contributing role in the majority of data breaches, it follows that an approach that supplements human labor with artificial intelligence potentially would reduce the overall risk of operations from a cybersecurity standpoint. These and other long-term considerations should be incorporated into the cybersecurity road map for annual review.
  14. 14. Looking Ahead
  15. 15. Cybersecurity in the Boardroom 15www.crowehorwath.com In the next several years, boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats. Even as technology enables powerful new business models that still are being explored, IT infrastructures remain relatively immature from a cybersecurity perspective. Until the security model catches up with the business model, organizations will be exposed to malicious and criminal actions. Through their cross-industry exposure, high-level perspective, and influence, board members can guide management toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the present threat environment. Given the participation of well-funded adversaries, it’s unlikely the cybersecurity threat ever will go away. But it’s certainly within the grasp of any organization to stop making simple mistakes, improve overall awareness, and establish a solid course toward a safer computing environment that’s ready to do business in the 21st century. Crowe Insight Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly. Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
  16. 16. Cybersecurity in the Boardroom 16www.crowehorwath.com 1 Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15. 2 “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/ sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/ a799e8a0-809c-11e4-8882-03cf08410beb_story.html 3 “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted- malware-contained 4 “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch. com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen- including-names-emails-and-phones 5 “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos- pizza-ransom-hack-data 6 “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http:// krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs 7 “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of- jpmorgan-data-breach-is-identified/?_r=0 8 “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached- records-from-adobe-hack-surface-online 9 “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple- developer-site-hacked 10 “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles. chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares- ebay-users-u-s-company 11 “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www. informationweek.com/healthcare/security-and-privacy/montana-health-department- hacked/d/d-id/1278872 12 Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity- idUSKBN0GI16N20140818 13 “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months 14 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 15 “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys- Studies/2014databreaches.html 16 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 17 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 18 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 19 Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www. theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask- download-pdf-1852.cfm Sources
  17. 17. www.crowehorwath.com Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public accounting and consulting firms in the United States. Under its core purpose of “Building Value with Values® ,” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world, consisting of more than 150 independent accounting and advisory services firms in more than 100 countries around the world. Crowe Horwath LLP, The Unique Alternative® Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2015 Crowe Horwath LLP RISK15376 Contact Information For more information, contact Raj Chaudhary at 312.899.7008 or raj.chaudhary@crowehorwath.com.

×