Creating a Structure for Cyber Risk Management

In 93 percent of data breaches, the targeted systems were compromised within minutes. Eighty-three percent of the time, those breaches were not discovered for weeks, leaving the attackers with plenty of time to do their damage and exfiltrate data, according to the 2016 Verizon Data Breach Investigations Report. The average consolidated cost of a U.S. data breach in 2016 was $7 million, and the average cost incurred for each lost or stolen sensitive data record was $221, according to the Ponemon 2016 Cost of Data Breach Study: United States.

In response to the evolution in the complexity of cyber risk, the National Association of Corporate Directors (NACD) released the 2017 edition of its NACD Director’s Handbook on Cyber-Risk Oversight. The guidance consists of the following five key principles:

Enterprise Risk
Historically, cybersecurity has been considered an IT function; however, cyber risk oversight is a board-level responsibility, and directors need to approach it as an enterprise-wide risk management issue. Some of the highlighted areas for directors to engage management on include:

• Crown jewels: Management should have an understanding of the organization’s most critical data assets—where they reside, how they flow through the organization and who has access to them. This foundational understanding supports a focused and efficient protection and cyber risk reduction strategy.
• Third-party risk: Management should understand cyber risks present not only within their own organization’s infrastructure, but also within the larger ecosystem of partners, suppliers, affiliates and customers within which it operates. The degree of connectivity that the organization has with third parties can increase its cyber risk exposure, as several well-known and significant breaches were initiated through third parties.

Legal Implications
The board and the individual directors should have an understanding of the cybersecurity legal and regulatory landscape that is applicable to the organization. This includes liability, public disclosure and reporting (e.g., Securities and Exchange Commission), information sharing, infrastructure protection, and data breach notifications. Some areas of emphasis for this principle:

• Table top exercises: As a result of the varied manner in which company executives have handled data breaches at their organizations, it has become clear that proper incident response planning is not just a necessity for IT staff and management, but also for corporate executives and directors. Corporate brands have been impacted by unclear and inconsistent executive communication. The NACD handbook recommends that directors participate in simulations or table top exercises to become familiar with their incident response procedures and communication approach.
• Board minutes: Formal board meeting minutes should reflect when cyber risk issues are on the agenda or discussed, whether by the full board or key committees.

Cyber Expertise
While NACD research has shown that an increasing number of boards discuss cyber risk on a regular basis, it also indicates that most boards do not have an adequate understanding of it. In lieu of adding single-purpose directors with cybersecurity expertise, boards can close this gap in other ways:

• Deep dive briefings or examinations
• Leveraging existing independent advisors, such as external auditors and outside counsel
• Participating in director education programs

Cyber Risk Management Framework
Directors should set the expectation that management will adopt an enterprise-wide cyber risk management framework with adequate staffing and budget. This is important for every organization, but particularly for more distributed and decentralized organizations to establish a consistent approach to managing risk. The handbook states that organizations should at least consider the adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Board-Management Cyber Discussions
Alignment between board and management with respect to cyber risk should be obtained by having discussions of which risks to avoid, accept, mitigate or transfer through insurance.

NACD research indicates that over 50 percent of boards assign cyber risk oversight to the audit committee. Given that this is where cyber risk governance discussions with management are occurring for many organizations, the role of internal audit to provide an independent and objective assurance of cyber risk management is critical. A report by the Institute of Internal Auditors—Global Technology Audit Guide (GTAG): Assessing Cybersecurity Risk: Roles of the Three Lines of Defense—provides some valuable guidance on how to achieve this coverage through internal audit.