Cyber risk in the boardroom: The questions you need to ask


By Jason N Smolanoff, Senior Managing Director and Global Head of Cyber Risk, and Greg Michaels, Managing Director and LATAM Practice Leader of Cyber Risk, at Kroll


A new year typically brings a renewed sense of optimism; however, 2021 promises unparalleled challenges for board members, whose role in cyber risk oversight and in building organisational resilience has never been more important.

Over the course of 2020, as organisations shifted already overburdened staff to build capacity for remote working, threat actors aggressively exploited the weaknesses exposed in that transition. The shift continues: ransomware attacks are at an all-time high as we head into 2021, surpassing business email compromise for the first time as the attack of choice, and it doesn’t stop there.[1] Sophisticated threat groups lodged deep inside organisational networks have mastered exploiting the trust relationships established between entities in the supply chain.

Unfortunately, even though securing an organisation is challenging enough in normal times, the regulatory landscape continues to shift underfoot, adding pressure to already uncertain conditions. Driven by ever-larger breaches, concern over how organisations manage and protect customer data is pushing US states to introduce stricter legislation, such as the California Privacy Rights Act (CPRA), which strengthens the California Consumer Privacy Act (CCPA). At the US federal level, the introduction of the Cybersecurity Maturity Model Certification (CMMC) is forcing hundreds of thousands of suppliers across the defence industrial base to move from a self-attestation compliance model to onsite validation of controls by a certified assessor.

As a result, 2021 will require boards to ensure they have the metrics and intelligence needed to focus cyber risk oversight on:

  • Quantifying the risk of a large-scale attack across all impact categories (e.g. financial, operational, brand, reputation, regulatory)
  • Leveraging validated threat intelligence to reassess risk appetite and tolerance for cyber resilience, data privacy and third-party risk management
  • Identifying the best methods to minimise or transfer risk, using the updated risk profile

Minimise business interruption (cyber resilience)

With the adoption of broader remote working, boards need to ensure that security controls which were set aside or exempted in order to get employees connected and productive quickly are now restored. New operating models also require new security monitoring capabilities, because remote access paths and collaboration tools that were not part of the pre-pandemic environment must now be watched for potentially malicious or unauthorised access and activity.

As such, boards must proactively determine whether existing incident response and cyber crisis management capabilities are adequate for the new workforce paradigm. Investments that improve threat detection and speed up response mobilisation must be prioritised. Effective questions to ask security leadership include:

  • Does the organisation maintain a list of the critical information, systems and third parties required to operate the business? Is there a program in place to protect those critical information assets?
  • How resilient are our systems? In the latest incident, how many systems were compromised, and for how long?
  • How precise are our detection controls? Is the security team able to concentrate on high-severity alerts, or is its time consumed by false positives?

Building digital trust (data privacy)

Boards that have historically treated compliance with a ‘check-the-box’ mentality will find 2021 challenging, given the uptick in regulator actions and consumer-driven litigation over the protection of sensitive data. Data privacy changes require that organisations take a hard look at consent for data collection and use, in addition to the protection of the data itself. When revisiting data governance, effective questions to ask legal and information security leadership include:

  • Does the consent we obtain for collecting personal information satisfy the applicable legislative criteria?
  • Is the data we collect used only for legitimate business purposes?
  • Is customer data retained for no longer than necessary?
  • Are we sufficiently transparent about how the data is used?
  • Have we given data subjects adequate control over their information, including the right to be forgotten?

With the legislative spotlight shining on data governance, boards should take the opportunity to update the company’s inventory of data and digital assets, which could also prove valuable during potential M&A activity.

Strengthening supply chain (third-party cyber risk management)

Recent global supply chain attacks place third-party cyber risk management front and centre in 2021, and legislation such as the CCPA and the EU’s extra-territorial General Data Protection Regulation (GDPR) makes organisations liable for incidents originating at their third parties. This forces boards to take a hard look at whether they have the visibility needed to assess the maturity of their suppliers’ cybersecurity and data privacy controls. But how do boards do this? Effective questions to ask legal and information security leadership include:

  • Do we have visibility into the cybersecurity and data privacy maturity of our supply chain, and is it based on validated evidence rather than questionnaires alone?
  • For vendors with access to critical systems or sensitive data, have we included contractual protections in the event of an incident, such as a right to audit, incident notification obligations or requirements for reducing data exposure?

Mitigating and transferring risk

When it comes to managing cyber risk, boards must understand the current organisational risk profile, including the company’s risk appetite and risk tolerance. As part of a robust risk transference strategy, a fundamental question each board must evaluate is the adequacy of its cyber insurance. This seemingly simple question may lead to unexpected findings once the risks are carefully considered, and answering it requires an accurate cost analysis of the potential loss from a cyberattack.

For example, some cyber insurance underwriters now require that stricter cybersecurity controls be in place before writing or renewing policies. This brings the board full circle, as these mandatory controls may require investment in unanticipated areas. When calculating the amount of coverage required, boards must account for the need for and cost of external counsel, retainer-based digital forensics, crisis public affairs support, potentially crippling regulatory fines and possible post-incident litigation.

It has been said that hope is not a strategy. In 2021, some organisations around the world are hoping for the return to some semblance of pre-pandemic operations; however, for many organisations and boards, the new normal will be nothing like the past. The new year promises a complex array of previously unconsidered challenges. The board recommendations noted herein centre on establishing a deeper understanding of the cyber risk maturity of the organisation and its leadership, with the goal of reducing cyber risk and increasing organisational resilience.


About The Authors

Jason Smolanoff is a senior managing director, global cyber risk practice leader, based in the Los Angeles office, and a fellow at the Duff & Phelps Institute. He brings more than 20 years of federal law enforcement and information security experience and has played a leading role in some of the most significant cybersecurity investigations in history.

Greg Michaels is a managing director and LATAM practice leader with Kroll’s Cyber Risk practice, based in the Secaucus office. In this role, Greg partners with clients at the strategic and operational level to build proactive information security programs, helping them to comply with regulatory requirements and minimise enterprise risk.