The Business Value of including Cybersecurity and Vendor Risk in ERM

Transcription

1 The Business Value of including Cybersecurity and Vendor Risk in ERM Yo Delmar, Vice President, Customer Engagement, MetricStream RMA GCOR XI April 4 5, 2017 Hyatt Regency, Cambridge, MA Tuesday 2:30 pm

2 Challenge Risk leaders must bring visibility and encourage meaningful dialogue around the size, scale and scope of the most urgent risks facing their organizations

3 Need Programs that align directly with strategic objectives and address not only risks, but also opportunities for competitive advantage add tremendous value to the business.

4 Let s Look. At how emerging risks from vendors and cybersecurity in the 'extended enterprise' hit business value at its center and demand inclusion in ERM programs.

5 Vendor and Cyber Risk Directly Impact Business Performance Business Risks Contractual Risk Risk Domains Financial Stability Disruption Transaction / Operational Vendor Risks Cyber Risks Reputation IT Security Geo-political Compliance 5

6 Losses Due to Vendors Has your organization experienced a significant risk exposure due to a third party in the last 18 months? 21% Loss incidents of respondents 5 of greater than $10million 79% Source: MetricStream Research Yes No 6

7 What was the loss impact in U.S. dollars? Please rate the impact of the risk exposure 8.3% 25.0% 25.0% 8.3% 8.3% 25.0% 58.3% 41.7% Less than $1 million Greater than $10 million $1 million to $10 million Don't know Source: MetricStream Research High Medium Low Don't know 7

8 Cyber Risk Source: MetricStream Research

9 Number of Cyberattacks NUMBER OF CYBERSECURITY ATTACKS FACED BY YOUR ORGANIZATION WITHIN THE PAST 12 MONTHS? ARE THESE ATTACKS INCREASING OR DECREASING COMPARED TO PREVIOUS YEARS? UNKNOWN 33.8% 14.7% % 16.2% % 0% 10% 20% 30% 40% 100% 50% 0% 55.9% 2.9% 14.7% 22.1% 4.4% INCREASING DECREASING ABOUT THE SAME UNKNOWN OTHERS 66.2% of the organizations have faced at least one cybersecurity attack within last one year 33.8% are unware of the number of attacks faced Attacks have increased in the past year for 56 % of the organizations Source: MetricStream Research

10 Recent Attacks Which Concern the Most WITH RESPECT TO YOUR CYBERSECURITY READINESS, WHICH OF THE FOLLOWING MAJOR CYBER ATTACKS THAT OCCURRED WITHIN THE PAST YEAR CONCERN YOU THE MOST? SWIFT SYSTEM ATTACKS MORGAN STANLEY DOW JONES WELLS FARGO SCOTTRADE OTHERS CARBANAK 7.4% 10.3% 10.3% 13.2% 13.2% 19.1% 26.5% 0% 5% 10% 15% 20% 25% 30% Recent SWIFT system attacks concern most of the organizations Source: MetricStream Research 10

11 1 st of 3 Key Questions: Let s Dive a Little Deeper Where Do Vendor and Cyber Risk Sit in Risk Program? Where does Vendor and Cyber risk sit in the overall program? Who is responsible for it? Where is key information? How Do We Measure and Respond to Risk? What parameters are important? How often to measure? How do we respond and learn from incidents? What is the Business Value and How Can We Improve? How may vendor or cyber risk derail our business strategy? How can we measure value? How can we rapidly mature to improve business performance? 11

12 Does your enterprise have a dedicated third party risk management (TPRM) function? Overall Company Size-wise Yes 44.3% Yes 55.7% No No 0% 20% 40% 60% 80% Source: MetricStream Research 5,001 and greater 251-5,000 employees 12

13 Is third-party risk management in your enterprise currently included within other risk management or compliance programs? 70.0% 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0% Overall Enterprise IT risk Compliance Business risk management management continuity management management Anti-bribery Source: MetricStream Research 80% 60% 40% 20% 0% Company Size-wise 251-5,000 employees 5,001 and greater Enterprise risk management IT risk management Compliance management Business continuity management Anti-bribery 13

14 Cybersecurity Managed as a Component of ERM Is cybersecurity a formal part of the enterprise risk management program for your organization? 7.4% 91.2% Cybersecurity is a part of ERM program for more than 90% of the organizations Yes No Source: MetricStream Research

15 Scope of the Cybersecurity Program Is the scope of your cybersecurity program internal or does it cover third parties as well? 8.8% 20.6% 70.6% For 71% of the organizations, the scope of their cybersecurity program covers third-parties as well Internal to the organization Includes third-parties Unsure/Don t know Source: MetricStream Research

16 Reporting for Cybersecurity Function TO WHICH ORGANIZATION DOES THE CYBERSECURITY FUNCTION REPORT DIRECTLY? OFFICE OF THE CSO OR CISO 55.9% OFFICE OF THE CHIEF RISK OFFICER 20.6% SENIOR LEADERSHIP (CEO OR CFO) 11.8% BOARD OF DIRECTORS 5.9% 0% 10% 20% 30% 40% 50% 60% For majority of organizations (56%), the cybersecurity function reports to CSO/CISO Source: MetricStream Research

17 Board/CEO Involvement What level of involvement do the board of directors and CEO have in your cybersecurity program? (7 = highly involved, 1 = not involved) 30% 25% 20% 15% 10% 5% 0% 25.0% 26.5% 22.1% 19.1% 20.6% 13.2% 16.2% 10.3% 11.8% 5.9% 4.4% 5.9% % 7.4% Board Involvement CEO Involvement Source: MetricStream Research 17

18 Who within your organization is ultimately responsible for third party risk management? Corporate Audit Executive 3% Other 18% Chief Compliance Officer 16% Chief Information Officer 5% Source: MetricStream Research Chief Risk Officer 32% Chief Procurement officer 10% 18 Chief Information Security Officer 12% Chief Legal Officer 4%

19 Which of the following best describes your third party repository? 60% 50% 40% Comprehensively covers all third parties for all regions and business functions in the enterprise Inconsistently covers some third parties, but not others 30% 20% 10% Is tailored to a specific set of third parties or a specific business function, but does not cover all third parties of the enterprise Other 0% 251-5,000 employees 5,001 and greater Source: MetricStream Research

20 2 nd of 3 Key Questions: Let s Dive a Little Deeper Where Do Vendor and Cyber Risk Sit in Risk Program? Where does Vendor and Cyber risk sit in the overall program? Who is responsible for it? Where is key information? How Do We Measure and Respond to Risk? What parameters are important? How often to measure? How do we respond and learn from incidents? What is the Business Value and How Can We Improve? How may vendor or cyber risk derail our business strategy? How can we measure value? How can we rapidly mature to improve business performance? 20

21 What are the most significant criteria for determining whether to place a third party in the highest risk tier? 0% 10% 20% 30% 40% 50% 60% 70% 80% Critical component or service 71% Potential for disruption to operations 55% Regulatory requirement 41% Spend Limited availability of alternative sources 28% 31% Country risks 12% Size of company Other We do not risk tier third parties 5% 5% 3% Source: MetricStream Research 21

22 Which risk parameters are most important when evaluating third parties? 0% 10% 20% 30% 40% 50% 60% 70% 80% Data protection/privacy Financial viability Ability to maintain service levels Regulatory compliance requirements IT Security Business continuity risks Vendor s management (experience, turnover) Vendor s regulatory and legal environment Additional vendors in the vendor s supply chain Business model compatibility Vendor s employees Geopolitical environment Trustworthiness of public disclosures Architectural compatibility Currency fluctuations 19% 16% 12% 9% 5% 3% 3% 2% Source: MetricStream Research 22 33% 45% 59% 59% 57% 57% 67%

23 How often do you assess third parties in Various Risk tiers? 60% 50% 40% 30% 20% 10% 0% Highest risk tier Never Overall At least quartery Other Second highest risk tier At least monthly At least yearly Third and lower risk tiers Source: MetricStream Research How often do you assess third parties in Highest Risk Tier? 251-5,000 employees 5,001 and greater At least monthly 4% 24% At least quartery 33% 16% At least yearly 50% 52% Never 0% 0% Other 13% 8% How often do you assess third parties in Second Highest Risk Tier? 251-5,000 employees 5,001 and greater At least monthly 0% 12% At least quartery 8% 24% At least yearly 54% 48% Never 4% 0% Other 33% 16% How often do you assess third parties in the Third Highest Risk Tier? 251-5,000 employees 5,001 and greater At least monthly 0% 12% At least quartery 4% 4% At least yearly 42% 48% Never 4% 12% Other 50% 24% 23

24 Does your organization perform continuous monitoring of third parties? Don t know, 3.4% No, 8.6% OVERALL Yes - All parties, all the time, 34.5% Some (only highest risk third parties), 27.6% Occasionally (incon sistently applied), 25.9% Source: MetricStream Research 24

25 Actors Compromised In An Attack WHICH OF THE FOLLOWING ACTORS WERE COMPROMISED IN YOUR ORGANIZATION DURING AN ATTACK? 60% 50% 40% 30% 20% 10% 0% 48.5% EMPLOYEES (CURRENT & FORMER) 22.1% CUSTOMERS 13.2% 11.8% 10.3% 8.8% OTHER THIRD- PARTIES (CONSULTANTS, VENDORS, ETC.) PARTNERS IT SERVICE PROVIDERS SUPPLIERS Primary sources for cyber attacks Employees, customers, partners, suppliers and other third-parties Source: MetricStream Research 25

26 After an incident, what measures have been taken to prevent future risk incidents? 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 70.0% 80.0% Collaborate with the third party Re-assess the risk of the third party Modify contract terms Increase the frequency of assessments Reduce business volume Temporarily suspend business relationship Terminate the business relationship Source: MetricStream Research 26

27 Readiness to Share Cybersecurity Information How prepared is your enterprise to share cybersecurity information with government agencies/regulators, and others in the industry? 60% 40% 20% 0% 50.7% 38.8% 35.8% 31.3% 6.0% 17.9% 7.5% 11.9% Unprepared Somewhat Prepared Prepared Already sharing Government Agencies/Regulators Others in the industry 75% of the organizations are either prepared or somewhat prepared to share their cybersecurity information with the government, but only 18% are already doing so 82% of them are either prepared or somewhat prepared to share this information with their peers in the industry, but only 12% are already doing so Source: MetricStream Research 27

28 Cyber Security Program Maturity Source: MetricStream Research

29 3 rd of 3 Key Questions: Let s Dive a Little Deeper Where Do Vendor and Cyber Risk Sit in Risk Program? Where does Vendor and Cyber risk sit in the overall program? Who is responsible for it? Where is key information? How Do We Measure and Respond to Risk? What parameters are important? How often to measure? How do we respond and learn from incidents? What is the Business Value and How Can We Improve? How may vendor or cyber risk derail our business strategy? How can we measure value? How can we rapidly mature to improve business performance? 29

30 The Business Value Balancing Act Direct Risk People Failures COST BENEFIT Efficiencies Governance Opportunity Future Ready Difficult to Calculate Cost Difficult To See The Benefits Why Building a Business Case For GRC Is Complicated Bad News is Big News When a GRC Program fails it gains higher visibility and impacts the brand value/reputation. An impact which difficult to quantify. No News is Good News When an effective GRC program is in place it will operate seamlessly without hindering the business of the organization.

31 Seven Steps to Business Value 7. Accrued Benefits 1. Strategic Alignment 2. Needs Business value ultimately depends on the vision and scope of the GRC program, organizational readiness and speed of deployment. 6. Investment s 3. Readiness The goal of most organizations is optimize business value by choosing the level of investments across a portfolio of initiatives that support strategic objectives. 5. Roadmap 4. Value

32 1. Align with Strategic Objectives Identify Organization s Strategic Goals Identify Values which are critical Strategic Goal Achievement Identify key Risks to the enterprise goals, objectives and values Articulate Business Objectives for every level of the organization Identify Risks to Business Objectives at each level of the organization Enterprise Business Unit Business Unit Risk Risk Risk Risk Business Risk Risk

33 2. Understand and Prioritize Needs * See OCEG CRO at the Center

34 2. Understand and Prioritize Needs * See OCEG CRO at the Center

35 3. Measure Maturity and Readiness

36 4. Value: The Benefit Side 1 Risk Align to Performance Goals Risk Identification, Analysis, Intelligence Losses Remediation 2 3 Efficiencies Governance Rationalized Controls Redundancy Rationalize Systems Decision Making Culture Reporting Agility BENEFITS 4 Domains Cycle Time Personnel and Systems Streamlining Resource Allocation Scale Efficiencies

37 4. Value: The Cost Side 1 Direct Consulting Services Hardware and Software Cost Implementation and Support cost COST People Failures Opportunity Direct Personnel cost Contributors from business Management Effort Reporting Cost Staff for Support Regulatory fines Business Interruption Losses Market Cap Erosion Fraud related losses Losses due to Risk Blindness Misses Opportunities Misaligned Strategy Poor business risk management

38 5. Roadmap Consider Time to Value on the Roadmap Governance and Plan Applications Portfolio Eco-system Integration Considerations App Considerations Platform Considerations

39 6. Investments: Make the Case

40 7. Accrue Realized Benefits Business Case Continuous Improvement Continuous Rollout Realized Benefits

41 A Little Bit About Automation.. Then Recommendations

42 For what purposes would you apply (or are applying) a third party risk management software solution? (Average rating) On-boarding and due diligence of third parties Tracking vendor KPI and KRI Manage contracts, track compliance to contracts Create a single system of vendors across the enterprise Proactively identify and mitigate risks Replace old or home-grown solutions Avoid spreadsheet chaos Improve visibility across the extended value chain Ensure compliance to regulations Ensure business continuity Source: MetricStream Research 42

43 What technology do you use for third party risk management? (select all that apply) 50.0% 45.0% 40.0% 35.0% 30.0% 25.0% 20.0% 15.0% 10.0% 5.0% 0.0% Office productivity software (e.g., spreadsheets) Knowledge management software (e.g., SharePoint) In-house built software Third party risk management software on a GRC platform Third party risk management software on a procurement platform Niched third party risk management software Other (please explain) Source: MetricStream Research 43

44 Tools Utilized to Combat Cybersecurity WHAT TOOLS DO YOU UTILIZE IN YOUR CYBERSECURITY PROGRAM? VULNERABILITY MANAGEMENT IT RISK MANAGEMENT BUSINESS CONTINUITY MANAGEMENT SECURITY AND INFORMATION EVENT MANGEMENT MULTI-FACTOR AUTHENTICATION THREAT INTELLIGENCE IT GRC 38.2% 51.5% 82.4% 79.4% 79.4% 70.6% 63.2% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Some of the most commonly used tools are for vulnerability management (82.4%), IT risk management (79.4%), business continuity management (79.4%), and security and information event management (70.6%)

45 Standards Adopted for Cybersecurity WHICH STANDARDS HAVE YOU ADOPTED TO MANAGE CYBERSECURITY RISK? NIST CYBERSECURITY FRAMEWORK ISO 27001/27002 COBIT FFIEC CYBERSECURITY ASSESSMENT TOOL SANS CIS CRITICAL SECURITY CONTROLS COSO ISF STANDARD OF GOOD PRACTICE FOR ISO RFC % 2.9% 13.2% 30.9% 27.9% 25.0% 45.6% 45.6% 42.6% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% NIST Cybersecurity Framework and ISO 27001/27002 are the two most widely adopted standards for managing cybersecurity risk

46 Aligning Vendor, Cyber Risks with ERM Programs Top Down Approach Identify which vendors and assets are critical to achieving business objectives Bottom Up Approach Identify risks to systems, assets and data the vendor supports. Identify vendor personnel risks Track KPIs and Vendor KRIs Assess how vendor and cyber risks impact the business objective KPIs Promote Business Value Show how the program improves business performance - Disruption of operations, regulatory risks, social storms, privacy and data protection, FCPA Identify business processes and vendor present risk relationships to IT and enterprise risks Logical integration 46

47 Thank you