The Role of the Board in Effective Risk Assessment

The year 2021 has proven itself to be a tumultuous one in the field of cybercrime, with several high-profile attacks and breaches making the headlines. What is new about the crimes this year (as opposed to previous years) is both the blast radius, which extends far beyond a single server housed in an IT department, and the legal and financial repercussions that are to follow. These are highly significant events in the life of a company. They are not minor IT activities. Their potential to negatively impact a company’s future makes board-level involvement an absolute necessity.

Some examples, with names removed, include:

  • Companies that have suffered a major ransomware attack and have found out that their insurance company will not cover the cost of the ransom payment
  • Companies that have suffered a ransomware attack or vandalism and that are now facing litigation, including class actions, due to the impact that the attack had on other people and businesses
  • Companies that have been involved in a supply chain attack that occurred through a trusted technology vendor, which had been approved at the board level
  • Companies that have, unwittingly or otherwise, found themselves to be pawns in a nation-state attack, and/or involved in a data breach in violation of powerful data protection rules, or similar government laws or statutes

These are just four examples that show how impactful and widespread cybercrime already is, and how cyber risk has become one of the top enterprise-wide risks facing companies. Threat actors are becoming increasingly experienced, sophisticated, and confident, and no organization of any size is immune.

Such a dire outlook should be old news, but sadly, it is not. Stories abound of companies and public infrastructure facilities being hacked due to poor cyberhygiene, outdated technologies, or general ignorance. If they were isolated physically, then the problem would be theirs to fix. But because they, and everyone else in the world, are connected, these myriad problems belong to us all.

Historically, the Board of Directors has a mandate to navigate a company safely through the events of its life, ostensibly answerable to its shareholders, or stakeholders. Much of the day-to-day management is delegated down through the levels of the organizational hierarchy, but the board nonetheless holds a responsibility to be proactive in understanding the threats that the company could face.

Issues dealing with IT and cybersecurity are similarly delegated downwards. C-level officers, usually a Chief Information Officer (CIO) focusing on internal progress, a Chief Technology Officer (CTO) focusing on technology that interacts with the outside, and a Chief Information Security Officer (CISO) focusing on cyberthreats and defence, would then be the conduits of strategic and practical information to the Executive and the Board.

It sometimes helps to remove the word cyber from the lexicon of management. A cyberthreat is a threat. It should not be siloed. A breach has very real dangers to the entire organization. When people’s data has spilled out onto the internet, it affects cash flow, reputation, and brand, and puts the company in a situation that will take years to recover from, if it ever can. Ransomware can bring a company to a grinding halt, and in many cases, this has immediate negative effects on the community that surrounds it. Recovery from ransomware can cost millions when the ransom is paid, and restoring operations to full power can take months. Espionage and vandalism may leave hidden time bombs that continue to steal or wreak havoc for years to come.

The board and departments such as internal audit must work together to ensure that all the organization’s data assets, and the potential cyber threats that could jeopardize those assets, have been adequately mapped out. This should not be a one-time thing or an annual event. Defence in depth means constant vigilance and war games such as penetration testing, to ensure that vulnerabilities, insider threats and external threats are being constantly monitored, and that new technologies like artificial intelligence are being brought into the fold to analyse patterns and irregularities. This is information that board members must be comfortable with, and that IT and security specialists must be able to explain in language that makes the seriousness of the situation clear.

Assurances agreed in the audit plan should reflect the organization’s cyber risk appetite, which itself should be determined by, or at least fully understood by, the Board. For example, what is the organization’s risk appetite toward having employees continue to work from home? What is the risk appetite for handing over mission-critical operations to a managed cloud services provider? What is the risk appetite for hiring a well-known vendor over a lesser-known one? These sound like questions that belong further down the chain of command, but in fact, they belong in the boardroom.

As described by Tyler Cybersecurity on their blog:

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Directors should understand the legal and regulatory implications of cyber risks as they relate to their company’s specific circumstances.
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the Board meeting agenda.
  • Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
  • Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

This demands a complete understanding of the risks involved in anything cyber-related. It then extends to further questions, such as:

  • How risks are disclosed
  • How a crisis management plan and a business continuity plan will be developed and deployed
  • How security events will affect governance and compliance
  • What role the board should play during a cyber incident
  • Communication policies between the board, senior management, and management

Most individuals who are invited to sit on a Board of Directors already have a wealth of business experience. That’s why they are there. But there is more needed than wisdom gleaned from the past. Today’s Director must be willing and able to grab on to a fast-moving train in which threats and incidents happen by the minute. In 2020, in the US alone, there were 65,000 ransomware events – seven every hour. DDoS and similar types of attacks are happening constantly.

How an Experienced CGRC Professional Can Help

Directors and leaders need people in the field who can feed them the information required for sound decision making and action. An experienced CGRC certified professional can help guide and support directors by blending their education and experience in cybersecurity with a capacity to communicate clearly and authoritatively on the situations at hand, whether in prevention or in the midst of a crisis. Directors and Board Members have the responsibility to understand the true nature of cyber as it applies to their company and the ecosystem in which it works. A CGRC certified professional is there to help them achieve these goals.