Cyber Security and the Board of Directors

Transcription

1 Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Cyber Security and the Board of Directors An essential responsibility in financial services

2 About Delta Risk is a global provider of strategic advice, cyber security, and risk management services to commercial and government clients. We believe that an organization s approach to cyber security should be planned, managed, and executed within a tailored and organization-specific program. We help guide organizations to succeed in today s cyber environment by building on the people, processes, and technology they already have All rights reserved.

3 Cyber security belongs as an agenda item in every boardroom. A spate of high profile, high impact cyber breaches at some of the largest financial institutions in the United States has focused attention on something that cyber security professionals have long taken as an article of faith: that boards of directors need to take an active role in the management of cyber risk. Yet there are several factors that tend to prevent effective engagement in cyber security risk at the board level. These factors define the challenge that banks and other financial institutions can no longer ignore: Financial services leaders rarely have an independent understanding of cyber security. Board members do not have to be cyber experts, but they do need an understanding of the issues at the leadership level. The newness of the field, its still-arcane nature, and the complexity of the issues it presents make cyber expertise unusual among those likely to serve as financial services board members. Cyber security risks do not fit well in financial services risk management frameworks and approaches. Different from other types of risk, particularly in its dynamism, its potential impact, and how it is managed, cyber security risk is often the red-headed stepchild of the risk management world. Integrating cyber risk is a problem at both the theoretical and practical levels, and it presents a challenge in financial services where risk management is so central to operations. Cyber security is frequently seen as a technology problem for the IT department to solve. Although there is a strong technology component to cyber security, the management of cyber risks is much larger. For banks, as information organizations, information security intersects with every part of the business. It has policy, legal, compliance, human resources, customer relationship management, public relations, and many other components, to say nothing of its potential to directly affect the brand and the bottom line. There is a communications gap between business leaders and cyber security practitioners. While the business leadership is frequently not well versed in cyber security, cyber security professionals often do not have a sufficient understanding of the priorities and decision models of the organization s business leaders. And they generally do not speak the language of business leaders. This communications gap works against the effective management of cyber security. Page 1

4 What To Do Although the proper degree of board involvement in cyber issues depends on many factors, there are four key areas that boards should focus on: Ensuring that board members themselves receive cyber security training that is appropriate to their level and role. Incorporating cyber security into the organization s Statement of Risk Appetite. Driving the implementation of a cyber risk management program that integrates with the institution s broader enterprise management of all risks, such as financial risk (e.g., market, liquidity, credit), compliance risk, and other operational risks (e.g., fraud, litigation, reporting, safety, physical security). Fostering a cyber security culture throughout the institution. Well known to boards of directors in financial services is the fact that regulatory requirements are increasingly putting cyber security and privacy from governance through operations on the board agenda. 1 Beyond regulatory compliance, however, cyber security and privacy are business needs in their own right and demand attention. Board-appropriate Training As with other risks, the management of cyber security risk is best driven from the top. To do this effectively board members must have a leadership-level understanding of the cyber landscape, at least as it directly affects their business and their industry. This leadership-level understanding will allow the gut feel faculty of senior business leaders to come into play to sense risk and to know the questions with which to challenge management. What sort of training would give board members the understanding they uniquely need? Key topics for board members to be conversant with include: the interplay of compliance with security; the relationship between cyber security and privacy; the evolving legal and regulatory landscape; the management of cyber risks; cyber incident response; and the big picture of cyber security at the policy and political levels both domestically and internationally. A seminar format that explores these topics is often best because it fosters dialog, though other approaches may be more fitting in individual cases. Statement of Risk Appetite The Statement of Risk Appetite, defined and required for banks by the Basel II accords, has been widely adopted throughout the financial services sector. The Statement is a key channel for the board of directors to communicate the organization s risk boundaries and the rationale behind them. Despite the broad embrace of the Statement of Risk Appetite, these statements typically are silent on cyber risks. This is a missed opportunity. Articulating the organization's stance on cyber security risks in a formal statement at the board level is a key step in making the management of cyber risks integral to the 1 The Gramm-Leach-Bliley Act, for example, requires the protection of customer financial data, and these requirements are further specified in implementing regulations. Other regulations in the financial sector seek to address system testing requirements, business continuity and recovery planning, and the cyber risks that have potential systemic impact. Overall, cyber security as an operational risk has become a specific focus of the financial oversight agencies. Page 2

5 organization s operations, and it can also provide the context for ongoing dialog with senior management. Crafting the language of the cyber portion of the Statement is a tricky but healthy undertaking because it focuses the board on crystallizing the topics that matter most. A cyber-inclusive Statement of Risk Appetite should be concise yet specific and should: Articulate the business value of information. The Statement should broadly identify the information that is most valuable to the organization based on business considerations, legal and compliance requirements, the financial impact of denial, disclosure, loss, or other exploitation of that information, and other factors. Establish priorities on protecting information and information resources. Corollary to identifying the information with the most business value is clarifying expectations on how it is to be protected. Broad statements can be applied here, such as This category of information shall be protected with the most stringent security controls and the highest degree of operational oversight. The Statement of Risk Appetite can also be used to establish specific risk-oriented requirements that are tied directly to business strategy. For example, up-time requirements for consumer online banking (e.g., on-line banking is available to our customers 99.9% of time throughout the year. ) or other business services may be appropriate. This statement of priorities would ride above policies that the organization may (and should) establish for the classification and categorization of information within the enterprise. Set performance expectations for cyber security. Another consideration, depending on the structure of the Statement, is to use it as a mechanism for the board to clearly communicate its core expectations for the performance of the organization s senior executives on matters of cyber security and privacy. For example, it might state that management is expected to develop and implement a comprehensive organization-wide cyber security risk management program that systematically addresses cyber risks from policy through operations within the Risk Appetite Framework 2 [or other broad risk management framework depending on the organization]. Establishing such expectations is foundational to the board s oversight role with respect to the cyber security program and the management of cyber risks. Communicate expectations about cyber metrics. The board should also direct the establishment and reporting of metrics. Cyber security-specific key performance indicators (KPIs) and key risk indicators (KRIs) can give the board a fact-based sense of the cyber risk posture and inform its decision-making process. By including cyber in the Statement of Risk Appetite, the board sends a clear message that cyber security and privacy risks are on the same footing as other operational risk exposures. 2 The multi-national Financial Stability Board defines Risk Appetite Framework as: The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the financial institution, as well as to the institution s reputation vis-à-vis policyholders, depositors, investors and customers. The RAF aligns with the institution s strategy. (FSB, Principles for an Effective Risk Appetite Framework, November 2013). Page 3

6 Integrate Cyber Risk Management As an operational risk (which are those risks arising from failed internal processes, people, or systems, or from external events) cyber security has much in common with the other types of risk in this category such as physical security, fraud, and safety. The board should expect the organization s executive leadership to integrate cyber security risk management with other operational risks as well as with the other risk domains important to financial services such as credit, market, and liquidity. The value of such integration is easy to see though difficult to realize due to many factors including the fact that cyber risks are difficult to measure. And though financial institutions are at the forefront of risk data aggregation, it still remains a challenge. Two keys to integrating cyber risk with the other risk domains are: Example Cyber Risk and Performance Indicators Lagging (KPIs) Status of security controls Current policy deviations (e.g., ports and protocols, access controls, devices, passwords, etc) Vulnerability scanning results Risk assessment results Root Cause Analysis results Project schedule variances Disaster Recovery test results Malware event rate Mean-Time-to-Discovery of malicious attacks Indicators of compromise Leading (KRIs) New classes of threats Data on current attacks on vendors, trading partners, and other industry players Analysis of statesponsored hacker capabilities Evidence of ongoing surveillance of the enterprise network Analysis of social network data associated with known hackers or hacker personas. Developing cyber-related metrics that can be included in the risk aggregation data model. Looking forward, the ability to automate the collection of these metrics will be increasingly important. Incorporating cyber security into scenario-driven stress testing and other self-assessments, which due to regulatory mandates and other influences are increasingly becoming part of risk management frameworks. Together these factors can provide a basis for quantifying the business impact of cyber risks. Sources of the cyber security risk message include the following four categories of information: Top risk exposures and how they relate to the Statement of Risk Appetite (possibly in graphical, quantitative, or dashboard formats). Potential future exposures (probably in narrative form) based on strategic threat intelligence analysis. Key Risk Indicators (KRIs) metrics that provide an early warning of increasing risk exposures. Well designed KRIs are leading indicators of risk. Predictive threat intelligence analysis is the most likely source of KRIs. They could also be derived from analysis of other risks that may intersect with cyber security and privacy. For example, the cyber security risk posture of outsourcing providers, other partner companies and vendors, and acquisition targets can present future risks as these entities get connected to the enterprise network. Risk Management Key Performance Indicators (KPIs). KPIs are usually lagging indicators of whatever process they measure. The KPI idea can be applied to cyber security risk management by developing cyber-related status metrics that are appropriate at the board level. See inset box. Page 4

7 Cyber security risk also needs to be communicated horizontally across business units and functions, as well as within the cyber security domain itself. This will enable process links that are important because true integration demands that risk information be embedded into the workflow that drives the operation. Foster a Culture of Cyber Security A culture of cyber security advances a risk management mindset throughout the organization, from front office to back office, and across the business units and all functional areas from human resources to marketing. However, a board cannot normally create a culture, at least not quickly. Comprised as it is of the authentic viewpoints, values, behaviors, and legacy of the people in the organization, culture has to be nurtured. What does a culture of cyber security look like? Observables include the degree of awareness and attention paid to cyber security in the day-to-day work routine: Everyone working in the organization (employees, consultants, contract workers, third-party vendors) should be aware that cyber security presents risks and should also know what specific behaviors are called for. All employees (including the executives) should have a high sensitivity to phishing and other social engineering methods because the unwitting can quite easily become an inside agent for a serious threat actor. Similarly, all employees should be aware of the security risks associated with their private online activities, such as indiscreet use of social media, use of public clouds for proprietary information, and mixing company data with private data on mobile devices. Most organizations address these concerns in security policies and acceptable use policies, and enforce them through technical and management controls, but the vigilance of users is fundamental. Cyber security and privacy should be priorities in all parts of the business, for all of the organization s people, and in all its processes. Regular cyber threat and risk awareness training should be delivered to all employees, and management should ensure that it the training is effective through spot-check inspections. Incident response procedures should be exercised regularly and employees should know what to report and how to report it. Third parties working for the organization or providing products and services should be required to agree to conform to the organization s security- and privacy-related policies and procedures. All leaders, including (and especially) those whose primary roles are not in cyber security should visibly take ownership of cyber security. Paying attention to cyber security in the daily workflow should be a "front of mind" issue for everyone in the organization, including the leaders. There is clearly great business value in having a strong cyber security culture, one in which cyber security is taught and practiced and enters into decision-making. The board can foster this culture by keeping the issue visible and expecting the active involvement of senior executives to drive cyber security as a priority. Key Take-Aways Cyber security and privacy are of critical importance to all financial services institutions. Despite highly visible cyber security incidents, such as widespread denial of service attacks and data breaches affecting nonpublic personal information, the potential outcome of inadequate attention to cyber security is often not truly appreciated until it is experienced. Four key activities should be priorities for boards of directors: Page 5

8 Providing for cyber security training specifically for board members Incorporating cyber security into the Statement of Risk Appetite Integrating cyber security with enterprise risk management Establishing a culture of cyber security throughout the organization. Delta Risk can help If your organization is challenged with establishing a board-level approach to cyber security, Delta Risk may be able to help. With our independent and objective focus on cyber strategy, policy, and operations, we can help you think through the ideas presented in this Viewpoint as they apply to your organization, understand and prioritize your cyber security challenges, and devise and implement tailored approaches to address them. Page 6

9 Contact Information To discuss these ideas please contact us at Delta Risk offices: San Antonio, Texas 106 St. Mary's Street, Suite 428 San Antonio, TX Washington, DC 4600 N Fairfax Dr., Suite 906 Arlington, VA