[BreachExchange] Creating a Structure for Cyber Risk Management

Mon Oct 16 20:43:43 EDT 2017

https://www.bankdirector.com/index.php/issues/risk/creating-structure-cyber-risk-management/

In 93 percent of data breaches, the targeted systems were compromised
within minutes. Eighty-three percent of the time, those breaches were not
discovered for weeks, leaving the attackers with plenty of time to do their
damage and exfiltrate data, according to the 2016 Verizon Data Breach
Investigations Report. The average consolidated cost of a U.S. data breach
in 2016 was $7 million, and the average cost incurred for each lost or
stolen sensitive data record was $221, according to the Ponemon 2016 Cost
of Data Breach Study: United States.

In response to the evolution in the complexity of cyber risk, the National
Association of Corporate Directors (NACD) released the 2017 edition of its
NACD Director’s Handbook on Cyber-Risk Oversight. The guidance consists of
the following five key principles:

Enterprise Risk
Historically, cybersecurity has been considered an IT function; however,
cyber risk oversight is a board-level responsibility, and directors need to
approach it as an enterprise-wide risk management issue. Some of the
highlighted areas for directors to engage management on include:

Crown jewels: Management should have an understanding of the organization’s
most critical data assets—where they reside, how they flow through the
organization and who has access to them. This foundational understanding
supports a focused and efficient protection and cyber risk reduction
strategy.
Third-party risk: Management should understand cyber risks present not only
within their own organization’s infrastructure, but also within the larger
ecosystem of partners, suppliers, affiliates and customers within which it
operates. The degree of connectivity that the organization has with third
parties can increase its cyber risk exposure, as several well-known and
significant breaches were initiated through third parties.

Legal Implications
The board and the individual directors should have an understanding of the
cybersecurity legal and regulatory landscape that is applicable to the
organization. This includes liability, public disclosure and reporting
(e.g., Securities and Exchange Commission), information sharing,
infrastructure protection, and data breach notifications. Some areas of
emphasis for this principle:

Table top exercises: As a result of the varied manner in which company
executives have handled data breaches at their organizations, it has become
clear that proper incident response planning is not just a necessity for IT
staff and management, but also for corporate executives and directors.
Corporate brands have been impacted by unclear and inconsistent executive
communication. The NACD handbook recommends that directors participate in
simulations or table top exercises to become familiar with their incident
response procedures and communication approach.
Board minutes: Formal board meeting minutes should reflect when cyber risk
issues are on the agenda or discussed, whether by the full board or key
committees.

Cyber Expertise
While NACD research has shown that an increasing number of boards discuss
cyber risk on a regular basis, it also indicates that most boards do not
have an adequate understanding of it. In lieu of adding single-purpose
directors with cybersecurity expertise, boards can close this gap in other
ways:

Deep dive briefings or examinations
Leveraging existing independent advisors, such as external auditors and
outside counsel
Participating in director education programs

Cyber Risk Management Framework
Directors should set the expectation that management will adopt an
enterprise-wide cyber risk management framework with adequate staffing and
budget. This is important for every organization, but particularly for more
distributed and decentralized organizations to establish a consistent
approach to managing risk. The handbook states that organizations should at
least consider the adoption of the National Institute of Standards and
Technology (NIST) Cybersecurity Framework.

Board-Management Cyber Discussions
Alignment between board and management with respect to cyber risk should be
obtained by having discussions of which risks to avoid, accept, mitigate or
transfer through insurance.

NACD research indicates that over 50 percent of boards assign cyber risk
oversight to the audit committee. Given that this is where cyber risk
governance discussions with management are occurring for many
organizations, the role of internal audit to provide an independent and
objective assurance of cyber risk management is critical. A report by the
Institute of Internal Auditors—Global Technology Audit Guide (GTAG):
Assessing Cybersecurity Risk: Roles of the Three Lines of Defense—provides
some valuable guidance on how to achieve this coverage through internal
audit.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171016/0ad6cba4/attachment.html>