How board members can oversee cyber security
Updated: 10 Aug 2018, 12:35 PM IST
In the digital age, cyber threats are not a technology issue but a business risk and steps need to be taken to ensure the safety of digital assets.
Given how the threat landscape is evolving and how regulators are holding company boards accountable for breaches, it is high time that cyber security became a boardroom agenda. CIOs and CISOs can take care of the technological aspects and, in some cases, compliance, but the business risk, which has become increasingly apparent after an endless series of breaches at large conglomerates, can best be understood and managed in the boardroom. The Cybersecurity Ventures Cybercrime Report 2017, which forecasts cyber crime losses to reach $6 trillion by 2021, up from $3 trillion in 2015, gives reason enough to consider cyber security a business risk and explains why boards too must rise to the challenge.
Why boards are not fully empowered
We know that regulators and shareholders have already mounted pressure on company boards to report breaches and material losses in their filings. The boards of many banks, credit rating agencies, e-commerce companies and healthcare companies have swung into action: they regularly discuss, review and plan for cyber risks in their meetings. However, their numbers are small. More companies need to embrace this thinking, and the perception that cyber security is a technology issue needs to be done away with as soon as possible.
A major obstacle to getting on this bandwagon is the lack of a robust mechanism that allows the board to oversee cyber security. Boards traditionally like to assess everything on measurable metrics (performance rating points). While such metrics exist for other functions, for cyber security there aren't any.
For a board, the only source of information is the audit committee assessment, which offers only a historic view. It does not guide the board to take action or help it plan ahead. To maintain real-time supervision, on the other hand, boards need to know how many threats were detected in a defined timeframe, how they were responded to, how breach attempts were handled, how many system outages were encountered, how long the company took to recover from those outages, how many system gaps/vulnerabilities were detected and fixed, and whether the company has chalked out a plan to fend off future unknown threats. Since there are no measurable metrics in cyber security, this information remains unavailable to boards today.
What can boards do?
In that case, what can boards do? Probably the only way to address regulatory scrutiny and play the role of guardian in the true sense of the word is for boards to ask management the right questions. While boards will never be expected to know everything related to cyber risk, the questions they ask can give them a macro view.
Here are some examples:
Do we have the information?
In response to this, management can be asked to facilitate regular meetings with the company's top security owner, the CIO or CISO. Boards can also engage an outside expert for additional insight into security trends and risks. During these discussions, boards will be able to enquire about the company's threat environment and its resistance to cyber attacks.
How effective is our cyber security strategy?
Boards should ask the management about the company’s comprehensive strategy for addressing data security, whether it is effective and whether the programme includes innovative technologies to monitor, identify and respond to cyber threats or incidents.
How do we protect sensitive information handled, stored and transmitted by third-party vendors?
The company's third parties (suppliers, contractors, service providers and others) may have access to sensitive information on the company's network, which can result in a potential cyber security breach. Boards should understand how the company selects, vets and monitors third parties, along with how these parties protect the company's sensitive information. They should also understand the company's legal rights with respect to each third party, particularly if there is a breach.
Do we have cyber insurance?
The frequency and severity of cyber attacks have many companies considering cyber insurance. Boards need to know about the company's cyber insurance policy (if purchased) and how the cyber insurance market is changing, particularly as underwriters become more sophisticated.
How do we stay current in the threat landscape?
It’s important that boards ask what their company is doing to learn from others to improve its own resilience and cyber security.
Do we have a tested cyber incident response plan?
A security breach can cause serious damage to a company's reputation and financial position. Boards should discuss the company's incident response plan with management: what it entails regarding cyber security, how management tests the plan and whether it could be improved to make it more effective.
Reporting cyber security
While putting pressure on management for cyber security resilience is important, companies also need to adopt a board reporting framework for cyber security, one that is based on global standards and incorporates five core functions: Identify, Protect, Detect, Respond and Recover. This will give boards the desired insights, such as the number of threats detected, vulnerabilities addressed and breaches handled, and the strategy for unknown future threats.
A board reporting framework, which is essential for handling and addressing cyber security challenges, has to have four key elements:
Threat horizon: It should include information about the threat landscape, how it is growing in sophistication as well as complexity, and how it challenges the business.
Industry challenges: It should include an overview of the key cyber security trends and of threats, breaches and vulnerabilities overall, in the company's sector and at the company itself. It should also note what the industry and the company's competitors are doing to fight these threats.
Regulatory requirements: It should incorporate information about changing regulations such as GDPR, the Data Protection Bill and RBI guidelines.
Technology evolution: At the same time, it needs to report on how regularly systems are updated as the technology or threat landscape evolves.
Board members are becoming increasingly answerable to regulators, investors and customers. Adopting a cyber security board reporting framework empowers them with the thorough insights needed to defend companies from external and internal threats, and with the steps that need to be taken to ensure the safety of digital assets. To reiterate: in the digital age, cyber threats are not a technology issue but a business risk.
This article has been authored by Sivarama Krishnan, Leader, Cyber Security, PwC India. Cyber security is one of the fastest growing practices within the firm. With over 25 years of global experience across diverse sectors including government, BFSI, FMCG, energy, oil and gas, metals and mining, infrastructure and healthcare, Krishnan is actively involved in NASSCOM's Cyber Security Task Force (CSTF). Apart from leading the cyber security practice at PwC, Krishnan also leads the firm's new Product and Services platform.