Cybersecurity and the Board of Directors


An essential responsibility in financial services

A DELTA RISK WHITE PAPER
APRIL 2016

© 2016 Delta Risk

Cybersecurity should be on the agenda in every boardroom. A spate of high-profile, high-impact cyber breaches at several of the largest financial institutions in the United States has brought attention to a point that cybersecurity professionals have long taken as an article of faith: boards of directors need to take an active role in the management of cyber risk. Yet several factors tend to prevent effective engagement with cybersecurity risk at the board level. These factors define the challenge that banks and other financial institutions can no longer ignore:

- In financial services, leaders rarely have an independent understanding of cybersecurity. Board members do not have to be cyber experts, but they do need an understanding of the issues at the leadership level. The newness of the cybersecurity field, its still-arcane nature, and the complexity of the issues it presents make cyber expertise unusual among those likely to serve as financial services board members.

- Cybersecurity risks do not fit well in financial services risk management frameworks and approaches. Different from other types of risk, particularly in how it is measured and managed, cybersecurity risk is often the red-headed stepchild of the risk management world. Integrating cyber risk is a problem at both the theoretical and practical levels, and it presents a particular challenge in financial services, where risk management is so central to operations.

- Cybersecurity is frequently seen as a technology problem for the IT department to solve. Although there is a strong technology component to cybersecurity, the management of cyber risk is much larger. For banks, as information organizations, information security intersects with every part of the business. It has policy, legal, compliance, human resources, customer relationship management, public relations, and many other components, to say nothing of its potential to directly affect the brand and the bottom line.

- There is a communications gap between business leaders and cybersecurity practitioners. While business leadership is frequently not well-versed in cybersecurity, security professionals often do not have sufficient understanding of the priorities and decision models of the organization's business leaders, and they typically do not speak the language of business leaders. This communications gap works against the effective management of cybersecurity.

Four Focus Areas

Although the proper degree of board involvement in cyber issues depends on many factors, there are four key areas that boards should focus on:

- Ensuring that board members themselves receive cybersecurity training that is appropriate to their level and role.
- Incorporating cybersecurity into the organization's Statement of Risk Appetite.
- Driving the implementation of a cyber risk management program that integrates with the institution's broader enterprise management of all risks, such as financial risk (e.g., market, liquidity, credit), compliance risk, and other operational risks (e.g., fraud, litigation, reporting, safety, physical security).
- Fostering a cybersecurity culture throughout the institution.

Board-appropriate Training

As with other risks, the management of cybersecurity risk is best driven from the top. To effectively manage cybersecurity, board members must have a leadership-level understanding of the cyber landscape, at least as it directly affects their business and their industry. This leadership-level understanding allows the gut-feel faculty of senior business leaders to come into play: to sense risk and to identify the questions needed to challenge management.

What sort of training would give board members the understanding they uniquely need? Key topics for board members to be conversant with include the interplay of compliance with security, the evolving legal and regulatory landscape, the management of cyber risks, cyber incident response, and the big picture of cybersecurity at the policy and political levels (both domestically and internationally). A seminar format is often best because it fosters dialog, although other approaches may be applicable in individual cases.

Statement of Risk Appetite

The Statement of Risk Appetite, defined and required for banks by the Basel II accords, has been widely adopted throughout the financial services sector. The Statement is a key channel for the board to communicate the organization's risk boundaries and the rationale behind them. Despite the broad embrace of the Statement of Risk Appetite, these statements are typically silent on cyber risks. This is a missed opportunity. Articulating the organization's stance on cybersecurity risks in a formal statement at the board level is a key step in making the management of cyber risks integral to an organization's operations. A formal statement can also provide the context for ongoing dialog with senior management. Crafting the language of the cyber portion of the Statement is a tricky but healthy undertaking because the process focuses the board on crystallizing the topics that matter most. A cyber-inclusive Statement of Risk Appetite should be concise yet specific, and should:

- Articulate the business value of information. The Statement should broadly identify the information that is most valuable to the organization based on business considerations; legal and compliance requirements; the financial impact of denial, disclosure, loss, or other exploitation of that information; and other factors.

- Establish priorities on protecting information and information resources. A corollary to identifying the information with the most business value is clarifying expectations on how this data is to be protected. Broad statements can be applied here, such as "This category of information shall be protected with the most stringent security controls and the highest degree of operational oversight." The Statement of Risk Appetite can also be used to establish specific risk-oriented requirements that are tied directly to business strategy. For example, up-time requirements for consumer online banking (e.g., "Online banking is available to our customers 99.9 percent of the time throughout the year.") or other business services may be appropriate. This statement of priorities would ride above policies that the organization may (and should) establish for the classification and categorization of information within the enterprise.

- Set performance expectations for cybersecurity. Another consideration, depending on the structure of the Statement, is to use it as a mechanism for the board to clearly communicate its core expectations for the performance of the organization's senior executives on matters of cybersecurity. For example, the Statement might state that management is "expected to develop and implement a comprehensive organization-wide cybersecurity risk management program that systematically addresses cyber risks from policy through operations within the Risk Appetite Framework¹ [or other broad risk management framework, depending on the organization]." Establishing such expectations is foundational to the board's oversight role with respect to the cybersecurity program and the management of cyber risks.

- Communicate expectations about cyber metrics. The board should also foster the establishment and reporting of metrics to measure cybersecurity. Cybersecurity-specific key performance indicators (KPIs) and key risk indicators (KRIs) can give the board a fact-based sense of its cyber risk posture and inform its decision-making process.

By including cyber in the Statement of Risk Appetite, the board sends a clear message that cyber risks are on the same footing as other operational risk exposures.

¹ The multi-national Financial Stability Board defines Risk Appetite Framework as: "The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the financial institution, as well as to the institution's reputation vis-à-vis policyholders, depositors, investors and customers. The RAF aligns with the institution's strategy." (FSB, Principles for an Effective Risk Appetite Framework, November 18, 2013)

Integrate Cyber Risk Management

As an operational risk (risks that arise from failed internal processes, people, or systems, or from external events), cybersecurity has much in common with the other types of risk in this category, such as physical security, fraud, and safety. The board should expect the organization's executive leadership to integrate cybersecurity risk management with other operational risks, as well as with the other financial services domains that present risk, such as credit, market, and liquidity. The value of this type of integration is easy to see but difficult to realize due to many factors, including the fact that cyber risks are difficult to measure. Although financial institutions are at the forefront of risk data aggregation, it remains a challenge. Two keys to integrating cyber risk with the other risk domains are:

- Developing cyber-related metrics that can be included in the risk aggregation data model. Looking forward, the ability to automate the collection of these metrics will be increasingly important.

- Incorporating cybersecurity into scenario-driven stress testing and other self-assessments, which, due to regulatory mandates and other influences, are increasingly becoming part of risk management frameworks.

Together, these factors can provide a basis for quantifying the business impact of cyber risks. Sources of the cybersecurity risk message include the following four categories of information:

- Top risk exposures and how they relate to the Statement of Risk Appetite (possibly in graphical, quantitative, or dashboard formats).
- Potential future exposures (probably in narrative form) based on strategic threat intelligence analysis.
- Key Risk Indicators (KRIs): metrics that provide an early warning of increasing risk exposures. Well-designed KRIs are leading indicators of risk. Predictive threat intelligence analysis is the most likely source of KRIs. They could also be derived from analysis of other risks that may intersect with cybersecurity. For example, the cybersecurity risk posture of outsourcing providers, other partner companies and vendors, and acquisition targets can present future risks as these entities get connected to the enterprise network.
- Risk Management Key Performance Indicators (KPIs). KPIs are usually lagging indicators of whatever process they measure. The KPI idea can be applied to cybersecurity risk management by developing cyber-related status metrics that are appropriate at the board level. See the inset box.

Example Cyber Risk and Performance Indicators

Lagging (KPIs):
- Status of security controls
- Current policy deviations (e.g., ports and protocols, access controls, devices, passwords, etc.)
- Vulnerability scanning results
- Risk assessment results
- Root Cause Analysis results
- Project schedule variances
- Disaster Recovery test results
- Malware event rate
- Mean-Time-to-Discovery of malicious attacks
- Indicators of compromise

Leading (KRIs):
- New classes of threats
- Data on current attacks on vendors, trading partners, and other industry players
- Analysis of state-sponsored hacker capabilities
- Evidence of ongoing surveillance of the enterprise network
- Analysis of social network data associated with known hackers or hacker personas
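The two keys to integration described above (cyber metrics that fit a risk aggregation data model, and automated collection of them) can be made concrete with a small script that computes three of the lagging KPIs from the inset box and compares each against a limit taken from the cyber portion of a Statement of Risk Appetite. This is an added example and is not code from the white paper or from Delta Risk. The incident records and the online-banking outage window are constructed sample data; the 99.9 percent availability figure is the example given in the text, while the 48-hour Mean-Time-to-Discovery and five-events-per-month limits are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    kind: str              # e.g. "malware", "phishing"
    started: datetime      # when the malicious activity began (established by forensics)
    discovered: datetime   # when the institution detected it


# Constructed sample incident records for March 2016 (illustrative, not real data).
INCIDENTS = [
    Incident("malware",  datetime(2016, 3, 1, 9, 0),  datetime(2016, 3, 1, 21, 0)),
    Incident("malware",  datetime(2016, 3, 4, 14, 0), datetime(2016, 3, 6, 14, 0)),
    Incident("phishing", datetime(2016, 3, 10, 8, 0), datetime(2016, 3, 10, 8, 30)),
    Incident("malware",  datetime(2016, 3, 20, 0, 0), datetime(2016, 3, 23, 12, 0)),
]

# Constructed online-banking outage window(s) as (start, end) pairs.
OUTAGES = [(datetime(2016, 3, 5, 2, 0), datetime(2016, 3, 5, 2, 45))]

# Reporting period: calendar month of March 2016.
PERIOD = (datetime(2016, 3, 1), datetime(2016, 4, 1))

# Hypothetical cyber portion of a Statement of Risk Appetite, expressed as
# (limit, comparison). The 99.9 percent availability figure is the example
# from the text; the other two limits are assumed values for illustration.
RISK_APPETITE = {
    "online_banking_availability_pct": (99.9, "min"),  # must stay at or above
    "mean_time_to_discovery_hours":    (48.0, "max"),  # must stay at or below
    "malware_events_per_month":        (5,    "max"),  # must stay at or below
}


def mean_time_to_discovery_hours(incidents):
    """Average gap, in hours, between start of malicious activity and its detection."""
    if not incidents:
        return 0.0
    return mean((i.discovered - i.started).total_seconds() / 3600 for i in incidents)


def malware_event_count(incidents, year, month):
    """Number of malware incidents discovered in the given calendar month."""
    return sum(1 for i in incidents
               if i.kind == "malware"
               and i.discovered.year == year and i.discovered.month == month)


def availability_pct(outages, period_start, period_end):
    """Percentage of the period during which the service was up (outages clipped to the period)."""
    total = (period_end - period_start).total_seconds()
    down = 0.0
    for start, end in outages:
        overlap = (min(end, period_end) - max(start, period_start)).total_seconds()
        down += max(0.0, overlap)
    return 100.0 * (1.0 - down / total)


def board_report(incidents, outages, period_start, period_end):
    """Measure each KPI and flag whether it sits within the stated risk appetite."""
    measured = {
        "online_banking_availability_pct": availability_pct(outages, period_start, period_end),
        "mean_time_to_discovery_hours": mean_time_to_discovery_hours(incidents),
        "malware_events_per_month": malware_event_count(
            incidents, period_start.year, period_start.month),
    }
    report = {}
    for name, value in measured.items():
        limit, mode = RISK_APPETITE[name]
        within = value >= limit if mode == "min" else value <= limit
        report[name] = {"value": round(value, 3), "limit": limit, "within_appetite": within}
    return report


def march_2016_report():
    """Board report over the constructed sample data for the March 2016 period."""
    return board_report(INCIDENTS, OUTAGES, *PERIOD)


if __name__ == "__main__":
    for name, row in march_2016_report().items():
        flag = "OK " if row["within_appetite"] else "OUT"
        print(f"{flag} {name}: {row['value']} (limit {row['limit']})")
```

On the sample data the 45-minute outage alone pushes monthly availability to about 99.899 percent, just under the 99.9 percent appetite, so that line is flagged while the discovery-time and malware-rate KPIs stay within their limits. The point for a risk data model is that each metric carries its own limit and direction of comparison, so the same record layout can be aggregated alongside non-cyber operational risk metrics.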

Cybersecurity risk also needs to be communicated horizontally across business units and functions, as well as within the information security domain itself. This enables the process links that matter, because true integration demands that risk information be embedded into the workflow that drives the operation.

Foster a Culture of Cybersecurity

A culture of cybersecurity advances a risk management mindset throughout the organization, from front office to back office, and across all functional areas (such as human resources and marketing). However, a board cannot simply create a culture from scratch. It takes time. A culture is comprised of many parts that need to be nurtured, including the authentic viewpoints, values, behaviors, and legacy of the people in the organization.

What does a culture of cybersecurity look like? It calls for cybersecurity awareness and attention that turns into a daily routine:

- Everyone working in the organization (employees, consultants, contract workers, third-party vendors) should be aware that cybersecurity presents risks, and they should also know how to behave and respond when practicing cybersecurity.
- All employees (including the executives) should have a high sensitivity to phishing and other social engineering methods, because the unwitting can quite easily become an inside agent for a serious threat actor.
- Similarly, all employees should be aware of the security risks associated with their private online activities, such as indiscreet use of social media, use of public clouds for proprietary information, and mixing company data with private data on mobile devices. Most organizations address these concerns in security policies and acceptable use policies, and enforcement is essential.
- Cybersecurity should be a priority in all parts of the business, for all of the organization's people, and in all its processes.
- Third parties that work for the organization or provide products and services should be required to agree to conform to organizational security-related and privacy-related policies and procedures.
- All leaders, including (and especially) those whose primary roles are not in cybersecurity, should visibly take ownership of cybersecurity. Paying attention to cybersecurity in the daily workflow should be a front-of-mind issue for everyone in the organization, including the leaders.

There is clearly great business value in having a strong cybersecurity culture, one in which cybersecurity is taught, practiced, and enters into decision-making. The board can foster this culture by keeping the cybersecurity issue visible and instilling the active involvement of senior executives to drive cybersecurity as a priority.

Conclusion

Cybersecurity is of critical importance to all financial services institutions. Despite highly visible cybersecurity incidents, inadequate attention to cybersecurity is often taken for granted until an incident takes place. Four key activities should be priorities for boards of directors:

- Investing in cybersecurity training specifically for board members.
- Incorporating cybersecurity into the Statement of Risk Appetite.
- Integrating cybersecurity with enterprise risk management.
- Establishing a culture of cybersecurity throughout the organization.

Delta Risk Can Help

If your organization is challenged with establishing a board-level approach to cybersecurity, Delta Risk may be able to help. With our independent and objective focus on cyber strategy, policy, and operations, we can help you think through the ideas presented in this viewpoint as they apply to your organization, understand and prioritize your cybersecurity challenges, and devise and implement tailored approaches to address them.

About Delta Risk

Delta Risk LLC is a global provider of strategic advice, cybersecurity, and risk management services to commercial and government clients. We believe that an organization's approach to cybersecurity should be planned, managed, and executed within a tailored and organization-specific program. We help guide organizations to succeed in today's cyber environment by building on the people, processes, and technology they already have.

http://www.delta-risk.net/
info@delta-risk.net

106 S. St. Mary's Street, Suite 601, San Antonio, TX 78205, (210) 293-0707
4600 N. Fairfax Dr., Suite 906, Arlington, VA 22203, (571) 483-0504