Addressing Cyber Risks: Best Practices for Board of Directors
By: Andrew Royce, Co-Founder & President of BlueStone Advisors
March 10, 2015
Global business risks continue to rapidly evolve, in large part due to the cyber risks that are exponentially accelerated by our appetite for new technologies and big data.
According to Dave DeWalt, CEO of FineEye, 97% of ALL companies are getting breached or have been breached. FBI Director, James Comey, told 60 Minutes, "There are two kinds of big companies in the United States…those who've been hacked by the Chinese, and those who don't know they've been hacked by the Chinese." JP Morgan Chase spends in excess of $250M every year on network security, which includes hiring “military-grade cyberwarriers” from NSA headquarters. Yet despite their best efforts to strengthen Network Security, JPMorgan Chase neglected to install a simple security fix on one remote server in a vast network that led to a data breach of over 83 Million of its account holders. 2014 included other big name breaches, prompting many board members across the country to fill their reading tablets with Enterprise Risk Management and Cyber Security literature. Here we have compiled a brief summary of best practices to consider when incorporating cyber risk oversight into your organization’s enterprise risk management program.
Step 1: Holistic Understanding of Firm Risk
Discuss and prioritize top risks that threaten the organization. NCS and Proviti recently conducted a study of the top business risks for 2015. One of the findings concluded that directors and senior management are not always in agreement on the top risks that threaten the organization, or they prioritize the risks differently. The board and senior managers must first align risk priorities. Senior management can’t and won’t be effective if board priorities and expectations are skewed from their own.
Further, because employees can play an important role in risk mitigation, it becomes important for the board and senior management to be in agreement so that a unified tone can be set from the top.
Once established, senior management - under the board’s oversight - must seek and reinforce the “everyone is responsible” mantra, meaning that those responsible for each operating unit establish proper communication and reporting channels back to senior management. A fundamental tenant of Enterprise Risk Management is to establish a culture where the unit managers and supporting staff communicate risks up to executive management.
Step 2: Understanding Financial, Reputational, and Brand Impact
First establish the immediate financial impact of a breech. Costs following an impact can include:
- Notification expenses
- Legal defense and counsel
- Public relations
- Crisis services
- PCI fines and penalties
- Regulatory defense
- Regulatory fines
- Insurance Costs
(When?) The average cost per breached account was ___, the average cost of legal defense was____ and the average cost of legal defense was ____. Analyzing the above costs will help you gain an understanding of the financial impact to your organization. The next step is to obtain a cyber insurance policy to transfer some of the financial risks.
Will the organization suffer reputational damage following a breach? Last year, Target suffered a 10% loss in their stock price when it tumbled from $___ to $54 per share following a data breach. It took 14 months for Target to fully recover, when it closed above $74 in Feb. 2015. Understand the immediate financial impact and longer-term reputational costs to adequately assess the risk.
Step 3: Put the Right Resources in Place
Identify your cyber security and breach response team now. Has senior management identified the cyber response team inclusive of outside counsel, forensic and investigation consultants, insurance broker and public relations? Does your company have a cyber security team on retainer and a disaster recovery plan in place? When it comes to forensic consultants, it is a good idea to negotiate a retainer so that the response team will gain working knowledge of your organization. In addition, a retainer can provide response time guarantees for your organization, which can be important if resources are limited at the time of a breach.
Once on retainer, most forensic teams can also conduct onsite pre-loss mitigation education, webinars, and training to the unit managers and staff. In 2014, 24% of all data breaches arose from staff mistakes and rogue employees. Pre-loss mitigation training and education can work to reduce the threat of cyber breaches originating from internal mistakes. To help prevent a rogue employee from leaking data or stealing valuable corporate property, predictive behavior software can be implemented to help provide warning signals to senior management about disgruntled employees. There are additional resources to consider for assistance in preventing a breach and mitigating the damage - if and when it does occur.
Step 4: Continuous Risk Evaluation
Establish a formal risk oversight committee where the board and senior managers have a dialogue about current and emerging risks affecting the organization. Work to establish a sustainable risk process to address the next big risk before it becomes media worthy. Discuss and prioritize risks and external threats that could endanger earnings, reputation and the brand. An organization’s risk profile and appetite for taking on risk can evolve over time. Be certain to correlate the risks with the organization’s ability to address them.
For some boards, Risk Management has other competing priorities on the agenda – below is a short list of questions to assist board members to discuss preparedness, evaluate risks and engage in a dialogue:
- Are board members cognizant of management risk concerns?
- Does the board agree with why these risks are significant?
- Do directors understand the organization’s responses to these risks?
- Is there a periodic review of the organization’s risk profile?
- Does management appraise the board in a timely manner of changes in the organization’s risk profile?
- Is there a process in place for identifying emerging risks?
- Is there a board dialogue regarding management’s appetite for risk?
- Does the organization’s culture facilitate an open dialogue on identifying and evaluating opportunities for risks, including the education of significant risk issues warranting the attention by executive management and the board?
The board that commits to addressing risk sets a tone from the top on down and undergoes a critical first step in a coordinated effort towards enterprise risk. While a breach seems inevitable for most companies today, the costs of a breach can be significantly mitigated by an organization’s cohesive preparedness for the breach event.