CYBERSECURITY. Protecting Against the Financial, Regulatory and Reputational Impacts of Cyber Attack

Transcription

1 CYBERSECURITY Protecting Against the Financial, Regulatory and Reputational Impacts of Cyber Attack

2 An Interview with the Department of Homeland Security s Office of Cybersecurity Since government agencies have a significant interest in protecting U.S. corporations and citizens from cyber crime, we partnered with the Department of Homeland Security to discuss emerging cyber risks that U.S.-based companies face today. In this exclusive interview, one of the field s leading experts, Dr. Andy Ozment, Assistant Secretary of the Department of Homeland Security s Office of Cybersecurity and Communications, provides guidance for boards of directors on how to assess and prioritize actions that protect organizations against the financial, regulatory and reputational impacts of a cyber attack. 2

3 What are the potential consequences of cyber attacks? Theft of intellectual property or classified, sensitive, personal or proprietary information; destroyed or altered data; harm to reputation and public confidence; financial loss; disruption of critical services; and damage to or destruction of critical infrastructure. Cyber attacks may also lead to legal and regulatory actions or sanctions. 3

4 What emerging risks should corporate directors have on their radar? At a tactical and operational level, the United States Computer Readiness Team (US- CERT) posts alerts about the latest threats and vulnerabilities on its website. An updated summary of the most frequent, high impact types of security incidents currently being reported to US-CERT can be viewed at At the strategic level, read the newspaper. If a foreign nation is in a conflict with the US even if the conflict is limited to sanctions or a war of words, consider whether your company could become a target for that foreign nation. How can non-technical stakeholders assess and prioritize cybersecurity risks? Identify your crown jewels, and consider the following: What are our company s most critical data assets? Where do they reside? Are they located on one or multiple systems? How are they accessed? Who has permission to access them? If the crown jewel is a service (instead of data), what is the impact of the service not functioning? 4

5 We are starting to see more cybercriminals who are socially-minded, though this is more common in the political arena. As the motivations of hackers change, how should businesses be responding? An attacker s motivation is only one factor to consider when evaluating the level of cyber risk to an organization. Networks should be secured no matter who is trying to get in, or why. As hacktivism becomes increasingly common, organizations of all types must be more vigilant of the need for cybersecurity. Organizations that traditionally were not susceptible to cyber attacks may now become targets because of political affiliation, social values, religious beliefs, and other forms of social identity. All organizations should put mechanisms in place to prevent breaches and theft of data. How could a director ensure the corporation has adequate personnel to assess and monitor cybersecurity risk? First, establish ownership of the problem on a cross-departmental basis. A senior manager with cross-departmental authority, such as the CFO or chief risk officer, (not the chief information officer) should lead the team. Second, appoint a cross-organization cyber-risk management team. All substantial stakeholder departments must be represented, including business unit leaders, legal, internal audit and compliance, finance, human resources, IT, and risk management. Third, maximize your intelligence by sharing information with your industry peers through sector-specific Information Sharing and Analysis Centers. These will soon be supplemented by the more generalist (rather than sector-specific) Information Sharing and Analysis Organizations. Are there examples or best practices from the private sector that corporate directors should look to regarding cyber risk mitigation or prevention? Cybersecurity should be considered at the board level, and cyber risk management should be part of every company s overall risk management plan. To manage cyber risk, consider investing approximately 80 percent of resources in best practices, such as the Cybersecurity Framework, 15 percent in information sharing, and 5 percent in incident response and recovery. Organizations that implement best practices and share cyber threat information with the government and each other will increase the cost of an attack for adversaries and stop many threats. Although cybersecurity is about risk management, it is impossible to eliminate all risk. There exists no perfect cyber defense strategy, and eventually adversaries will successfully attack or intrude upon a target organization. Companies must be able to quickly and effectively respond to incidents. 5

6 What should directors be asking management to ensure the cybersecurity risks are being addressed adequately by the company? Some questions management should consider include the following: How is our executive leadership informed about the current level and business impact of cyber risks to our company? What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks? How does our cybersecurity program apply industry standards and best practices? How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership? How comprehensive is our cyber incident response plan? How often is it tested? One tell-tale sign of an unempowered Chief Information Security Officer (CISO) deals with foreign travel. If you are traveling to countries well known to engage in espionage, does your IT team give you a clean mobile phone and laptop to use? In other words, you should take a phone and a laptop that don t have any data on them, and assume that they will be hacked. You should turn them in when you return. If your CISO hasn t asked you to do this, ask them why! What are some key components that every company should have in their cyber-response plan? In building a comprehensive risk management program, situational awareness in both normal operations and in a crisis is essential to achieving cyber resilience. In times of crisis, it is of the utmost importance to quickly halt the attack and mitigate its effects. After a cyber attack, ask the following questions: What information was taken? Was the cause an internal or external actor? Who should be told? Have operations been compromised? How was the attack discovered? What is being done to mitigate the attack? What weaknesses allowed it to occur? What can be done to ensure it doesn t happen again, and what can be done to mitigate losses of the attack? The plan should also cover insurance (when do you call your insurer?), notification of the Board and other senior leaders, a public affairs plan, and examples of pre-written notification materials. One of the best cybersecurity resources available to private sector organizations is DHS s NCCIC. After a cyber attack, DHS recommends that an organization call the NCCIC to leverage all its capabilities and help to mitigate the effects of the attack. To report a cyber event to the NCCIC, call

7 Is there a framework that companies use to mitigate these risks? The Cybersecurity Framework, created through collaboration between industry and government, consists of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and costeffective approach of the Framework can also help private sector organizations improve their cybersecurity. For more information, visit The Critical Infrastructure Cyber Community (C³, pronounced C-Cubed ) Voluntary Program supports the practical application of the Cybersecurity Framework by facilitating access to free technical assistance, tools, and other resources to help private sector organizations strengthen their capacity to manage cyber risks. The goals of the C³ Voluntary Program are to support industry in increasing cyber resilience, increase awareness and use of the Cybersecurity Framework, and encourage organizations to manage cybersecurity as an all-hazards approach to enterprise risk management. The C³ Voluntary Program provides resources including Cybersecurity Questions for CEOs, a slick sheet that provides key questions to guide leadership discussions about cybersecurity risk management, as well as questions CEOs should ask about cyber risk. The full list of C³ Voluntary Program resources can be found on 7

8 In addition to applying the tenets of the Framework, there are a variety of tools and services available to help private sector organizations identify vulnerabilities and prevent an attack. Organizations may wish to transfer risk through an insurance provider. When choosing a cyber insurance partner, it is important for an organization to choose a carrier with the breadth of global capabilities, expertise, market experience, and capacity for innovation that best fits the organization s needs. DHS s National Cybersecurity and Communications Integration Center (NCCIC) can help private sector organizations prepare for, respond to, and recover from a cyber attack. The NCCIC analyzes data to develop mitigation recommendations, shares actionable threat information, provides onsite assessments to determine an organization s cybersecurity posture, and can assist organizations with recovery and mitigation efforts in the wake of a cyber attack. For more information, visit 8

9 Best Practices for Boards & Management to Mitigate Cybersecurity Risk 1. Join CISCP to share information with DHS and your peers. 2. Join or form an Information Sharing and Analysis Organization (ISAO) to share cyber threat information with other companies. 3. Participate in the C³ Voluntary Program. 4. Talk to a Commercial Service Provider and pay for Enhanced Cybersecurity Services (ECS). 5. Subscribe to US-CERT s National Cyber Awareness System (NCAS), which delivers targeted, timely, and actionable information about cybersecurity topics and threats. If your organization experiences a cyber incident, contact the NCCIC immediately at

10 What government resources are available to corporations who want to better understand this subject matter? National Cybersecurity and Communications Integration Center (NCCIC) DHS s NCCIC is a 24/7 information sharing, analysis, and incident response center. During cyber incidents, the NCCIC serves as the national response center, bringing the full capabilities of the Federal Government to bear in a coordinated manner with state, local, and private sector partners. For more information, visit United States Computer Readiness Team (US-CERT) US-CERT develops timely and actionable information for distribution in the form of alerts, warnings, reports, and mitigation guidance regarding incidents, threats, and vulnerabilities. For more information, visit Critical Infrastructure Cyber Community (C³) Voluntary Program The C³ Voluntary Program supports the practical application of the Cybersecurity Framework by facilitating access to free technical assistance, tools, and other resources to help critical infrastructure entities strengthen their capacity to manage cyber risks. The full list of C³ Voluntary Program resources can be found on Cyber Information Sharing and Collaboration Program (CISCP) CISCP was established for information sharing and collaboration with our critical infrastructure partners. Through CISCP, DHS shares cyber threat, incident, and vulnerability information in near-real time, and enhances collaboration in order to better understand threats and improve network defense for the entire community. For more information, ciscp_coordination@hq.dhs.gov. Enhanced Cybersecurity Services (ECS) Program The ECS Program helps protect U.S.-based public and private sector entities from unauthorized network intrusions. DHS shares sensitive and classified cyber threat indicators with qualified Commercial Service Providers (CSPs), enabling them to better protect their customers. For more information, visit Cyber Resilience Review (CRR) The CRR is a no-cost, non-technical assessment to measure organizational resilience and provide a gap analysis for improvement based on recognized industry best practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. To conduct a CRR, visit To schedule an on-site facilitated session, cse@hq.dhs.gov. 10

11 DR. ANDY OZMENT Assistant Secretary of the Office of Cybersecurity and Communications Dr. Andy Ozment is the Assistant Secretary of the Office of Cybersecurity and Communications (CS&C) within the National Protections and Programs Directorate (NPPD) of the Department of Homeland Security (DHS). In this role, Dr. Ozment oversees a budget of almost $930 million and leads a Federal employee workforce charged with enhancing the security, resilience, and reliability of the Nation s cyber and communications infrastructure. Dr. Ozment has worked in the cybersecurity field as a programmer, operator, researcher, policymaker, and executive. Prior to joining DHS, he served at the White House as the President s Senior Director for Cybersecurity where he led a team that developed national policy and coordinated federal cybersecurity efforts in the areas of critical infrastructure protection, cybersecurity legislation, executive branch security, privacy and civil liberties, information sharing, and incident response. Dr. Ozment was responsible for the development and the implementation of President Obama s Executive Order (EO) on Improving Critical Infrastructure Cybersecurity. The EO led to the National Institute of Standards and Technology (NIST) Cybersecurity Framework and resulted in a significant increase in threat information sharing from the government to the private sector. Dr. Ozment also established the Cross Agency Priority (CAP) goal for cybersecurity and led the development of the National Strategy for Trusted Identities in Cyberspace (NSTIC), a signature initiative by the Administration to improve security and privacy across the Internet. Prior to joining the White House, Dr. Ozment led an operational security group at DHS that oversaw compliance, metrics, and security authorization for the department s Chief Information Security Officer. Previously, Dr. Ozment served in cybersecurity roles with the Office of the Secretary of Defense, National Security Agency, MIT Lincoln Laboratory, Merrill Lynch, and Nortel Networks. In his academic career, Dr. Ozment worked at MIT Lincoln Laboratory, where he published 11 refereed academic publications on software vulnerabilities, DNS and HTTP security, the economics of cybersecurity, and security usability. Dr. Ozment earned a Bachelor of Science degree in Computer Science from Georgia Tech. While studying in the United Kingdom on a Marshall Scholarship, he earned a Master of Science degree in International Relations from the London School of Economics, and a Ph.D. in Computer Science from the University of Cambridge. 11

12 ENLIGHT RESEARCH ABOUT US Enlight Research provides independent financial and corporate governance information, and news with sentiment analysis in one place and in real time. Leveraging advanced technology, our software offers a simple and seamless way for boards, management, investors, and advisors to view, evaluate, and convey upto-the minute company performance and corporate governance data and trends in a relevant context. Founded in 2012, Enlight is headquartered in Durham, North Carolina. Contact Us info@enlightresearch.com enlightresearch.com