By John Riggi – Former FBI Executive and Head of BDO USA’s Cybersecurity Practice
As the recent WannaCry ransomware attacks proved, there is no doubt that cyberattacks and data breaches are growing – in number, sophistication and severity – and are a great cause for concern for small and large businesses alike.
The increasing number of major breaches across the globe has prompted regulators to act. In many jurisdictions, businesses are now required to meet strict cyber risk management mandates or face penalties. New regulations not only require organisations to put appropriate security measures in place to protect personal information (of their people, their clients/customers and their suppliers), but also to have mandatory data breach notification systems in place to report privacy breaches to authorities and individuals whose information was compromised. The tightening regulatory environment has prompted boards of directors to take an increasingly active role in implementing effective cyber risk management programmes within their organisations in an effort to mitigate the risk of disruption to their business operations, avoid costly fines and damage to their brand as well as significant financial losses.
The EU General Data Protection Regulation becomes enforceable in May 2018 and significantly expands the scope and enforceability of the EU’s data privacy regime. Companies are required to inventory all personal data they process, implement risk-based security measures, and report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Non-compliant organisations may be fined up to four per cent of annual global turnover or €20 million, whichever is greater.
Similarly, in the US, the New York Department of Financial Services (NYDFS) recently issued a first-of-its-kind cyber regulation covering all NYDFS-regulated financial institutions, including New York branches of foreign banks. The NYDFS regulation mandates the implementation of a risk-based cyber risk management programme and the appointment of an individual to oversee it and, in an unprecedented step, requires the board of directors or a senior officer to sign an annual certification of compliance, placing personal accountability for that certification on the individuals who sign it.
Taking on responsibility
Approximately three-quarters of public company directors say that their board is more involved with cybersecurity than it was 12 months ago and 80 per cent say they have increased company investments by an average of 22 per cent over the past year to defend against cyberattacks.
This is the third consecutive year that board members have reported increases in time and dollars spent on cybersecurity. Additionally, the number of boards with cyber incident response plans in place has increased from 45 per cent to 63 per cent. Nevertheless, barely one-quarter are sharing information and threat intelligence on cyberattacks with entities outside of their business – a practice that must become more prevalent for reasons of public safety, protection of a nation’s critical infrastructure, national security and economic security.
Generally, larger organisations with well-funded and mature cybersecurity programmes are well positioned to contribute valuable technical cyber threat intelligence, along with the identified tactics, techniques and procedures of cyber adversaries, which would assist in the defence of all organisations and the defence of nations.
The ascension of cybersecurity
There is no doubt that cybersecurity continues to move up the boardroom agenda. Corporate directors are briefed more frequently on the organisation’s cybersecurity posture and related vulnerabilities, and they are responding with increased budgets to address this critical area of enterprise risk. However, significant gaps remain: less than half of the board members surveyed worked with their organisations to prioritise the identification and development of solutions to protect their critical digital assets. Even fewer organisations have put cyber risk requirements in place for third-party vendors, a major source of data breaches.
Beyond ticking the boxes
Boards allocate resources and provide management with the tools needed to identify and mitigate cyber risks. Cyber-responsible boards go beyond approving policy: they oversee, verify and advance cybersecurity measures so that those measures keep pace with, or better yet stay ahead of, the latest developments in cybercrime.
Organisations have adapted to new cyber requirements in a very pragmatic way, often relying on compliance criteria to determine their corporate cybersecurity policies. This approach to cybersecurity often results in a ‘tick the box’ security posture, failing to appropriately address the organisation’s greatest vulnerabilities and identify areas for improvement. A compliance-driven stance on cybersecurity can jeopardise its effectiveness.
It is the responsibility of board members to ensure their companies strike a balance between effectively meeting compliance requirements and implementing a risk-based cyber programme that addresses the areas of vulnerability unique to each organisation. In a position to command resources and influence strategy, boards should push their organisations to new levels of innovation, not only in service and product offerings, but also in cyber risk management in order to ensure adequate protection from cyber threats.
Guarding the ‘crown jewels’
A board’s cybersecurity responsibilities are among its most complex – requiring members to actively engage in informed oversight of the organisation’s overall cybersecurity. Among their responsibilities, board members should:
1. Develop a deep understanding of the business’ critical assets
Quantify these assets by modelling the potential financial impact if the organisation experiences a cyberattack that disables, limits access to, or destroys these assets.
2. Understand the risk to those business assets
In order to understand how to mitigate risk, boards must determine the current state of their organisation’s cyber risk profile. And performing a cybersecurity risk assessment is far less expensive than the cost of reacting to a breach, which can not only cause reputational harm, but can also find them in breach of regulation for not having been prepared. By conducting a risk assessment and gap analysis, boards can quickly assess current policies and operations, identify holes and prioritise remediation initiatives.
3. Take inventory of sensitive company data
Information is often an organisation’s most valuable asset. And today, more than ever before, the confidentiality, integrity and availability of that information are at risk. The increased threat of cyberattacks in recent years, along with the creation of new data privacy regulations, only emphasises the need for boards to implement strong policies to achieve compliance and mitigate information-related risks. Understanding what information the organisation holds, where it resides, who has access to it and why it is kept are key factors in identifying the highest-risk areas and developing a mitigation strategy.
4. Develop and implement an incident response plan
A rapid response during a data breach can make all the difference. Boards should oversee the development of a comprehensive, regularly tested and updated incident response plan that not only outlines immediate action, but also considers company processes, internal and external communications, legal and regulatory issues, contact with law enforcement, crisis management plans, and the roles and responsibilities of individuals throughout the firm in order to manage and mitigate the impact of a breach.
5. Examine insurance plans to ensure adequate levels of cyber coverage
Cyber insurance may be purchased as a stand-alone policy or included as an additional coverage under a professional liability policy. However, coverage levels and terms can vary greatly and work in conjunction or conflict with other insurance policies held by the organisation. Boards should evaluate current policies and levels of coverage, particularly if cyber coverage is added to another policy, to ensure their organisations are properly protected from the potential losses from a cyber incident.
About the Author:
John Riggi leads BDO USA’s Cybersecurity practice, having spent nearly 30 years as a highly decorated veteran of the FBI, and a former representative to the White House Cyber Response Group and Financial Services Steering Committee. During his time at the FBI, John developed mission critical partnerships in the healthcare sector and all critical infrastructure industries for the investigation and exchange of information related to national security and criminal cyber matters, as well as national initiatives to warn of specific cyber threats. Between 2014 and 2016, he played a strategic role in the investigation of every major cyber incident in the U.S. John also has extensive experience investigating complex healthcare fraud and related financial crime schemes.
John presently works with the American Hospital Association to lead strategic cybersecurity risk management training for the organization’s more than 5,000 hospital CEO members. In partnership with the Health Information Trust Alliance (HITRUST), John, who was named a member of the governing board, played a key role in the development and implementation of the new HITRUST Threat Catalogue, a first-of-its-kind tool aligned with the HITRUST CSF controls, designed to improve a healthcare organization’s ability to prioritize security program activities based on a greater understanding of the risks they face. In addition, John is an official private sector validator for the White House’s Presidential Policy Directive (PPD) on U.S. Cyber Incident Coordination, a policy intended to improve collaboration between the public and private sectors to combat significant cyber threats potentially impacting public health and safety, national security or economic security.