Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors

Similar documents
Enterprise resilience and the role of Standards

M&A Cyber Security Due Diligence

Cyber Threat Landscape April 2013

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

CYBER RESILIENCE & INCIDENT RESPONSE

Public vs private cloud for regulated entities

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Cyber Risks in the Boardroom Conference

A new approach to Cyber Security

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

CYBER INSURANCE: MANAGING THE RISK

Big data privacy in Australia

GDPR: An Opportunity to Transform Your Security Operations

Cybersecurity and the Board of Directors

Department of Management Services REQUEST FOR INFORMATION

The value of visibility. Cybersecurity risk management examination

MITIGATE CYBER ATTACK RISK

IBM Security Systems. IBM X-Force 2012 & CISO Survey. Cyber Security Threat Landscape IBM Corporation IBM Corporation

Clarity on Cyber Security. Media conference 29 May 2018

BUSINESS LECTURE TWO. Dr Henry Pearson. Cyber Security and Privacy - Threats and Opportunities.

Moving from Prevention to Detection March 2017

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

The Cyber Savvy CEO Getting to grips with today s growing cyber-threats

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Cyber risk Getting the boardroom focus right

Effective Cyber Incident Response in Insurance Companies

SOC for cybersecurity

Security Awareness Training Courses

Cybersecurity. Securely enabling transformation and change

Security and Privacy Governance Program Guidelines

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Sage Data Security Services Directory

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

BHConsulting. Your trusted cybersecurity partner

Incident Response Services

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Making trust evident Reporting on controls at Service Organizations

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

CYBER SECURITY TAILORED FOR BUSINESS SUCCESS

Rethinking Information Security Risk Management CRM002

IMPROVING NETWORK SECURITY

Cyber Resilience. Think18. Felicity March IBM Corporation

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

CESG:10 Steps to Cyber Security WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

Jeff Wilbur VP Marketing Iconix

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

BHConsulting. Your trusted cybersecurity partner

locuz.com SOC Services

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Angela McKay Director, Government Security Policy and Strategy Microsoft

Canada Life Cyber Security Statement 2018

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Why you should adopt the NIST Cybersecurity Framework

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Awareness and training programs OPTUS MACQUARIE UNIVERSITY CYBER SECURITY HUB

2016 KPMG AS, a Norwegian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG

Securing Your Digital Transformation

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Data Sheet The PCI DSS

ISACA Cincinnati Chapter March Meeting

SOLUTION BRIEF Virtual CISO

SEC Issues Updated Guidance on Cybersecurity Disclosure

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

Symantec Business Continuity Solutions for Operational Risk Management

GDPR: A QUICK OVERVIEW

Cybersecurity Protecting your crown jewels

How to be cyber secure A practical guide for Australia s mid-size business

It s Not If But When: How to Build Your Cyber Incident Response Plan

Cyber Risk Having better conversations on cyber

INTELLIGENCE DRIVEN GRC FOR SECURITY

POSITION DESCRIPTION

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

Cybersecurity in Higher Ed

Cyber Security. Building and assuring defence in depth

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

Building the trust to succeed in digital business

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Cyber Security Strategy

Cybersecurity in Government

Integrated Access Management Solutions. Access Televentures

The University of Queensland

POSITION DESCRIPTION

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

ENISA EU Threat Landscape

Vulnerability Assessments and Penetration Testing

Cyber Security Incident Response Fighting Fire with Fire

Transcription:

www.pwc.co.uk Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors Dr. Richard Horne Cyber Security Partner PwC January 2017

Board governance is often framed in terms of principles. I propose seven concise, but comprehensive, principles for the governance of cyber security to enable boards to step-up their response to cyber security as an existential risk issue; explain their approach to stakeholders, and drive good practice. The Corporate World needs to step up Many boards recognise that cyber security is a risk that requires their specific attention. However, most struggle to define a comprehensive board approach to cyber security that genuinely manages risk rather than implementing standard control frameworks in the hope they are sufficient. As a result, the question remains as to whether their response to cyber security threats is adequate. From my board engagements in all economic sectors, it is apparent that there is a need for a pragmatic, recognised approach to governing cyber security risk that is grounded in practical experience. There are many frameworks for the management of cyber security focusing on the definition and build of security controls. But there is little practical guidance as to what boards should consider in the governance of their organisations with regard to cyber security. All organisations are different and each board needs to set its own direction and tone for cyber security. Given the nature of cyber security, this will impact all aspects of a business including strategy, business development, supply chain, staff and customer experience. In coming years, managing cyber security risk will potentially require radical change to businesses and their operations to make themselves more securable as well as building security controls. For this reason, a rigid standard would not be appropriate for governing cyber security, but a principles-based approach allows each board to establish and review its own direction within a recognised framework. Generic principles have been proposed by others, but a more meaningful, concise and comprehensive set is proposed here. Investors are increasing their attention Investors are becoming increasingly concerned about Cyber Security. In PwC s 2017 Global Investor Survey, over 550 investment professionals gave their views on threats and opportunities facing companies. 73% of respondents identified cyber threats as an area of concern. A landmark case in 2016 underlined how important cyber security is becoming for investors. Security research company MedSec partnered with investment firm Muddy Waters Research LLC to short sell stock in St Jude Medical Inc. They then disclosed what they claimed were security vulnerabilities in medical devices manufactured by St Jude. The claimed vulnerabilities were disputed by St Jude, and legal action was taken. Regardless of the outcome or ethics of the case, it is an illustration of the growing link between cyber security and company value. An extreme example? Perhaps, but many other significant breaches such as that of Yahoo, that came to light in 2016, illustrate the potential damage to reputation and brand that can be caused, and even the possibility for corporate acquisitions to be impacted. Institutional investors are dedicating resource to research and probe cyber security risk management within companies they invest in. However, feedback from investors is that discussions between them and boards on cyber security yield little clarity on a governance approach that extends beyond implementation of technical controls or often-vague discussion of risk appetite. A set of pragmatic principles for the governance of cyber security will provide structure for discussions between boards and investors. They will enable investors to ask more meaningful questions, and obtain greater insight. 2

Seven principles for governance of cyber security risk In order to assist boards and investors, I propose seven principles for boards to adopt for the governance of cyber security. The seven principles are that boards should ensure they, and their organisations: 1. Have a real understanding of exposure; 2. Have appropriate capability and resource dedicated to cyber security; 3. Adopt a holistic framework and approach, including meaningful measurement; 4. Submit to independent review and test; 5. Have sufficient incident preparedness and a track record of identifying, responding to, and learning from, incidents; 6. Have a considered approach to legal and regulatory environments for cyber security, and 7. Make an active community contribution. Appropriate capability and resource Holistic framework and approach Independent review and test Real understanding of exposure Considered approach to legal and regulatory environment Incident preparedness and track record Active community contribution These principles are briefly described below, and examples of factors to be considered for each are listed in the table that follows. Consideration of these principles would enable boards to: Structure their governance of cyber security risk; Debate and make the tough decisions required (both by management and boards) to build an adequate response to cyber security threats; Challenge themselves and their executive management as to whether their response is adequate and evolving sufficiently rapidly as the risk develops; Structure a discussion with investors as to the appropriateness of their management of cyber security risk; Engage with investors to help them compare and contrast differing approaches to the management of cyber security risk, and Facilitate a discussion as to what would be appropriate for companies to report publically with regard to cyber security. 3

1 Real understanding of exposure 4 Independent review and test 2 3 Many organisations fail to understand properly why they might be targeted; what might make them vulnerable, and how a successful attack might impact them. The understanding needs to extend beyond the enterprise. It must reflect relationships that could make them a target and the complexity of digital connections that could cause them to be vulnerable: suppliers, service providers, partners, cloud services, critical data feeds, staff and customers to name a few. It must also reflect what data the organisation manages, why and where. Building this understanding, and ensuring it stays current, is critical to ensuring that the response to the risk is adequate. Appropriate capability and resource Effective cyber security requires capable skilled resource that is empowered and resourced to shape an organisation to be secure. Boards need to be confident in the capability of their security function and its leadership, their ability to drive a broad response to cyber security across the whole enterprise, and rapid access to wider capability when required. Effective executive ownership is critical, with the CEO taking an active role. For boards to be effective in this area, they themselves require sufficient capability to probe, challenge and support management. Board-level time needs to be devoted to drilling into detail, since that is where significant issues can lie. Capable non-executives are required, potentially supported by a board sub-committee with additional expertise. Holistic framework and approach A holistic approach to managing cyber security needs to not just build and operate effective cyber security controls. It must also reduce the complexity of the technology and data estate to which those controls are applied (inside and outside the organisation); address process and cultural/human vulnerabilities that attackers are increasingly targeting, and embed cyber security consideration in all business decision making. Process vulnerabilities are often overlooked, but common targets. Examples include weak registration processes to online services or distributing sensitive data to an inappropriate third party for processing. A simple, but often exploited human vulnerability is poor password management, such as reuse of credentials across applications. Recognised frameworks, such as those published by the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) can help define required cyber security controls, but taking a broader approach is critical. Meaningful measurement is crucial, not just of controls but also extent of exposure. 5 6 7 As with other significant issues, boards require independent validation and testing of their believed cyber security posture. This is achievable through independent expert review of cyber security frameworks and approaches, and even certifications of specific elements. Strength of individual critical controls and systems needs to be tested and techniques such as red team testing by skilled penetration testers can assess effectiveness of overall response to specific likely attack techniques (but only at a point in time). The speed with which issues identified through independent review and test are resolved should be measured. Incident preparedness and track record Cyber security incidents are inevitable. Governance of cyber security risk is important but effective governance when the risk materialises is critical. Ensuring that focussed, practiced plans exist to respond to, and recover from, the most likely scenarios is essential. These need to consider not just technical resolution, but also business management, reputation management and management of legal and regulatory risk. Incidents need to be tracked, accurately reported, and lessons learnt. In addition, organisations need to be able to respond appropriately to the reporting of vulnerabilities that could make products, services or internal processes vulnerable to attack. The approach to incidents and vulnerabilities needs to be considered through suppliers and service providers, and not just within the perimeter of the organisation itself. Exercising response at all levels is crucial, including the executive committee and board. Considered approach to legal and regulatory environment Cyber security cuts across an increasingly complex legal and regulatory environment globally. Industry regulation, data protection regimes, national security legislation, reporting requirements and product liability are a few examples of legal and regulatory environments that need to be understood, and a considered global response developed and maintained. Active community contribution No organisation can protect itself in isolation. Attackers commonly breach one organisation in order to target another, and replicate successful attack techniques rapidly. Thus collaboration is essential: between organisations within industries; through supply chains; between public and private sectors; between companies and law enforcement/intelligence agencies, and even with customers. 4

Examples of factors to be considered for each principle Real understanding of exposure Clear view of data and processes and products if relevant that might be targeted Clear view of data, processes and products that might have disproportionate impact if breached Clear view of geographies that might heighten risk, and approach to segmenting business and technology Broad and deep view of risks introduced through supply chain and approach to managing them (including integrity of data feeds that are relied upon) Understanding of customers that might heighten risk Understanding of how corporate culture might impact cyber security risk Threat Intelligence/situational awareness understanding of who might target the organisation, for what gain and likely attack types Embedding Cyber Security in other risk types, including quantified appetite for risk events caused by cyber breaches where appropriate Approach to wider risk mitigation (e.g. accurate understanding of what cyber breach coverage is provided by insurance policies) Appropriate capability and resource Approach to ensuring appropriate board capability (e.g. expertise of NEDs, skilled board subcommittee, etc.) Sufficient board time devoted to drilling in to cyber security both at main board and subcommittee level Clear executive committee accountability Credentials and experience of the leader responsible for cyber security and their reporting line Size and skill of security team Appropriate use of outsource providers to supplement skills gaps, provide burst capacity (e.g. during incidents) Extent to which the organisation provides industry leadership for cyber security matters Turnover of key roles Approach to setting, reviewing and protecting budget for building and operating cyber security controls Incident preparedness and track record Transparency over incidents and significant vulnerabilities including in supply chain and service providers Approach to ensuring root causes of incidents are understood Speed of remediation of issues identified by incidents and vulnerability reporting Crisis plan ready and exercised, including: detailed playbooks for most likely cyber security incidents; clear decision rights, and communication priorities Process for the reporting, qualification and remediation of potentially high-impact vulnerabilities (in products, services or business processes) Evaluation of near misses technical breaches with minimal impact that could have had significant impact Clear triggers for escalation to executive and non-executive board members Holistic framework and approach Cyber Security consideration embedded in Board and executive committee decision making processes Holistic approach to cyber security embodying people and processes not just technical controls Structured reporting and measurement framework Clear decision framework for reviewing and accepting changes to cyber security through business developments (e.g. new products, geographies, M&A activities, completing integrations, outsourcing, high-risk customers) Recognised framework used for ensuring completeness of security controls (e.g. NIST or ISO27001) Approach to managing proliferation of data Approach to managing risk from supply chain and other external connections Complexity of technology and data estate (both internal and outsourced/cloud) Independent review and test Independent review of security and approach Testing of key controls (not just in IT) Independent red team testing of security effectiveness Strength of internal oversight through three lines of defence Speed of action to remediate issues identified through independent review and test Considered approach to legal and regulatory environment Understanding of complexity of legal and regulatory environment in which organisation operates (e.g. differing national environments for: national security, law enforcement, privacy, reporting, product and service liability) Considered response to the legal and regulatory environments Coordinated reporting to (and influence on) regulators where appropriate Oversight, and accountability for, relationships with law enforcement and intelligence agencies Active community contribution Approach to information sharing and industry protection with others in industry Approach to upskilling supply chain Relationships with national law enforcement and intelligence agencies Support to global and national initiatives Approach to upskilling customer base if relevant 5

About the Author and PwC About the Author Dr Richard Horne is a specialist partner in PwC UK for cyber security, advising boards of global and national organisations on the subject. A recognised authority and press commentator on cyber security, he is also a board advisor to a number of early-stage cyber security companies. Prior to joining PwC, he led cyber security for a global universal bank, and was seconded to the UK government to help shape the national plan for cyber security. Richard can be contacted at richard.horne@pwc.com, and would be delighted to receive comment or suggestions to improve the seven principles. About PwC With offices in 157 countries and more than 223,000 people, PwC is among the leading professional services networks in the world. We help organisations and individuals create the value they re looking for. Our purpose is Building trust in society and solving important problems, and in today s digital world that requires a focus on cyber security. We help clients across society to understand their cyber security risk; build and assure their defences; identify and respond to attacks, and to navigate the complex legal and regulatory environment for cyber security. For more information please visit www.pwc.co.uk/cybersecurity The content of this document remains copyright of PricewaterhouseCoopers LLP, 2017. The seven principles may be quoted or used subject to recognising the author or PwC. This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2017 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. 170110-144818-CU-OS

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback