Cybersecurity and the Board of Directors
Key Findings from BITS/FSR Meetings

OVERVIEW

Board directors are increasingly required to engage in cybersecurity risk management, yet some may need better education and knowledge to effectively oversee the risks. At the same time, the dynamic nature of cyber threats, combined with the proliferation of regulatory frameworks and the lack of well-defined metrics, makes it a challenge for C-suite executives to succinctly contextualize information and demonstrate progress to the Board.

To address this challenge, BITS conducted primary research, including holding two regional meetings in 2016 (February 12 in Atlanta and April 21 in New York City) and an in-person meeting (June 9 in Washington, DC) for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to discuss various approaches to presenting cybersecurity risk information to the board and how best to facilitate an effective dialog. The following provides a summary of key topics that were discussed during these meetings.

KEY THEMES

What are Board Directors Looking For?

During the June 9 Washington, DC meeting, George Anderson, who leads Spencer Stuart's Board Effectiveness practice, discussed trends in corporate governance and noted that board directors with technology expertise are increasingly in demand. For various reasons, however, there has been a period of reduced turnover in the boardroom, and when board positions do open, there is often pent-up demand for other qualifications that may surpass technology expertise. Overall, many boards continue to lack directors with a background in cybersecurity or technology and may rely on the CISO, executive management, or other external advisors to help them understand cyber risks.

Anderson, along with Tucker Bailey from McKinsey and Company and Marc Loewenthal from Promontory Financial Group, shared what they hear most often from board directors when it comes to cyber risk management, including the following: board directors receive too much data with insufficient insight into what the data means for the company; it is difficult to tell where to focus attention; and progress is difficult to measure. What the board wants is a conversation around actual risk as related to risk tolerance. For CISOs and CIOs in financial services firms, the challenge can be translating the board's "moderate" risk tolerance to the operator level and giving the statement meaning. Many meeting participants noted that they use frameworks like the NIST Cybersecurity Framework to demonstrate and help visualize the firm's cyber maturity level. Others noted their board's desire to compare the company's cyber practices to those of their peers.

On the whole, based on this research and related discussion, the primary interests of board directors appear to be:

- The threat landscape and trends in the industry: For example, what does the Swift breach mean for the industry and the firm in particular?
- Response and recovery: Is the company prepared to respond to a breach? How are these response and recovery plans evolving to remain effective? How are they exercised (e.g. comprehensiveness, frequency) to find gaps and make modifications?
- Board responsibilities: Board directors want to ensure they are fulfilling their responsibility to oversee cyber risk management programs, and that the firm has a framework for prioritizing cyber efforts and for effectively planning and executing on key issues.
- Technology tools: Does the company have the technology necessary to protect against threats? If not, what will it take to improve technologies?
- Talent: Does the company have the right people with the right skills to protect against threats?

Communication with the Board

Over the last five years, the board's involvement in cybersecurity has evolved and grown in importance. The combination of high-profile breaches at major companies and increased regulatory requirements has led many financial firms to reorganize board reporting around cyber risk. Some firms have created an enterprise risk committee or a technology committee to oversee cyber risk management. As this has occurred, the reporting relationship between CISOs, CIOs and Chief Risk Officers has also evolved, with CISOs and CIOs, in particular, spending more time interacting with the board. For most firms, CISOs and/or CIOs provide quarterly briefings to the board on cybersecurity, including at least one or two to the full board.

In between meetings, some firms provide a written cyber update, particularly when an incident occurs either within the firm or in the broader industry. At least one firm provides a weekly report that covers events happening globally, their impact on the firm and what the firm is doing to address them. Others provide memos to the board to address or respond to issues at other firms when reported in the media. In these conversations, board directors often focus on issues of recovery and resiliency. This may stem from events in the news such as the widely publicized Target attack, ransomware attacks or the Swift interbank payments system breach. In looking at the event, the board needs to be informed on how vulnerable the company is to that type of attack, including operational, client and reputational risk, and on the preparation to respond and recover should it occur.

Typical contents of a board report include:

- Executive summary (2-3 pages): issues management is currently dealing with, regulatory or legislative activity, information security incidents.
- Outcomes of risk assessments and internal audits: many companies use third parties to assess their cyber programs against frameworks like NIST or the FFIEC Cybersecurity Assessment Tool or, when operating internationally, against similar frameworks such as ISO.
- Internal roadmap: progress against the company's cyber risk management program.
- State of the world: firms are more actively including information for educational purposes, providing an overview of what's happening with fraud, DDoS attacks, destructive malware, etc. and helping boards develop a more comprehensive understanding of the state and nature of cyber risk.

In communicating with the board, many highlighted that using business language rather than tech-speak is important to fostering an effective dialogue. Another common suggestion was to use vignettes or stories to help provide context and to dimensionalize the types of attacks by explaining how they fit in the overall threat landscape and their impact on the industry and other firms. For example, cyber incidents affecting large banks may be a form of retaliation against U.S. sanctions and the indictment of international hackers by the Department of Justice for crimes going back several years. This ability to put events in context and tie them together can facilitate better understanding and awareness among board directors.

Board Education

Many CIOs and CISOs highlighted the importance of providing regular education sessions to board directors on technology and cybersecurity risks. A number of executives reported concerted efforts to educate directors over a number of years and stated that the conversation today with their board has evolved and is now quite robust.

Some of the tools and methods used to help board directors understand cybersecurity threats and the company's risk management procedures include:

- Annual education sessions: Many companies schedule annual education sessions for board directors, separate from regular board meetings. Oftentimes, companies bring in a third-party expert (e.g., a legal firm or network security company) to provide training on board responsibilities or on what happens in the event of a breach.
- Videos: Using a video showing how a hacker attacks the company and how the company responds can build a narrative and provide helpful context for board directors.
- Tour of operations center: Providing a tour of the cyber operations center, during which directors can hear and see how an attack works and how the company responds, can further their understanding. This can allow directors to see how investments in cybersecurity tools are used in day-to-day operations.
- Attend board dinners: Attending board dinners provides an informal opportunity to build relationships and dialogue with directors on cyber risks.
- Informal one-on-one meetings: Private lunch meetings with individual directors provide an opportunity for informal discussion around cyber risks.

Use of Frameworks and Metrics

The number of frameworks and regulatory requirements to assess financial services firms' cybersecurity operations has expanded dramatically in recent years, leading to concern that a disproportionate amount of time and scarce cybersecurity expertise is devoted to regulatory compliance tasks as opposed to identifying and addressing actual risks and operational needs. How best to present the company's performance as measured against varying frameworks has become quite a challenge during board presentations. Many firms have reported organizing board presentations around the NIST framework and are now seeking ways to also incorporate the FFIEC CAT Tool. Larger firms with more complex businesses or global footprints have resourced efforts to create their own set of metrics that blend aspects of multiple sources (e.g. NIST, FFIEC, ISO, internal) to provide the most accurate and complete picture of the company's cybersecurity program.

A common question of board directors is how the company's performance compares to the rest of the industry. To address this question, some CISOs reported using an outside firm to conduct an assessment against the NIST framework or the CAT Tool and then comparing the aggregated or anonymized results against other companies for which that firm had also done work (often across multiple industries). To address the possibility that a third-party assessment firm might skew the results in order to create further business opportunity, one CISO recommended prohibiting that firm from doing any additional business with the company for 18 months.

Challenging Topics to Address

Another discussion point during the cybersecurity board governance meetings was topics that are difficult to address with board directors. For example, the question "Are we secure?" can be challenging because it requires a nuanced response that may seem unsatisfactory. Similarly, measuring and demonstrating progress to the board can be difficult. While a firm may be making progress against its cybersecurity improvement plan, the board needs to understand that there could still be a breach. Additional topics reported as difficult to address with the board include:

- Are we spending enough on cyber? For some companies the more important point is not cyber investment but managing its implementation without disrupting the business. One way to address this is to have an executive committee or steering committee composed of key members of management (CIO, COO, etc.) determine priorities and manage the implementation of investments.
- Providing an accurate assessment of risk due to third-party relationships: The reliance on third parties can make it more difficult to provide a current assessment of company cybersecurity risks due to the inability to have real-time access to vendors' facilities and networks. Strong third-party risk management programs, and programs to ensure company data is going to the right place at the right time and is properly secured, can help address third-party risk concerns and meet oversight requirements for regulated firms.
- The role of the CISO: The complex role of the CISO (the need to balance multiple priorities quickly during an event, determine when to engage law enforcement, and decide what to tell customers and when) may not be well understood by some directors and may contribute to questions that are difficult to answer or that elicit an unsatisfactory response. Engaging board directors through education sessions, the use of videos or operations center tours could provide a better understanding of the CISO and cyber risk management programs.

Next Steps

BITS plans to host a meeting for board directors to discuss many of these same issues in early 2017. The board-level meeting will focus on helping directors deepen their understanding of cyber risk management practices within the industry and engage in a dialogue with peers to share experiences. The meeting will incorporate the feedback we have received from CISOs and CIOs and our research with advisory and consulting partners. In addition, we will hold another meeting for CISOs and CIOs in the spring or summer of 2017. That meeting will focus on industry trends in cybersecurity board governance and provide a forum for sharing experiences and best practices.

If you have any questions or would like additional information on the BITS cybersecurity board governance program, please contact Heather Hogsett, Vice President of Technology & Risk Strategy, at Heather.Hogsett@fsroundtable.org or (202) 589-1930, or Chris Feeney, President of BITS, at Chris.Feeney@fsroundtable.org or (202) 589-2437.