Cyber Risks: Best Practices for Board of Directors
By Andrew Royce, March 26, 2015
Global business risks continue to rapidly evolve, in large part due to the cyber risks that are exponentially accelerated by our appetite for new technologies and big data.
According to Dave DeWalt, CEO of FireEye, a leader in cyber security, “…97% of all companies are getting breached or have been breached.”  FBI Director, James Comey, told 60 Minutes, "There are two kinds of big companies in the United States…those who've been hacked by the Chinese, and those who don't know they've been hacked by the Chinese." JP Morgan Chase spends in excess of $250M every year on network security, which includes hiring “military-grade cyberwarriers” from NSA headquarters. Despite this, they neglected to install a simple security fix on one remote server in a vast network that led to a data breach of over 83 million of its account holders. 2014 included other big name breaches, prompting many board members across the country to fill their reading tablets with Enterprise Risk Management and Cyber Security literature. Here we have compiled a brief summary of best practices to consider when incorporating cyber risk oversight into your organization’s enterprise risk management program.
Step 1: Gain a Holistic Understanding of Firm Risk
Discuss and prioritize the top risks that threaten the organization. NC State Poole College of Management and Proviti Risk & Business Consulting recently conducted a study of the top business risks for 2015 . One of their findings concluded that directors and senior management are not always in agreement on the top risks that threaten the organization, or they prioritize the risks differently. The board and senior managers must first align risk priorities. Senior management cannot and will not be effective if board priorities and expectations are skewed from their own. Further, because employees can play an important role in risk mitigation, it becomes important for the board and senior management to be in agreement so that a unified tone can be set from the top.
Once established, senior management - under the board’s oversight - must seek and reinforce the “everyone is responsible” mantra, meaning that those responsible for each operating unit establish proper communication and reporting channels back to senior management. A fundamental tenant of Enterprise Risk Management is to establish a culture where the unit managers and supporting staff communicate risks up to executive management.
Step 2: Understand the Financial, Reputational, and Brand Impact
First, establish the immediate financial impact of a breach. Costs following an impact can include:
- Notification expenses
- Legal defense and counsel
- Public relations
- Crisis services
- PCI fines and penalties
- Regulatory defense
- Regulatory fines
- Insurance Costs
In 2014, the average cost for Legal Defense was $698,797 and the average cost for Crisis Services was an additional $366,3834 . Fines and Penalties can be as much as $1,000 per breached account and regulators may adjust the fines to be reflective of the corporation’s risk management efforts. Analyzing the above costs for your own firm will help to gain an understanding of the financial impact to the organization.
Will the organization also suffer reputational damage following a breach? Last year, Target suffered over 13% loss in their stock price when it tumbled from $63.55 to $55.12 per share in the 60 days following the data breach. It took 14 months for Target to fully recover, when it finally closed above $82 per share in March 2015. Understand the immediate financial impact and longer-term reputational costs to adequately assess the risk.
Step 3: Put the Right Resources in Place
Senior management should identify a cyber security and breach response team, inclusive of outside counsel, forensic and investigative consultants, insurance brokers, and public relations. Does your company have a cyber security team on retainer and a disaster recovery plan in place? When it comes to forensic consultants, it is a good idea to negotiate a retainer so that the response team will gain a working knowledge of your organization. In addition, a retainer can provide response time guarantees for your organization, which can be important if resources are limited at the time of a breach.
Once on retainer, most forensic teams have the ability to conduct onsite pre-loss mitigation education, webinars, and training to the unit managers and staff. In 2014, 24% of all data breaches arose from staff mistakes and rogue employees. Pre-loss mitigation training and education can work to reduce the threat of cyber breaches originating from internal mistakes. To help prevent a rogue employee from leaking data or stealing valuable corporate property, predictive behavior software can be implemented to provide warning signals to senior management about disgruntled employees. There are additional resources to consider for assistance in preventing a breach and mitigating the damage - if and when it does occur.
Step 4: Continuous Risk Evaluation
Establish a formal risk oversight committee to give the board and senior management an outlet for dialogue about current and emerging risks affecting the organization. Work to establish a sustainable risk process to address the next big risk before it becomes media worthy. Discuss and prioritize risks and external threats that could endanger earnings, reputation and the brand. An organization’s risk profile and appetite for taking on risk can evolve over time. Be certain to correlate the risks with the organization’s ability to address them.
For some boards, Risk Management has other competing priorities on the agenda – below is a short list of questions to assist board members to discuss preparedness, evaluate risks and engage in a dialogue:
- Are board members cognizant of management risk concerns?
- Does the board agree with why these risks are significant?
- Do directors understand the organization’s responses to these risks?
- Is there a periodic review of the organization’s risk profile?
- Does management appraise the board in a timely manner of changes in the organization’s risk profile?
- Is there a process in place for identifying emerging risks?
- Is there a board dialogue regarding management’s appetite for risk?
- Does the organization’s culture facilitate an open dialogue on identifying and evaluating opportunities for risks, including the education of significant risk issues warranting the attention by executive management and the board?
The board that commits to addressing risk sets a tone that can filter down through the entire organization. This is a critical first step in a coordinated effort towards enterprise risk management. While a breach seems inevitable for most companies today, the costs of a breach can be mitigated by an organization’s cohesive preparedness for the breach event.
 ExecutiveBiz. (12/1/2014). FireEye Study on Attach Data Reveals Vulnerability in 97% of Cases Underground. Fromhttp://blog.executivebiz.com/2014/05/david-dewalt-fireeye-study-on-attack-data-reveals-vulnerabilities-in-97-of-cases/
 Matt Lichfuss. (5/22/2014). 60 Minutes, the “97 Percent”, and the Criminal Underground. Hacksurfer. From http://www.hacksurfer.com/posts/60-minutes-the-97-percent-and-the-criminal-underground
 NC State Poole College of Management & Proviti Risk & Business Consulting. (2015). Executive Perspectives on Top Risks for 2015” Fromhttp://erm.ncsu.edu/library/article/research-report-on-executive-perspectives-of-top-risks-for-2015
 NetDiligence. (2014). Cyber Claims Study” Fromhttp://www.netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf