Over the past few years, many companies have seen a dramatic change in the cyber-risk landscape. The change is driven by a rise in the importance of digital assets, growing sophistication of cyber-attacks (sometimes called Advanced Persistent Threats), and the extension of the corporate network to include the networks of customers, suppliers, and others.
Cyber-criminals frequently seek to extort money, cause business interruption, steal Personal Identifiable Information (e.g., Social Security Numbers, patient and client data) and gain access to intellectual property (e.g., business plans, trading algorithms, product designs, and source code).
High-profile breaches and their monetary impact have caused boards and audit committees to take notice. Target’s now infamous cybersecurity breach has cost the company $162 million to date in breach discovery, response and notification, litigation and fines. Other well-known data breaches—including Anthem, Vodaphone, Adobe, Sony, Home Depot, and JP Morgan Chase—have cost shareholders additional millions.
According to a recent Ponemon Institute/IBM study, an average breach can cost as much as one to two hundred dollars per record. In such cases, companies typically incur both direct costs (forensics experts, lawyers, victim identity protection services) and indirect costs (time, effort, and resources to resolve a breach). In addition, there is increased scrutiny by federal and state agencies among them the SEC’s Office of Compliance Inspections and Examinations (SEC OCIE), Health and Human Services’ Office for Civil Rights (HHS OCR), Office of Comptroller of the Currency (OCC), state attorneys general, and state insurance regulators.
Because the board and audit committee has oversight for cyber-risk, they need to communicate the importance of cybersecurity to management and staff. They must ensure that management is allocating the necessary resources to implement an effective, enterprise-wide cybersecurity risk-management program.
The National Association of Corporate Directors (NACD) recommends that audit committees and corporate boards follow these five key principles to help their organizations manage cyber-risk:
Historically, organizations have characterized cybersecurity as an information technology issue to be handled by the IT department. Yet, many decisions are made on a day-to-day basis throughout the organization which can significantly raise a company’s cyber-risk profile. For instance, contracting with third-party service providers, such as cloud vendors may elevate cyber-risk as can acquiring a company with poor cybersecurity controls or introducing a new service or product that handles sensitive customer information.
Business operations must ensure that the company’s Information Security Officer is involved in the deliberative process for initiatives that may increase cyber-risk exposure.
The legal risks of cybersecurity can affect both the organization and the individual directors or audit committee members. For instance, contracts with customers and third-party suppliers may be executed without the involvement of the general counsel or may contain language that does not effectively protect the organization from lawsuits.
Ensuring that contracts are reviewed by counsel before being approved can help to protect the organization against lawsuits. Also, contracts should be reviewed periodically to ensure that they adequately address changes to cybersecurity and privacy laws and regulations.
According to a recent NACD survey, 87 percent of corporate boards need to improve their understanding of IT risk.
In response, some boards are considering adding directors with cybersecurity/IT risk expertise, while others seek out regular briefings from third-parties, external auditors, outside counsel, and others with the requisite expertise and industry knowledge. The Chief Information Officer and/or Information Security Officer should provide the board with regular briefings on the company’s cyber-risk management activities.
Oversight begins with setting priorities. Management should allocate adequate resources and incentives to implement a comprehensive, integrated, enterprise-wide risk management program. That program should be supported by a robust cybersecurity framework, such as those established by the National Institute of Standards and Technology (NIST), the International Organization of Standardization (ISO), and other organizations.
Total absence of cyber-risk is virtually impossible in a connected world, but boards and audit committees need to consider cyber-risk mitigation investments and how they should be allocated, options available to transfer certain cyber-risks, how the impacted cyber events should be assessed, and how the organization should respond in the event of a breach.
Board and audit committee members should ensure that management includes these tactics when devising and implementing a cybersecurity risk-management plan:
If the board or audit committee lacks the expertise or resources to evaluate cyber-risk, or wants to validate the company’s program, an outside party can provide a valuable perspective.
Outside experts should have the resources and expertise to:
For more information on this topic, or to learn how Baker Tilly technology risk specialists can help, contact our team.
 Source includes the Cyber-Risk Oversight Director’s Handbook Series 2014 by the National Association of Corporate Directors.