THE DIGITAL AGE
THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS NAVIGATING THE DIGITAL AGE: The Defi nitive Cybersecurity Guide for Directors and Offi cers
Published by
Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers
Publisher: Tim Dempsey
Editor: Matt Rosenquist
Design and Composition: Graphic World, Inc.
Printing and Binding: Transcontinental Printing
Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers is published by: Caxton Business & Legal, Inc. 27 North Wacker Drive, Suite 601 Chicago, IL 60606 Phone: +1 312 361 0821 Email: [email protected]
First published: 2015 ISBN: 978-0-9964982-0-3
Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers © October 2015
Cover illustration by Tim Heraldo
Copyright in individual chapters rests with the authors. No photocopying: copyright licenses do not apply.
DISCLAIMER
Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers (the Guide) contains summary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial publication (October 2015). Although the Guide may be revised and updated at some time in the future, the publishers and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to update such information. The publishers and authors make no representation as to the completeness or accuracy of any information contained in the Guide.
This guide is written as a general guide only. It should not be relied upon as a substitute for specifi c professional advice. Professional advice should always be sought before taking any action based on the information provided. Every effort has been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility to verify any information contained in the Guide before relying upon it.
SecurityRoundtable.org Introduction New York Stock Exchange – Tom Farley, President
No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk. With the ability to shatter a company’s reputation with their customers and draw criticism from shareholders, lawsuits from affected parties, and attention from the media, the threat of cyber risk is ubiquitous and insidious. No com- pany, region, or industry is immune, which makes the responsibility to oversee, manage, and mitigate cyber risk a top-down priority in every organization. The New York Stock Exchange has long advocated that exemplary governance and risk oversight is fundamental to the health of individual companies, as well as to the sound operation of our capital markets. In other words, we too take the threat very seriously. Today, managing cybersecurity risk has expanded far beyond the realm of IT; it has become a business continuity necessity to ensure shareholder value remains intact and that privacy and corporate intellectual property is protected. Accordingly, those responsibilities are weighing heavily on corporate executives and directors, making it vital for them to better understand and prepare for the evolving cybersecurity landscape. Cyber risk ultimately poses a threat to confi dence, a foundational aspect of U.S. corporate issuers and markets. We are taking a leadership role on many fronts, such as reducing market fragmentation and complexity, as well as increasing effi ciency through the highest levels of intelligence, analytics, and technology. Confi dence in the integrity and security of our assets is concurrent with our success—as it is for every other company operating in the public markets today. Moreover, because the public markets have become increasingly reliant on interdependent technology sys- tems, the threat looms even larger. As we witnessed dur- ing the 2008 fi nancial crisis, rarely does any failure happen in a vacuum; therefore, the threat of systemic disruption has taken on an even higher level of prominence and concern among regulators and policymakers worldwide. It is important that companies remain vigilant, taking steps to proactively and intelligently address cybersecurity
iii ■ INTRODUCTION
risk within their organizations. Beyond the technological solutions developed to defend and combat breaches, we can accomplish even more through better training, aware- ness, and insight on human behavior. Confi dence, after all, is not a measure of technological systems, but of the people who are entrusted to manage them. With insights from the preeminent authorities on cybersecurity today, this groundbreaking, practical guide to cyberse- curity has been developed to refl ect a body of knowledge that is unsurpassed on this topic. At the heart of effective risk manage- ment must be a thorough understanding of the risks as well as pragmatic solutions. Thank you for your continued partnership with the New York Stock Exchange, and we look forward to continuing to support your requirements in this dynamic landscape.
■ iv Foreword Visa Inc. – Charles W. Scharf, CEO
For years, cybersecurity was an issue that consumers, executive management, and boards of directors took for granted. They were able to do so because the technolo- gists did not. The technologists worked every day to protect their systems from attack, and they were quite effective for many years. We sit here today in a very dif- ferent position. The threats are bigger than ever before and growing in frequency and severity every day. Cybersecurity is now something everyone needs to think about, whether it’s in your personal or professional life. What worked in the past is not enough to protect us in the present and future. So what has changed? First of all, the technology platforms of today are big- ger targets than ever given the breadth and criticality of items they control. Second, the amount and value of the data that we all produce and store has grown exponen- tially. The data is a gold mine for criminals. Third, the interconnectedness of the world just makes it easier for more people—regardless of geography—to be able to steal or disrupt. And fourth, the perpetrators are more sophisticated, better organized, better funded, and harder to bring to justice than ever before. So the problem is different, and what we all do about it is different. This is not simply an IT issue. It is a business prob- lem of the highest level. Protecting our data and our systems is core to business today. And that means that having an outstanding cybersecurity program also can’t detract from our objectives around innovation, speed, and performance. Security has been a top priority at Visa for decades. It is foundational to delivering our brand promise. To be the best way to pay and be paid, we must be the most secure way to pay and be paid. We cannot ask people to use our products unless they believe that we are just that. Thus we must guard carefully both the security of our own network and company and the security of the broader payments ecosystem.
v ■ FOREWORD
There are several elements that we have accounts had been compromised—a pivotal found to be critical to ensuring an effective moment for our industry. security program at Visa. The losses experienced by our clients, combined with the impact on consumer con- Be open and honest about the effectiveness fi dence, galvanized our industry to take of your security program and regularly actions that, we believe, will have a mean- share an honest assessment of your security ingful and lasting effect on how the world posture with the executive team and board. manages sensitive consumer data—not just payments. We use a data-driven approach that scores We are taking action as an ecosystem, to our program across fi ve categories: risk collaborate and share information across intelligence, malware prevention, vulner- industries and with law enforcement and ability management, identity and access governments and to develop new technolo- management, and detection and response. gies that will allow us to prevent attacks and Scores move up and down not only as our respond to threats in the future. defenses improve or new vulnerabilities are discovered but also as threats change. Protect payments at physical retailers. The capabilities of the adversaries are Fraudsters have targeted the point-of- growing, and you need a dynamic sale environment at leading U.S. retailers, approach to measurement. capturing consumer account information and forcing the reissuance of millions Invest in security before investing of payment cards. As an industry we elsewhere. A well-controlled environment are rapidly introducing EMV (Europay, gives you the license to do other things. MasterCard, and Visa) chip payment Great and innovative products and technology in the United States. Chip- services will only help you win if you enabled payment cards and terminals have a well-protected business. work in concert to generate dynamic Don’t leave the details to others. Active, data with each transaction, rendering the hands-on engagement by the executive transaction data useless to fraudsters. team and the board is required. The risk Protect online payments. Consumer is existential. Nothing is more important. purchases online and with mobile devices Your involvement will produce better are growing at a signifi cant rate. In order results as well as make sure the whole to prevent cyberattacks and fraudulent organization understands just how use of consumer accounts online, Visa and important the issue is. the global payments industry adopted Never think you’ve done enough. The a new payment standard for online bad guys are smart and getting smarter. payments. The new standard replaces the They aren’t resting, and they have more 16-digit account number with a digital resources than ever. Assume they will token that is used to process online attack. payments without exposing consumer account information. Defending against cyberthreats is not some- Collaborate and share information. thing that we can solve for our company in a Sharing threat intelligence is a necessity vacuum. At Visa, we must protect not only rather than a “nice to have,” allowing our own network but the whole payments merchants, fi nancial institutions, and ecosystem. This came to life for us in late payment networks like Visa to rapidly 2013 when some of the largest U.S. retailers detect and respond to cyberattacks. and fi nancial institutions in the U.S. reported Public and private partnerships are data breaches. Tens of millions of consumer also critical to creating the most robust
■ vi FOREWORD
community of threat intelligence, so we also work closely with law enforcement and governments. At the heart of Visa’s security strategy is the concept of “cyber fusion,” which is centered on the principle of shared intelligence—a framework to collect, analyze, and leverage cyberthreat intelligence, internally and externally, to build a better defense for the whole ecosystem.
Championing security is one of Visa’s six strategic goals. This is an area where there are no grades—it is pass or fail, and pass is the only option. Cybersecurity needs to be part of the fabric of every company and every industry, integrated into every busi- ness process and every employee action. And it begins and ends at the top. It is job number one.
vii ■ TABLE OF CONTENTS
TABLE OF CONTENTS
iii INTRODUCTION New York Stock Exchange — Tom Farley, President
v FOREWORD Visa Inc. — Charles W. Scharf, CEO
Introductions — The cyberthreat in the digital age
3 1. PREVENTION: CAN IT BE DONE? Palo Alto Networks Inc. — Mark McLaughlin, CEO
9 2. THE THREE Ts OF THE CYBER ECONOMY The Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security and Jim Pfl aging, Principal
17 3. CYBER GOVERNANCE BEST PRACTICES Georgia Institute of Technology, Institute for Information Security & Privacy — Jody R. Westby, Esq., Adjunct Professor
27 4. INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS Institutional Shareholder Services Inc. — Patrick McGurn, ISS Special Counsel and Martha Carter, ISS Global Head of Research
33 5. TOWARD CYBER RISKS MEASUREMENT World Economic Forum — Elena Kvochko, co-author of Towards the Quantifi cation of Cyber Threats report and Danil Kerimi, Director, Center for Global Industries
37 6. THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT Internet Security Alliance — Larry Clinton, CEO
43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH Former CIO of The United States Department of Energy — Robert F. Brese
I. Cyber risk and the board of directors
51 8. THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS Orrick, Herrington & Sutcliffe LLP — Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner
■ viii TABLE OF CONTENTS
57 9. WHERE CYBERSECURITY MEETS CORPORATE SECURITIES: THE SEC’S PUSH TO REGULATE PUBLIC COMPANIES’ CYBER DEFENSES AND DISCLOSURES Fish & Richardson P.C. — Gus P. Coldebella, Principal and Caroline K. Simons, Associate
65 10. A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDS Internet Security Alliance and National Association of Corporate Directors — Larry Clinton, CEO of ISA and Ken Daly, President and CEO of NACD
71 11. ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINT Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing Director
79 12. DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING: HOW BOARDS CAN TEST ASSUMPTIONS Dell SecureWorks — Mike Cote, CEO
II. Cyber risk corporate structure
87 13. THE CEO’S GUIDE TO DRIVING BETTER SECURITY BY ASKING THE RIGHT QUESTIONS Palo Alto Networks Inc. — Davis Hake, Director of Cybersecurity Strategy
91 14. ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAM Coalfi re — Larry Jones, CEO and Rick Dakin, CEO (2001-2015)
III. Cybersecurity legal and regulatory considerations
101 15. SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATA Booz Allen Hamilton — Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate, Agatha O'Malley, Senior Associate, Jaqueline Cooney, Lead Associate and Waiching Wong, Associate
107 16. OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIES Data Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC — Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior Director
ix ■ TABLE OF CONTENTS
115 17. RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED TO CYBERSECURITY MATTERS Baker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate
121 18. LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCE K&L Gates LLP — Roberta D. Anderson, Partner
129 19. CONSUMER PROTECTION: WHAT IS IT? Wilson Elser Moskowitz Edelman & Dicker LLP — Melissa Ventrone, Partner and Lindsay Nickle, Partner
137 20. PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGE Fish & Richardson P.C. — Gus P. Coldebella, Principal
143 21. CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESS Latham & Watkins LLP — Jennifer Archie, Partner
151 22. INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS, AND RULES OF THE ROAD Kaye Scholer LLP — Adam Golodner, Partner
157 23. MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT Pillsbury Winthrop Shaw Pittman LLP — Brian Finch, Partner
163 24. COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS FROM MALICIOUS AND NEGLIGENT EMPLOYEES Littler Mendelson P.C. — Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group
IV: Comprehensive approach to cybersecurity
171 25. DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING THREAT ENVIRONMENT Booz Allen Hamilton — Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate
177 26. DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIES Booz Allen Hamilton — Bill Stewart, Executive Vice President; Jason Escaravage, Vice President; and Christian Paredes, Associate
■ x TABLE OF CONTENTS
V. Design best practices
187 27. WHAT ARE THEY AFTER? A THREAT-BASED APPROACH TO CYBERSECURITY RISK MANAGEMENT Intercontinental Exchange & New York Stock Exchange — Jerry Perullo, CISO
193 28. BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION Palo Alto Networks Inc.
VI. Cybersecurity beyond your network
207 29. SUPPLY CHAIN AS AN ATTACK CHAIN Booz Allen Hamilton — Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate
213 30. MANAGING RISK ASSOCIATED WITH THIRD-PARTY OUTSOURCING Covington & Burling LLP — David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate
219 31. A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER Delta Risk LLC — Thomas Fuhrman, President
229 32. THE INTERNET OF THINGS The Chertoff Group — Mark Weatherford, Principal
VII. Incident response
237 33. WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS U.S. Department of Justice — CCIPS Cybersecurity Unit
243 34. PLANNING, PREPARATION, AND TESTING FOR AN ENTERPRISE-WIDE INCIDENT RESPONSE Booz Allen Hamilton — Jason Escaravage, Vice President; Anthony Harris, Senior Associate; James Perry, Senior Associate; and Katie Stefanich, Lead Associate
249 35. DETECTION, ANALYSIS, AND UNDERSTANDING OF THREAT VECTORS Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist
255 36. FORENSIC REMEDIATION Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist and Ryan Vela, Regional Director, Northeastern North America Cybersecurity Services
xi ■ TABLE OF CONTENTS
261 37. LESSONS LEARNED—CONTAINMENT AND ERADICATION Rackspace Inc. — Brian Kelly, Chief Security Offi cer
267 38. CYBER INCIDENT RESPONSE BakerHostetler — Theodore J. Kobus, Partner and Co-Leader, Privacy and Data Protection; Craig A. Hoffman, Partner; and F. Paul Pittman, Associate
275 39. COMMUNICATING AFTER A CYBER INCIDENT Sard Verbinnen & Co — Scott Lindlaw, Principal
VIII. Cyber risk management investment decisions
283 40. OPTIMIZING INVESTMENT TO MINIMIZE CYBER EXPOSURE Axio Global, LLC — Scott Kannry, CEO and David White, Chief Knowledge Offi cer
289 41. INVESTMENT IN CYBER INSURANCE Lockton Companies Inc. — Ben Beeson, Senior Vice President, Cybersecurity Practice
IX. Cyber risk and workforce development
297 42. CYBER EDUCATION: A JOB NEVER FINISHED NYSE Governance Services — Adam Sodowick, President
301 43. COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVES Wells Fargo & Company — Rich Baich, CISO
307 44. CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENT Booz Allen Hamilton — Lori Zukin, Principal; Jamie Lopez, Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew Smallwood, Lead Associate
313 45. BUILDING A CYBER-SAVVY BOARD Korn Ferry — Jamey Cummings, Senior Client Partner; Joe Griesedieck, Vice Chairman and Co-Leader, Board and CEO Services; and Aileen Alexander, Senior Client Partner
319 46. EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED APPROACHES FOR A MORE SOPHISTICATED ROLE Egon Zehnder — Kal Bittianda, Selena Loh LaCroix, and Chris Patrick
325 CONTRIBUTOR PROFILES
■ xii Introductions — The cyberthreat in the digital age
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Prevention: Can it be done? Palo Alto Networks Inc. – Mark McLaughlin, CEO
Frequent headlines announcing the latest cyber breach of a major company, government agency, or organization are the norm today, begging the questions of why and will it ever end? The reason cybersecurity is ingrained in news cycles, and receives extraordinary investments and focus from businesses and governments around the world, is the growing realization that these breaches are putting our very digital lifestyle at risk. This is not hyperbole. More and more, we live in the digital age, in which things that used to be real and tangible are now machine-generated or only exist as bits and bytes. Consider your bank account and total absence of tangible money or legal tender that underlies it; you trust that the assets exist because you can “see” them when you log in to your account on the fi nan- cial institution’s website. Or the expectation you have that light, water, electricity, and other utility services will work on command, despite your having little to no idea of how the command actually results in the outcome. Or the com- fort in assuming that of the 100,000 planes traversing the globe on an average day, all will fl y past each other at safe distances and take off and land at proper intervals. Now, imagine that this trust, reliance, and comfort could not be taken for granted any longer and the total chaos that would ensue. This is the digital age; and with all the effi - ciencies and productivity that has come with it, more and more we trust that it will just “work.” This reliance on digital systems is why the tempo of concern due to cyberattacks is rising so rapidly. Business leaders, government leaders, education leaders, and mili- tary leaders know that there is a very fi ne line separating the smoothly functioning digital society built on trust and the chaotic breakdown in society resulting from the ero- sion of that trust. And it is eroding quickly. Why is that, and do we have any analogies? And, more importantly, can it be fi xed?
3 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
■ Machine vs. human attack, responses are highly manual in At the heart of the cybersecurity battle is a nature. Unfortunately, humans facing off math problem. It is relatively simple to against machines have little to no leverage, understand, but hard to correct. One of the and cyber expertise is increasingly hard to negative offshoots of the ever-decreasing come by in the battle for talent. Flipping the cost of computing power is the ability for cost curve on its head with automation and cyber criminals and adversaries to launch a next-generation, natively integrated secu- increasingly numerous and sophisticated rity platform is required if there is any hope attacks at lower and lower costs. Today, of reducing the “breach du jour” headlines. bad actors without the capability to develop (See Figure 2.) their own tools can use existing malware It is unlikely that the number of attacks and exploits that are often free or inex- will abate over time. On the contrary, there is pensive to obtain online. Similarly, every reason to expect that their number will advanced hackers, criminal organizations, continue to grow. In fact, we can also expect and nation-states are able to use these that the “attack surface” and potential tar- widely available tools to launch successful gets will also continue to grow as we con- intrusions and obscure their identity. These stantly increase the connections of various sophisticated adversaries are also develop- things to the Internet. ing and selectively using unique tools that An understandable but untenable could cause even greater harm. This all response to this daunting threat environ- adds up to tremendous leverage for the ment is to assume that prevention is impos- attackers. (See Figure 1.) sible, so we must simply detect and respond In the face of this increasing onslaught in to all intrusions. The fundamental problem the sheer number of attacks and levels of with this approach is that without signifi cant sophistication, the defender is generally prevention no combination of people, pro- relying on decades-old core security tech- cess, and technology can prioritize and nology, often cobbled together in multiple respond to every intrusion that could signifi - layers of point products; there is no true cantly impact a network and those who rely visibility of the situation, nor are the point on it. The math problem is simply insur- products designed to communicate with mountable. Quite simply, detection and each other. As a result, to the extent attacks response should be supplements to, instead are detected or lessons are learned from an of substitutes for, prevention.
FIGURE As computing power becomes less expensive,the cost for launching automated attacks decreases. This allows the number of attacks to increase at a given cost.
The attack math Number of successful attacks
Cost of launching a successsful attack
■ 4 PREVENTION: CAN IT BE DONE?
FIGURE Harnessing automation and integrated intelligence can continually raise the cost of making an attack successful, eventually decreasing the number of successful attacks.
The attack math Cost of launching a successsful attack
Number of successsful attacks
So, the strategy must be to signifi cantly U.S. Suddenly, the very way of life in the decrease the likelihood, and increase the Western world was deemed, appropriately cost, required for an attacker to perform a so, at risk. The comfort and confi dence of successful attack. To be more specifi c, we living in a well-protected and prosperous should not assume that attacks are going environment was shattered as citizens lost away or that all attacks can be stopped. trust in their ability to follow their daily rou- However, we should assume, and be very tines and way of life. It appeared as though diligent in ensuring, that the cost of a suc- there was an insurmountable technological cessful attack can be dramatically increased lead, and everywhere people turned there to the point where the incidence of a success- was anxiety and cascading bad news. ful attack will sharply decline. In the years immediately following When this point is reached, and it will not Sputnik, the main focus was on how to sur- come overnight, then we will be able to vive a post–nuclear-war world. Items like quantify and compartmentalize the risk to backyard bomb shelters and nonperishable something acceptable and understood. It’s at food items were in great demand, and that point that cyber risks will be real and schools were teaching duck-and-cover drills. persistent but that they will leave the head- In other words, people were assuming lines and fade into the background of every- attacks could not be prevented and were day life, commerce, communications, and preparing for remediation of their society interaction. This should be our goal. Not to post-attack. eliminate all risk, but to reduce it to some- However, this fatalistic view was tempo- thing that can be compartmentalized. There rary. America relied on diplomacy and tradi- is a historical analogy to this problem and an tional forms of deterrence while devoting approach to solve it. technological innovation and ingenuity to breakthroughs such as NASA’s Mercury ■ Sputnik analogy program. While it took a decade of resourc- The analogy, which is imperfect but helpful, es, collaboration, trial, and effort, eventually is the space race. In 1957 the Soviet Union the Mercury program and succeeding efforts launched Sputnik. The result was panic at changed the leverage in the equation. The the prospect that this technology provided space-based attack risk was not eliminated, the Soviets with an overwhelming advan- but it was compartmentalized to the point of tage to deliver a nuclear attack across the fading into the background as a possible but
5 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
not probable event. It was at this stage that it is an imperative that cost leverage is the panic and confusion receded from the gained in the cyber battle. This leverage can headlines and daily reporting. We will know be attained by managing the cyber risk to an we are in good shape in the cyber battle organization through the continual improve- when we have reached this point. So, how ment and coordination of several key ele- do we get there? ments: technology, process and people, and As with all things in life, ideas and phi- intelligence sharing. losophy matter. This is true because if you do not know what you are trying to get Technology done, it’s unlikely that you will get it done. It is very apparent that traditional or legacy In the space race analogy, the philosophy security technology is failing at an alarming shifted over time from one that primarily rate. There are three primary reasons for this: assumed an attack was imminent and unstoppable with the majority of planning The fi rst is that networks have been and resources geared toward life in the post- built up over a long period of time and attack world, to one of prevention where the often are very complicated in nature, majority of resources and planning were consisting of security technology that geared to reduce the probability and effec- has been developed and deployed in a tiveness of an attack. point product, siloed approach. In other Importantly, the risk of an attack was not words, a security “solution” in traditional eliminated, but the probability of occurrence network architecture of any size consists and success was reduced by vastly increas- of multiple point products from many ing the cost of a successful attack. It was different vendors all designed to do one previously noted that no analogy is perfect, specifi c task, having no ability to inform so the analogy of “cost” here for space-based or collaborate with other products. This attacks and cyberattacks is, of course, meas- means that the security posture of the ured in different ways. Most notably, network is only as “smart” overall as the cyberthreats are not the sole purview of least smart device or offering. Also, to the superpower nations, and the technological extent that any of the thousands of daily innovation most likely to reverse the cost of threats is successfully detected, protection successful attacks is most likely to come is highly manual in nature because there is from industry, not governments. However, no capability to automatically coordinate the principle is the same in that a prevention or communicate with other capabilities in philosophy is much more likely to result in the network, let alone with other networks prevention capabilities being developed, uti- not in your organization. That’s a real lized, and continually refi ned over time. problem because defenders are relying more and more on the least leverageable ■ Is prevention possible? resource they have—people—to fi ght The obvious question then is whether pre- machine-generated attacks. vention is possible. I think that most security Second, these multiple point solutions are professionals and practitioners would agree often based on decades-old technology, that total prevention is not possible. This is like stateful inspection, which was useful disheartening but also no different from any in the late 1990s but is totally incapable of other major risk factor that we have ever providing security capabilities for today’s dealt with over time. So, the real question is attack landscape. whether prevention is possible to the point And third, the concept of a “network” where the incidence of successful attacks is has morphed continues to do so at a reduced to something manageable from a rapid pace into something amorphous risk perspective. I believe that this is possible in nature: the advent of software as a over time. In order to achieve this outcome, service (SaaS) providers, cloud computing,
■ 6 PREVENTION: CAN IT BE DONE?
mobility, the Internet of Things, and other successful leaders understand the need to macrotechnology trends that have the assess organizational risk and to allocate impact of security professionals having resources and effort based on prioritized less and less control over data. competing needs. Given the current threat environment and the math behind success- In the face of these challenges, it is critical ful attacks, leaders need to understand both that a few things are true in the security the value and vulnerabilities residing on architecture of the future: their networks and prioritize prevention and response efforts accordingly. First is that advanced security systems Under executive leadership, it is also designed on defi nitive knowledge of very important that there is continued what and who is using the network be improvement in processes used to manage deployed. In other words, no guessing. the security of organizations. People must Second is that these capabilities be as be continually trained on how to identify natively integrated as possible into cyberattacks and on the appropriate steps to a platform such that any action by take in the event of an attack. Many of the any capability results in an automatic attacks that are being reported today start or reprogramming of the other capabilities. end with poor processes or human error. For Third is that this platform must also example, with so much personal informa- be part of a larger, global ecosystem tion being readily shared on social network- that enables a constant and near-real-time ing, it is simple for hackers to assemble very sharing of attack information that can be accurate profi les of individuals and their used to immediately apply protections positions in companies and launch socially preventing other organizations in the engineered attacks or campaigns. These ecosystem from falling victim to the same attacks can be hard to spot in the absence of or similar attacks. proper training for individuals, and diffi cult Last is that the security posture is to control in the absence of good processes consistent regardless of where data and procedures regardless of how good the resides or the deployment model of the technology is that is deployed to protect an “network.” For example, the advanced organization. integrated security and automated A common attack on organizations to outcomes must be the same whether the defraud large amounts of money via wire network is on premise, in the cloud, or has transfers counts on busy people being poor- data stored off the network in third-party ly trained and implementing spotty pro- applications. Any inconsistency in the cesses. In such an attack, the attacker uses security is a vulnerability point as a general publicly available personal information matter. And, as a matter of productivity, gleaned off social networking sites to iden- security should not be holding back high- tify an individual who has the authority to productivity deployment scenarios based issue a wire transfer in a company. Then the on the cloud, virtualization, SDN, NFV, attacker uses a phishing attack, a carefully and other models of the future. constructed improper email address that looks accurate on a cursory glance, seem- Process and people ingly from this person’s manager at the Technology alone is not going to solve the company telling the person to send a wire problem. It is incumbent upon an executive transfer right away to the following coordi- team to ensure their technical experts are nates. If the employee is not trained to look managing cybersecurity risk to the organi- for proper email address confi guration, or zation. Most of today’s top executives did the company does not have a good process not attain their position due to technological in place to validate wire transfer requests, and cybersecurity profi ciency. However, all like requiring two approvals, then this attack
7 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
often succeeds. It is important that technol- The network effect of defense is why ogy, process, and people are coordinated, there is such a focus and attention on threat and that training is done on a regular basis. intelligence information sharing. It is early days on this front, but all progress is good Intelligence sharing progress, and, importantly, organizations are Given the increasing number and sophistica- now using automated systems to share tion of cyberattacks, it is diffi cult to imagine threat intelligence. At the same time, analyti- that any one company or organization will cal capabilities are being rapidly developed have enough threat intelligence at any one to make use and sense of all the intelligence time to be able to defeat the vast majority of in ways that will result in advanced plat- attacks. However, it is not hard to imagine forms being able to reprogram prevention that if multiple organizations were sharing capabilities in rapid fashion such that con- what they are seeing from an attack perspec- nected networks will be constantly updating tive with each other in close to real time, that threat capabilities in an ever-increasing eco- the combined intelligence would limit suc- system. This provides immense leverage in cessful attacks to a small number of the the cybersecurity battle. attempted attacks. This is the outcome we should strive for, as getting to this point ■ Conclusion would mean that the attackers would need There is understandable concern and atten- to design and develop unique attacks every tion on the ever-increasing incidence of single time they want to attack an organiza- cyberattacks. However, if we take a longer tion, as opposed to today where they can use view of the threat and adopt a prevention- variants of an attack again and again against fi rst mindset, the combination of next- multiple targets. Having to design unique generation technology, improvements in attacks every time would signifi cantly drive processes and training, and real-time shar- up the cost of a successful attack and force ing of threat information with platforms attackers to aggregate resources in terms of that can automatically reconfi gure the secu- people and money, which would make them rity posture, can vastly reduce the number more prone to be visible to defenders, law of successful attacks and restore the digital enforcement, and governments. trust we all require for our global economy.
■ 8 SecurityRoundtable.org The three Ts of the cyber economy The Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security, and Jim Pfl aging, Principal
Thanks to rapid advances in technology and thinking, over the last decade we have seen entire industries and countries reinvented in large part because of the power of the Internet and related innovations. Naturally, these developments cre- ated new opportunities and risks, and none is greater than cybersecurity. Today, business leaders, academics, small business owners, and school kids know about hackers, phishing, identify theft, and even “bad actors.” In late 2014, the Sony Pictures Entertainment breach led to debates over data security, free speech, and corpo- rate management as well as the details of celebrity feuds and paychecks. The idea of cybersecurity is rising to the fore of our collective consciousness. Notable cybersecuri- ty breaches, including those at Target, Anthem BlueCross, and the U.S. Offi ce of Personnel Management, have dem- onstrated that no organization or individual is immune to cyberthreat. In short, the cybersecurity environment has changed dramatically over the past several years, and many of us have struggled to keep up. Many fi rms now fi nd themselves in an environment where one of their greatest business risks is cyber risk, a risk that has rapidly risen from an afterthought to primary focus. How do we create more opportunity and a safer world while protecting privacy in an interconnected world? This question is not just for policy makers in government and leaders of global Fortune 500 businesses. It affects the neighborhood small business, the academic community, investors and, of course, our children. Answering that question requires an understanding of the three Ts—technology, threat, and trust. Why? Because these are big interrelated ideas that have a signifi cant effect on business strategy, policy, and public opinion. For starters, you need to know about the three Ts, think about
9 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
them, and decide how you are going to technology and are thriving. Still, the advan- embrace the fi rst, deal with the second, and tage lies with the fi rms who not only shape the last. embraced the Internet but also built their entire business around it: Amazon, Google, ■ Technology and Uber. Finally, there is Apple, which Today we live in a golden age of innovation came of age with the Internet and morphed driven by technologies that dominate into a wildly successful global leader with headlines—cloud computing, mobility, big the introduction of the iPhone. data, social media, open source software, vir- There have been applications for these tualization, and, most recently, the Internet of technologies, with signifi cant impact, in a Things. These tectonic shifts allow individu- variety of industries. In transportation, Uber als, government, and companies to innovate is a great example of transforming a perva- and reinvent how they interact with each sive but sedentary sector into a newly reimag- other. These forces mandate that we redefi ne ined market. Uber used emerging technolo- what, how, and where we manage any busi- gies to disrupt seemingly distinct segments ness. We need to challenge core assumptions such as auto rental and even automotive about markets, company culture, and the art manufacturing. In the electrical sector, smart of the possible. The winners will be those meters, transformers, and switches have who leverage these innovations to reduce given utilities greater control over their distri- costs and deliver better, lower-priced prod- bution networks while their customers have ucts. Take Table 1 below, for example: gained greater control of their consumption. However, the golden age of innovation has a dark side. A new class of "bad guys" TABLETABLE Market capitalization has emerged and is taking advantage of (or private estimates, USD "holes" in these new technologies and our A goodin reputationmillions) online behavior to create new risks. This leads us to the second T—Threat. 3/31/2005 3/31/2015 ■ Threat Amazon $13,362 $207,275 Lifecycle It is almost cliché to talk about the pervasive- Apple $30,580 $752,160 ness and escalating impact of cybersecurity Google $64,180 $378,892 attacks. However, it is useful to provide a map that can help us better understand Uber N/A $41,000 where we may be heading to help us prepare and to develop more lasting defenses. AT&T $78,027 $175,108 Using a simple x-y graph, we can create an instructive map, in which x represents the Citigroup $244,346 $165,488 severity of the impact and y the "actor" or General perpetrator. Impact can be divided into the $388,007 $274,771 Electric following stages: embarrassment, theft, destruction to a target fi rm or asset, and wide- Kodak $6,067 $794 spread destruction. The actors also can be grouped into four escalating stages: individu- Sources: Capital IQ, Fortune als, hacktivists, cyber organized crime, and nation-states. See Figure 1. Given the impor- It is easy to see the relationship between tance of understanding threat, business lead- innovation and valuation. Some companies, ers should understand how the map applies such as Kodak, did not react fast enough to their business. To aid in this understand- and lost their market as a result. Others, ing, it is useful to cover a few examples that such as AT&T, have invested heavily in new illustrate various stages of these threats.
■ 10 THE THREE TS OF THE CYBER ECONOMY
FIGURE
Nation- ?? states Sony Saudi Aramco
Cyber JPMorganChase organized crime Target A C T O R
Hacktivist HBGary
Individual
Embarrass Steal Disrupt Destroy Widespread customer operations and business and disruption info destroy property future earnings and destruction
INTENT & IMPACT
In 2011, a high-profi le attack was under- work of criminals operating in Eastern taken by Anonymous, the prominent Europe, netted 40 million credit and debit “hacktivist” collective, in which it attacked card numbers and 70 million customer the security services fi rm HBGary Federal. records and was largely responsible for the The attack was precipitated by HBGary’s company’s 46 percent drop in profi t in Q4 of CEO, Aaron Barr, claiming in a Financial 2013 when compared to 2012.2 The attack Times article that his fi rm had uncovered also resulted in a serious decline in the com- the identities of Anonymous leaders and pany’s stock price and led the company’s planned on releasing these fi ndings at a board to fi re their CEO. The attack is esti- security conference in San Francisco the fol- mated to have netted its perpetrators lowing week.1 Anonymous responded by approximately $54 million in profi t from the hacking into HBGary’s networks, eventually sale of stolen card details on black market posting archives of company executives’ sites—quite the motivation for a criminal emails on fi le-sharing websites, releasing a enterprise. list of the company’s customers, and taking Another high-profi le attack, directed over the fi rm’s website. Although the attack against Sony Pictures Entertainment, is did affect HBGary fi nancially, Anonymous’ alleged to have been the work of hackers sup- primary motivation was to embarrass ported by the government of North Korea. Aaron Barr and HBGary. The attackers managed to secure not only a More recent attacks have been perpetrat- copy of The Interview, which had offended ed by better-organized criminal gangs and and motivated the North Korean state, but have had a greater impact. For instance, the also a vast trove of data from the corporate Target breach, believed to have been the network, including the personal and salary
11 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
details of tens of thousands of employees, ■ Trust internal email traffi c, and other highly sensi- One of the greatest casualties in the ever- tive information. The attack led the company increasing torrent of cyberthreats is trust— to delay the release of its big-budget fi lm, and specifi cally, the trust consumers have in it generated weeks of headlines. The attack business, the trust citizens and business also forced the company to take a variety of have in government, and the trust govern- computer systems offl ine. Although the long- ment has in business. This should be trou- term impact of the attack is unclear, it has had bling for all corporate executives and gov- a dramatic impact on the studio’s reputation, ernment leaders because trust is precious to stock price, and earnings. all relationships and is critical to effective What is next? In the future, we can expect workings of commerce and government. As a continued rise in the severity of cyberthreats. we know, it takes years to build, but it is easy Well-fi nanced criminal gangs and well- to lose. For instance, a single data breach can resourced nation-states appear to be increas- undo years of effort and cause immediate ingly capable and willing to engage in attacks and lasting reputation loss. that cause signifi cant damage. Measuring trust Boards and risk Recent consumer surveys suggest that con- After the initial shock of “how is this possi- sumers are tired of dealing with fraudulent ble,” every business leader has to consider charges and are raising their expectations for what it means for his or her business. Just a how their favorite brands and websites pro- few years ago, many viewed cybersecurity tect consumer data and personally identifi a- threats as a technical problem best left to the ble information. In May 2015, Pew Research company CIO or CISO. Increasingly, CEOs released a study in which 74 percent of and boards are coming to the realization Americans said it was “very important” to cybersecurity threats are a business risk that be “in control of who can get info about demands C-level and board scrutiny. you.” Edelman, one of the world’s largest Corporate boards have begun to look at public relations fi rms, does an annual study cybersecurity risk in much the same way called The Trust Barometer. The 2015 edition they would look at other risks to their busi- of this survey showed a huge jump in the ness, applying risk management frame- importance consumers place in privacy of works while evaluating the likelihood and their personal data. The study revealed that impact of cyber risk. Boards also have begun 80 percent of consumers, across dozens of to look at ways to transfer their risk, leading countries and industries, listed this as a top insurance companies to offer cybersecurity issue in evaluating brands they trust. Finally, insurance products. In their evaluation of HyTrust, an emerging technology company, cyber risk, companies are also taking a hard published a study on the impact of a cyber look at the second order effects of a cyberat- breach on customer loyalty and trust. Of the tack, notably the ability for a successful 2,000 consumers surveyed, 52 percent said a attack to undermine customers’ trust in the breach would cause them to take their busi- company. A successful attack often leads to ness elsewhere.3 What business can afford to the revelation of sensitive, personally identi- lose 50 percent of its customers? fi able information on customers, eroding What these numbers make clear is that con- consumer confi dence in the fi rm. Many of sumers are paying attention to cybersecurity the commonly understood risk management issues and that failure to address these con- frameworks and related insurance products cerns comes at a company’s own risk. Recent now being used recognize this and make it attacks have served as learning moments for clear that corporate boards must have a thor- many companies and consumers, allowing ough understanding of the third T, Trust. them to gain a fi rmer understanding of just
■ 12 THE THREE TS OF THE CYBER ECONOMY
how damaging such an attack can be. However, develop cyber risk mitigation products. Many with this knowledge comes increased expecta- of the insurance industry’s largest players, tions for how companies safeguard their data including Allstate, Travelers, Marsh, and and that of their consumers. Tennant, have moved to offer companies cyber insurance products, although the imma- Role of industry turity of the market has created complications Fortunately, industry is moving in this direc- for insurers and potential customers. Insurers tion, and many companies have begun to have had a hard time calculating their risk and consider cyber risk in their corporate plan- thus appropriate premiums for potential cus- ning. In 2014, the National Association of tomers, while customers have sometimes Corporate Directors issued a call to action, found their insurance quotes too expensive. which included fi ve steps that its members Fortunately, time and the accompanying set- should take to ensure their enterprises prop- tling of industry standards and actuarial data erly address cyber risk. These include the will help to mature and grow this market. following: Role of government Treating cyber risk as an enterprise risk Effective risk management—for govern- Understanding the legal implications of ments or private enterprises—starts with an cyber risks honest understanding of the situation and Discussion of cyber risk at board recognition that information sharing with meetings, giving cyber risk equal footing partners is essential. Information sharing, of with other risks course, starts with agreeing on common val- Requiring management to have a ues, and then trusting vetted, capable, and measureable cybersecurity plan reliable partners. Information sharing can be, The development of a plan at the board and must be, something that takes place at level on how to address cyber risks, and across all levels. The Constitution charg- including which risks should be avoided, es the federal government with the responsi- accepted, mitigated, or transferred via bility of providing for the defense of the insurance. nation while protecting the privacy and civil liberties of our citizens, a diffi cult balance Although this guidance is an excellent start, that requires trust in the government and we at The Chertoff Group believe that indus- processes by which we reach that balance. try has to go further and move toward a As we discuss the role of government in common cyber risk management framework information sharing and building trust, we that allows everyone to understand the have to acknowledge the impact the cyber risks to a business and how the com- Snowden revelations have had on public pany intends to address them. This model trust in government. Fundamentally, we would be a corollary to the General Accepted have to determine what we want the role of Accounting Principles (GAAP), the standard government to be and engage in legal accounting guidelines and framework that reforms that refl ect that role. Laws such as underlies the fi nancials and planning of the Computer Fraud and Abuse Act, enacted almost any business. The emergence of in 1986 and amended fi ve times since then, GAAP in the 1950s made it signifi cantly and the Electronic Controls Privacy Act easier for investors, regulators, and other (ECPA), which dates to 1986, have to be stakeholders to gain a clear understanding updated to refl ect the signifi cant changes in of a business and its fi nancials, allowing for technology and practice that have occurred comparisons across industries and sectors. since they were envisioned. In parallel, banks, insurers, and other pro- Beyond these efforts, we need to establish viders of risk mitigation are scrambling to or reinforce agreed-upon rules and programs
13 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
for government data collection on citizens Information Sharing and Analysis Centers and the legal frameworks that manage the (ISACs) was a Clinton Administration initia- transfer of that data between governments tive to build PPPs across critical infrastruc- for judicial and law enforcement purposes. ture sectors. These sector-by-sector ISACs Importantly, this initiative must provide for have proven to be models of trust. The mutual accountability for all participants. Financial Services ISAC has truly epito- These initiatives have to lay out clearly the mized these ideas and is considered by roles of all participants and, in our opinion, many to be the leading ISAC in sharing reinforce and strengthen the role for NSA in threat information. This model has been rep- helping this nation deal with the adversaries licated in other industries and led President that are using information technology to Obama to call for an expansion of the infor- harm us. mation sharing model to smaller groups of On the international front, in response to companies through Information Sharing and mounting concerns over data privacy, data Analysis Organizations (ISAOs). Another security and the rise of online surveillance, example is a U.S. government-industry ini- governments around the world have been tiative to combat botnets, in which the gov- seeking to pass new data protection rules. ernment is working with the Industry Botnet Several governments, including Germany, Group to identify botnets and minimize Indonesia, and Brazil, have considered their impacts on personal computers. enacting “data localization” laws that would require the storage, analysis, and processing ■ Technology, threat, and trust in the of citizen and corporate data to occur only boardroom within their borders. What do the three Ts of the cyber economy However, many of these proposals are mean for you? Here are just a few of the likely to impose economic harm and sow questions every leader has to consider: seeds of distrust. For example, several of the proposals under consideration would force Are we using technology for competitive companies to build servers in locations advantage? where the high price of local energy and the Are we secure? How do you know? Do we lack of trained engineers could translate into have a framework, a GAAP-equivalent higher costs and reduced effi ciencies. for cyber risk, that gives me the tools to Furthermore, requiring that data reside in a understand and measure risk? server based in Germany instead of one in Are we a good steward of the data we Ireland will do little to prevent spies from collect about our customers? accessing that data if they are determined and capable. Each of us needs answers to these questions. So, what should we do? It is critical that Your response will have a big impact on the policymakers and technology providers future of your organization. work together to develop solutions that keep A few years ago, there was a common online services available to all who rely on story in security circles about two types of them. We must develop principles that can companies: those who knew they had been serve as a framework for coordinated multi- hacked and those who had been hacked but lateral action between states and across the did not know it. Going forward, we will talk public and private sectors. We must be pre- about companies in terms of who cares pared to lead abroad and at home with effec- about cybersecurity: in some companies, it tive ideas. will be the entire executive suite; in others, Public private partnerships (PPPs) are it will just be the CISO or CIO. Your com- important pieces of the solution and are pany doesn’t want to fall into the latter cat- good models of trust that we should lever- egory. Use the three Ts to help your organi- age going forward. First, the formation of zation manage cyber risk and leverage the
■ 14 THE THREE TS OF THE CYBER ECONOMY
fantastic opportunities in this golden age of target-profit-falls-46-on-credit-card- innovation. breach-and-says-the-hits-could-keep- on-coming/. Works Cited 3. See “Consumers Increasingly Hold 1. See Joseph Menn, “Cyberactivists warned Companies Responsible for Loss of of arrest,” The Financial Times, February Confi dential Information, HyTrust Poll 5, 2011, Available at http://www.ft.com/ Shows,” HyTrust, October 1, 2014, Available cms/s/0/87dc140e-3099-11e0-9de3- at http://www.hytrust.com/company/ 00144feabdc0.html#axzz3cg7emYx4. news/press-releases/consumers- 2. See Maggie McGrath, “Target Profi t Falls increasingly-hold-companies-responsible- 46% On Credit Card Breach And The Hits loss-confi dential-info, Additional survey Could Keep On Coming,” Forbes, February data available at http://www.hytrust. 26, 2014, Available at http://www.forbes. com/sites/default/files/HyTrust_ com/sites/maggiemcgrath/2014/02/26/ consumer_poll_results_with_charts2.pdf.
SecurityRoundtable.org 15 ■
Cyber governance best practices Georgia Institute of Technology, Institute for Information Security & Privacy – Jody R. Westby, Esq., Adjunct Professor
■ The evolution of cybersecurity governance Corporate governance has evolved as a means of protect- ing investors through regulation, disclosure, and best practices. The United Nations Guidance on Good Practices in Corporate Governance Disclosure noted:
Where there is a local code on corporate governance, enterprises should follow a “comply or explain” rule whereby they disclose the extent to which they fol- lowed the local code’s recommendations and explain any deviations. Where there is no local code on corpo- rate governance, companies should follow recognized international good practices.1
The Business Roundtable (BRT), one of America’s most prominent business associations, has promoted the use of best practices as a governance tool since it published its fi rst Principles of Corporate Governance in 2002. In its 2012 update, BRT noted:
Business Roundtable continues to believe, as we noted in Principles of Corporate Governance (2005), that the United States has the best corporate governance, fi nancial reporting and securities markets systems in the world. These systems work because of the adop- tion of best practices by public companies within a framework of laws and regulations that establish minimum requirements while affording companies the ability to develop individualized practices that are appropriate for them. Even in the challenging times posed by the ongoing diffi cult economic environment, corporations have continued to work proactively to refi ne their governance practices, and develop new practices, as conditions change and “best practices” continue to evolve.2
17 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
Increases in cybercrime and attacks on corpo- 17799 and then ISO/IEC 27001.8 ISO/IEC rate systems and data have propelled discus- 27001 is the most accepted cybersecurity sions regarding governance of cyber risks standard globally. and what exactly boards and senior execu- Today, the ISO/IEC 27000 series of infor- tives should be doing to properly manage mation security standards is comprised of this new risk environment and protect corpo- nearly 30 standards. ISO, of which the rate assets. The topic reached a crescendo in American National Standards Institute May 2014 when the Institutional Shareholder (ANSI) is the member body representing U.S. Service (ISS) called for seven of the ten Target interests for the development of international board members not to be re-elected on the standards, has additional information secu- grounds that the failure of the board’s audit rity standards outside of the 27000 series.9 and corporate responsibility committees “to ISO information security standards cover a ensure appropriate management of these range of topics, such as security controls, risk risks set the stage for the data breach, which management, the protection of personally has resulted in signifi cant losses to the com- identifi able information (PII) in clouds, and pany and its shareholders.”3 control systems. Additional security stand- Over the past decade, the concept of cyber- ards also have been developed for fi nancial security governance has evolved from infor- services, business continuity, network secu- mation technology (IT) governance and rity, supplier relationships, digital evidence, cybersecurity best practices. The Information and incident response.10 Systems Audit and Control Association The U.S. National Institute of Standards (ISACA) has been a frontrunner in IT govern- and Technology (NIST) has developed a ance best practices with the COBIT (Control comprehensive set of cybersecurity guid- Objectives for Information and Related ance and Federal Information Processing Technology)4 framework. ISACA founded the Standards (FIPS),11 including a Framework IT Governance Institute (ITGI) in 1998 to for Improving Critical Infrastructure advance the governance and management of Cybersecurity (Framework).12 The NIST enterprise IT. The ITGI defi nes IT governance: guidance and standards are world-class materials that are publicly available at no IT governance is the responsibility of the charge. NIST recognized existing standards board of directors and executive manage- and best practices by mapping the ment. It is an integral part of enterprise Framework to ISO/IEC 27001 and COBIT. governance and consists of the leadership Other respected cybersecurity standards and organisational structures and pro- have been developed for particular purpos- cesses that ensure that the organisation’s es, such as the protection of credit card data IT sustains and extends the organisation’s and electrical grids. The good news is that strategies and objectives.5 cybersecurity best practices and standards are harmonized and requirements can be Gartner has a similar defi nition.6 mapped. This is particularly important because as companies buy and sell operating ■ Cybersecurity program standards and best units or subsidiaries or merge, they may practices7 have IT systems and documentation based As IT systems became vulnerable through upon several standards or best practices. networking and Internet connectivity, secur- Thus, the harmonization of standards ena- ing these systems became an essential ele- bles companies to blend IT departments and ment of IT governance. The fi rst cybersecu- security programs and continue to measure rity standard was developed by the British maturity. Standards Institute in 1995 as BS 7799. Over Some companies may need to align with time, this comprehensive standard proved multiple standards. For example, electric its worth and ultimately evolved into ISO transmission and distribution companies
■ 18 CYBER GOVERNANCE BEST PRACTICES
will need to meet the North American important to understand the breadth and Electric Reliability Corporation Critical reach of the standard and to choose one that Infrastructure Protection (NERC-CIP) stand- meets the organization’s security and compli- ards, as well as the Payment Card Industry ance needs. Data Security Standard (PCI DSS) if they ISO/IEC 27001, which can be obtained take credit cards, and some other broad from ANSI at http://webstore.ansi.org, is a security program standard, such as ISO/IEC comprehensive standard and a good choice 27001 or NIST for their corporate operations. for any size of organization because it is Even with harmonization, it is important respected globally and is the one most that companies choose at least one standard to commonly mapped against other stand- align their cybersecurity program with so pro- ards. One should not make the mistake of gress and security maturity can be measured. believing that all standards contain a full In determining which standard to use as a set of requirements for an enterprise secu- corporate guidepost, organizations should rity program; they do not. Some standards, consider the comprehensiveness of the stand- such as NERC-CIP or PCI, set forth security ard. Although standards requirements may be requirements for a particular purpose but mapped, each standard does not contain the are not adequate for a full corporate secu- same or equivalent requirements. Thus, it is rity program.
Leading cybersecurity standards and best practices include: The International Organization for Standardization (ISO), the information security series, http://www.iso.org/iso/home/search.htm?qt=information+security&published=on& active_tab=standards&sort_by=rel (also available from ANSI at http://www.ansi.org) The American National Standards Institute (ANSI)—the U.S. member body to ISO. Copies of all ISO standards can be purchased from ANSI at http://webstore.ansi.org/ National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS), http://csrc.nist.gov/ publications/index.html Information Technology Infrastructure Library (ITIL), http://www.itlibrary.org/. International Society of Automation (ISA), https://www.isa.org/templates/two- column.aspx?pageid=131422 Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technology (COBIT), http://www.isaca.org/cobit/pages/ default.aspx Payment Card Industry Security Standards Council (PCI SSC), https://www. pcisecuritystandards.org/ Information Security Forum (ISF) Standard of Good Practice for Information Security, https://www.securityforum.org/shop/p-71-173 Carnegie Mellon University’s Software Engineering Institute, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), http://www.cert.org/resilience/ products-services/octave/ Health Insurance Portability and Accountability Act (HIPAA) regulations for security programs, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/ index.html North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, https://scp.nrc.gov/slo/regguide571.pdf
19 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
Some information security standards, necessarily extends this duty to include the such as NERC-CIP, U.S. Nuclear Regulatory protection of the organization’s digital assets cybersecurity requirements, PCI standards (data, networks, and software). As a conse- for credit card data, and HIPAA security quence, the governance of cyber risks has requirements are mandatory. Portions of become increasingly important for boards of NIST guidance are mandatory for federal directors and senior management. This government contractors and U.S. govern- includes exercising good risk management, ment agencies and departments. The remain- validating the effectiveness of controls, and der of the standards listed are voluntary. ensuring compliance requirements are met. In addition to the leading cybersecurity An increase in shareholder derivative standards listed in the shaded box, additional suits against D&Os for failure to protect standards have been developed for certain against breaches also has heightened atten- industry sectors because they require height- tion on cybersecurity at the board and senior ened security protections. For example, ISO/ management level. Target was hit with share- IEC 27015 was developed as additional secu- holder derivative suits for failure to protect rity requirements for fi nancial organizations; the company and its data from a breach,13 as ISO/IEC 27799 was developed for informa- was Wyndham Hotels on similar grounds.14 tion security in health systems using ISO/IEC In addition, cybersecurity has become an 27002 (the controls portion of ISO/IEC 27001); important compliance issue that carries the 27011 was developed for telecommunications risk of headlines concerning enforcement systems using ISO/IEC 27002; and ISO/IEC actions, investigations, and breaches of per- 27019 was developed for industrial control sonally identifi able information. Several state system security for the energy utility industry. and federal laws impose privacy and securi- The value of using a standard as a guide- ty requirements on targeted industry sec- post for the development, maintenance, and tors and types of data. For example, the maturity of a security program is that it sets Gramm-Leach-Bliley Act (GLBA), the Health forth best practices for cybersecurity and is Insurance Portability and Accountability Act updated as required to meet changing (HIPAA), the Health Information Technology threats, technological innovation, and com- for Economic and Clinical Health Act pliance requirements. Standards also enable (HITECH Act), and state breach laws impose boards and senior executives to understand specifi c requirements pertaining to the secu- how comprehensive their organization’s rity and privacy of data and networks. security program is and provide an objective So, what does cyber governance mean? basis for audits and cybersecurity assess- What actions should board members be tak- ments. Evaluating a cybersecurity program ing? Who should be involved—the entire against a leading standard enables an organ- board or just certain committees? Cyber gov- ization to measure progress, assess the effec- ernance means more than D&Os periodically tiveness of controls, identify gaps and defi - asking interesting questions or receiving ciencies, and measure program maturity. reports regarding the company’s cybersecu- rity program. There is now an international ■ Cyber governance standards and best practices standard, ISO/IEC 27014, on the governance Cyber governance standards and best prac- of information security, which sets out roles tices have evolved over the past 20 years as and responsibilities for executive manage- companies have increased connectivity to the ment and boards of directors and is applica- Internet and networks and as cyberattacks ble to all types and sizes of organizations. have continued to rise. Directors and offi cers The standard notes: (D&Os) have a fi duciary duty to protect the organization’s assets and the value of the cor- [G]overnance of information security poration. The increased dependence on IT provides a powerful link between an systems and data in corporate operations organization’s governing body, executive
■ 20 CYBER GOVERNANCE BEST PRACTICES
management and those responsible for and compliance obligations, reputational implementing and operating an informa- risks, business interruption, and fi nancial tion security management system. It pro- losses; allocate the resources needed for the vides the mandate essential for driving risk-based approach. information security initiatives through- 3. “Set the direction of investment decisions”: 15 out the organization. establish an information security investment strategy that meets business The objectives of the standard are to align and security requirements; integrate security program and business objectives security considerations into existing and strategies, deliver value to stakeholders business and investment processes. and the board, and ensure information risks 4. “Ensure conformance with internal and 16 are adequately managed. external requirements”: ensure policies The difference between IT governance and procedures incorporate legal, and information security governance is that regulatory, and contractual obligations; the latter is focused on the confi dentiality, routinely audit such compliance. integrity, and availability of information, 5. “Foster a security-positive environment”: whereas governance of IT is focused on the accommodate human behavior and resources required to acquire, process, store, the needs of users; promote a positive 17 and disseminate information. ISO/IEC information security environment through 27014 sets forth six principles as foundation training and tone from the top. for information security governance: 6. “Review performance in relation to business outcomes”: ensure the security 1. “Establish organization-wide information program supports business requirements, security”: information security activities review impact of security on business as should encompass the entire organization well as controls.18 and consider the business, information security, physical and logical security, and ISO/IEC 27014 sets forth separate roles and other relevant issues. responsibilities for the board and executive 2. “Adopt a risk-based approach”: management within fi ve processes: Evaluate, governance decisions should be based on Direct, Monitor, Communicate, and Assure. the risk thresholds of a company, taking These are set forth in abbreviated form in the into account competitiveness issues, legal following table.19
Board of directors Executive management Evaluate Ensure business initiatives take information Ensure information security supports security into consideration business objectives Review reports on information security Submit new security projects with performance, initiate prioritized actions signifi cant impact for board review Direct Establish risk thresholds of organization Ensure security and business objectives are aligned Approve security strategy and overarching Develop security strategy and overarching policy policy Allocate adequate resources for security Establish a positive culture of cybersecurity program Continued
21 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
Board of directors Executive management Monitor Assess effectiveness of security program Determine appropriate metrics for security program Ensure compliance and legal obligations Provide input to board on security are met performance results, impacts on organization Evaluate changes to operations, legal Keep board apprised of new developments frameworks, and impact on information affecting information security security Communicate Report to investors/shareholders on Inform board of security issues that require whether information security is adequate their attention for business Provide results of external audits or reviews Ensure board’s actions and decisions and identifi ed actions to executive team regarding security are acted upon Recognize compliance obligations, business needs, and expectations for information security Assure Order independent reviews/audits of Support reviews/audits commissioned by security program board
■ Beyond ISO/IEC 27014: Other best practices is IT-focused, however, and does not men- and guidance tion the roles and responsibilities of chief At present, the only guidance NIST has information security offi cers (CISOs). The developed that addresses information secu- separation of the role of the chief informa- rity governance is its 2006 Special Publication tion security offi cer from the chief informa- 800-100, Information Security Handbook: A tion offi cer (CIO) (in other words, not having Guide for Managers. This publication, how- the CISO report to the CIO), is a best practice ever, is written for a federal audience and is that the Board Briefi ng ignores. It assigns all more technical than other materials directed responsibilities to the CIO, IT Strategy toward boards and senior executives. Committee, IT Steering Committee, IT ISACA’s IT Governance Institute updated Architecture Review Board, and Technology its Board Briefi ng on IT Governance in 2014,20 Council. Nevertheless, it is a valuable which sets forth an approach similar to ISO/ resource for boards and executive teams IEC 27014, but is based on ISACA’s COBIT seeking to implement good cyber govern- best practices. The Board Briefi ng includes ance practices. questions board members should ask and Finally, Carnegie Mellon University’s also checklists, tool kits, roles and responsi- Software Engineering Institute developed the bilities, and other helpful materials. The Governing for Enterprise Security Implementation Board Briefi ng focuses on fi ve activity areas: Guide in 2007 as a guide for boards and execu- Strategic Alignment, Value Delivery, Risk tives on governing enterprise security pro- Management, Resource Management, and grams.21 It is still quite instructive and includes Performance Measurement. The publication a model organizational structure for cyber
■ 22 CYBER GOVERNANCE BEST PRACTICES
governance; composition of a cross- members to become inundated in technical organizational privacy/security committee; data and issues and lose sight of the major sample mission, goals, and objectives for a risks that must be managed. In part, CIOs board Risk Committee; and an explanation of and CISOs need to develop better executive the critical activities in an enterprise security and board communication skills when program, including who should lead and be reporting on cybersecurity program activi- involved in them, and the outputs (artifacts) ties and incidents. Outside experts can also to be developed. It indicates where the board help separate which cybersecurity govern- has a role for governance oversight and sets ance issues should be directed to the execu- forth roles and responsibilities for the critical tive management team and which are for players, as well as shared responsibilities, for board consideration. the following: Once the critical vulnerabilities that require board and executive attention have chief security offi cer/chief information been identifi ed, the next step is to deter- security offi cer mine the information fl ows that are needed chief privacy offi cer to keep the board and senior management chief information offi cer informed and enable informed decision- chief fi nancial offi cer making. These two steps—identifi cation of general counsel cyber-related vulnerabilities and associ- business line executives ated information flows—should be fol- human resources lowed by an analysis of the board’s and public relations senior management’s roles in incident business managers response and business continuity/disaster procurement recovery. operational personnel The Target breach revealed how disas- asset owners trous it can be when a company’s executive certifi cation authority. team and board are not prepared to manage a major cybersecurity incident. The breach ■ Additional considerations in cybersecurity was clever but not terribly diffi cult to recov- governance er from; as ISS pointed out so clearly, it was Board structure plays a signifi cant role in Target’s executive team and board who cybersecurity governance. A Risk Committee failed to protect the company’s data and is the best choice for governance of cybersecu- ensure a robust incident response plan was rity because IT risks must be managed as in place that involved their participation. enterprise risks and integrated into enterprise Cybersecurity governance is an area risk management and planning. Many compa- where an independent adviser can provide nies place all oversight for cybersecurity in the valuable guidance to a board and executive board Audit Committee, which can substan- team by reviewing available reports and tially increase the workload of that committee. assessing the current state of the security Placing cyber governance with the Audit program, identifying key vulnerabilities Committee also creates segregation of duties and associated information fl ows that issues at the board level because the Audit should be directed to the board, advising on Committee is auditing the security program, the threat environment, and establishing determining remediation measures, and then the proper organizational structures for auditing this work the following year. effective cybersecurity governance. These One of the most important aspects of activities should be undertaken in a collab- cybersecurity governance is the identifi ca- orative fashion with IT and security leaders tion of vulnerabilities that could have a and in the spirit of helping them gain visi- material impact on corporate operations bility and support for security program and/or bottom line. It is easy for board initiatives.
23 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
■ Dutiful dozen 12. Evaluate the adequacy of cyber There are some actions that boards can take insurance against loss valuations and to ensure they are managing cyber risks ensure adequate risk strategies are in and meeting their fi duciary duty. Following place for cyber risks. is a list of a dozen actions that are within best practices, which can be used as a start- Many organizations also are struggling ing point and checklist for governance with how to integrate cybersecurity into activities: their enterprise risk management process. Most business operations today are A dozen best practices for cyber governance dependent upon IT systems and the confi - 1. Establish a governance structure with dentiality, availability, and integrity of their a board Risk Committee and a cross- data. Following are another dozen guiding organizational internal team. points on integrating cyber risks into enter- 2. Identify the key cyber vulnerabilities prise risk management.: associated with the organization’s operations. A dozen best practices for integrating cybersecurity into 3. Identify the security program activities enterprise risk management over which boards and executives 1. Understand the business’s strategies, should exercise oversight, and identify objectives, and needs for IT and data. the key information fl ows and reports 2. Inventory assets (data, applications, that will inform board and executives on hardware), assign ownership, the management of cyber vulnerabilities classifi cation, and risk categorization. and security program activities. 3. Map legal requirements to data for all 4. Identify legal compliance and fi nancial jurisdictions. exposures from IT systems and data. 4. Evaluate the security of vendors, business 5. Set the tone from top that privacy and partners, and supply chain linkages. security are high priorities for the 5. Align the cybersecurity program with organization, and approve top-level best practices and standards. policies on acceptable use of technology 6. Ensure controls are determined and and compliance with privacy and metrics identifi ed. security policies and procedures. 7. Conduct a risk assessment to establish a 6. Review the roles and the responsibilities baseline for cyber risk management. of lead privacy and security personnel, 8. Develop cyber risk strategies (block the and ensure there is segregation of duties risk, cyber insurance, other compensating between IT and security functions. controls, all of these). 7. Ensure that privacy and security 9. Design system architecture to responsibilities are shared, enterprise accommodate business goals and issues that apply to all personnel. objectives, meet security and legal 9. Review and approve annual budgets for requirements, and detect or prevent security programs. unauthorized usage. 10. Review annual risk assessments, the 10. Use technical tools and services to maturity of the security program, and provide integrated data on threats and support continual improvement. attacks. 11. Retain a trusted adviser to independently 11. Make cyber training and security inform the board on changes in the compliance part of annual performance threat environment, provide assistance reviews for all personnel. on governance issues, and advise on 12. Stay abreast of innovation and changes response issues in the event of a major in the threat environment as well as cyber incident. changing operational requirements.
■ 24 CYBER GOVERNANCE BEST PRACTICES
■ Conclusion management of enterprise IT is available Best practices and standards now require at http://www.isaca.org/cobit/pages/ boards and senior management to exercise default.aspx. governance over cybersecurity programs and 5. Board Briefi ng on IT Governance, IT associated risks. Laws such as Gramm-Leach- Governance Institute, 2nd ed., 2014 at Bliley, the Health Insurance Portability and 10, http://www.isaca.org/restricted/ Accountability Act, and the Federal Documents/26904_Board_Briefing_ Information Security Management Act all fi nal.pdf. require executive oversight of security pro- 6. Gartner, IT Glossary, “IT Governance,” grams. Each organization’s operations, system http://www.gartner.com/it-glossary/ architecture, policies and procedures, and it-governance. culture vary, thus, cyber risk management has 7. The term “cybersecurity best practice” to be tailored to the organization. Boards may be used interchangeably with should know what standards/best practices “standard” in the cybersecurity context, their organization is using to implement their as the standards embody best practices. security program and determine an approach The term “standard” is commonly used for their own governance activities. Checklists to refer to mandatory requirements. and the use of ISO/IEC 27014, the ISACA With respect to cybersecurity programs, Board Briefi ng on IT Governance, and the however, there is no bright line between Carnegie Mellon University’s Governing for best practices and standards. Some Enterprise Security Implementation Guide are all standards, such as NERC-CIP and useful resources that will help ensure boards HIPAA, are mandatory for certain are meeting their fi duciary duty and protect- organizations, while other standards, ing the assets of the organization. such as ISO/IEC, are voluntary. Other standards, such as the Federal References Information Processing Standards (FIPS) 1. Guidance on Good Practices in Corporate and NIST guidance (the 800 Special Governance Disclosure, United Nations Publication series) are voluntary for Conference on Trade and Development some entities and mandatory for others. (UNCTAD), New York & Geneva, 2006, 8. Wikipedia, “BS 7799,” https://en. http://unctad.org/en/docs/iteteb20063_ wikipedia.org/wiki/BS_7799. en.pdf. 9. International Organization for 2. Principles of Corporate Governance 2012, Standardization, Information Security, Harvard Law School Forum on Corporate http://www.iso.org/iso/home/search. Governance and Financial Regulation, htm?qt=information+security&publis Aug. 17, 2012, http://corpgov.law. hed=on&active_tab=standards&sort_ harvard.edu/2012/08/17/principles-of- by=rel. corporate-governance-2012/. 10. Id. 4. Elizabeth A. Harris, “Advisory Group 11. National Institute of Standards and Opposes Re-election of Most of Target’s Technology, Computer Security Division, Board,” The New York Times, May 28, Computer Security Resource Center, 2014, http://www.nytimes.com/ http://csrc.nist.gov/publications/ 2014/05/29/business/advisory-group- PubsSPs.html. opposes-re-election-of-most-of-targets- 12. Framework for Improving Critical board.html?_r=0 (quoting ISS report). Infrastructure Cybersecurity, National 4. COBIT is an acronym for Control Institute of Standards and Technology, Objectives for Information and Related Version 1.0, Feb. 12, 2014, http://www. Technology. Information on the COBIT nist.gov/cyberframework/upload/ 5 framework for the governance and cybersecurity-framework-021214.pdf.
25 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
13. See, e.g., Kevin LaCroix, “Target Directors 16. Id. at 4.2. “Objectives.” and Offi cers Hit with Derivative Suits 17. Id. at 4.4. “Relationship.” Based on Data Breach,” Feb. 3, 2014, 18. Id. at 5.2. “Principles.” http://www.dandodiary.com/2014/02/ 19. Id. at 5.3. “Processes.” The full articles/cyber-liability/target-directors- requirements of the standard should be and-officers-hit-with-derivative-suits- reviewed prior to use by an organization; based-on-data-breach/. ISO 27014 is available at http://www.iso. 14. See, e.g., Jon Talotta, Michelle Kisloff, & org/iso/home/search.htm?qt=27014& Christopher Pickens, “Data Breaches Hit sort=rel&type=simple&published=on. the Board Room: How to Address Claims 20. Board Briefi ng on IT Governance, IT Against Directors & Offi cers,” Hogan & Governance Institute, 2nd ed., 2014, Lovells, Chronicle of Data Protection, Jan. http://www.isaca.org/restricted/ 23, 2015, http://www.hldataprotection. Documents/26904_Board_Briefing_ com/2015/01/articles/cybersecurity- fi nal.pdf. data-breaches/data-breaches-hit-the- 21. Jody R. Westby & Julia H. Allen, Governing board-room/. for Enterprise Implementation Guide, 15. ISO/IEC 27014 (2013), Governance Carnegie Mellon University, Software of Information Security, “Summary,” Engineering Institute, 2007, http:// http://www.iso.org/iso/home/search. globalcyberrisk.com/wp-content/ htm?qt=27014&sort=rel&type=simple& uploads/2012/08/Governing-for- published=on. Enterprise-Sec-Impl-Guide.pdf.
■ 26 SecurityRoundtable.org Investors’ perspectives on cyber risks: Implications for boards Institutional Shareholder Services Inc. – Patrick McGurn, ISS Special Counsel and Martha Carter, ISS Global Head of Research
Although pundits proclaimed 2014 as the “Year of the Data Breach” and a signifi cant “no” vote at Target’s annual meeting put directors on notice that sharehold- ers want to know about potential risks, few 2015 corpo- rate disclosure documents provide evidence that boards increased transparency with respect to cyber oversight. Despite prodding from top regulators and investors’ calls for greater transparency, companies continue to fall short on disclosure in their key governance disclosure documents of cybersecurity risks and their board’s over- sight of them. Equally concerning is the limited infor- mation regarding cyber risk oversight provided by boards at a handful of fi rms that were the targets of 2014’s most widely publicized breaches. Boards would benefi t from an understanding of investors’ perspec- tives and adoption of best practices in disclosure on cyber risks.
■ Target’s breach led to boardroom backlash Target’s high-profi le data breach made headlines world- wide. Despite this, neither Target’s 2014 proxy state- ment nor the company’s initial annual meeting-related engagement materials discussed in a meaningful way the massive data theft or the board’s responses to it. As part of its research process leading up to the annual meeting, Institutional Shareholder Services (ISS) engaged with members of the Target board to learn more about the directors’ oversight of cyber risks before and after the breach. In the end, ISS opined in its 2014 annual meeting report on Target that the members of the board’s Audit and Corporate Responsibility committees had “failed to provide suffi cient oversight of the risks facing the company that potentially led to the data
27 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
breach.” Accordingly, ISS recommended lack of sharp, downward stock movements votes against the members of those two in the wake of disclosures of hacks or other board oversight panels. ISS acknowledged data breaches (or quick rebounds from such the board’s actions in the wake of the price drops when they occur) with share- breach but found that the committees holders’ apathy over cybersecurity prob- “failed to appropriately implement a risk lems. In a recent Harvard Business Review assessment structure that could have better article (Why Data Breaches Don’t Hurt Stock prepared the company for a data breach.” Prices, March 31, 2015), cybersecurity strate- After investors’ concerns emerged before gist Elena Kvochko and New York Times the meeting, the company engaged in a solic- Chief Technology Offi cer Rajiv Pant dismiss itation effort to defend the board’s response this easy explanation. They argue that muted to the breach. When the votes were tallied, stock price reactions to data breaches refl ect none of the members of Target’s audit and the absence of timely information and qual- governance panels received support from ity tools to price cyber risk: “Shareholders more than 81 percent of the votes cast. Target still don’t have good metrics, tools, and lead director James A. Johnson received the approaches to measure the impact of cyber lowest support—62.9 percent of the votes attacks on businesses and translate that into cast. According to ISS’ Voting Analytics data- a dollar value . . . The long and mid-term base of institutional investors’ voting records, effects of lost intellectual property, disclo- governance professionals at funds connected sure of sensitive data, and loss of customer to nearly half of Target’s top 10 largest inves- confi dence may result in loss of market tors cast votes against one or more of the share, but these effects are diffi cult to quan- company’s directors. tify.” Faced with this information vacuum, In the direct wake of the 2014 data Kvochko and Pant note that “shareholders breach issues and the dearth of proxy- only react to breach news when it has direct related disclosure on those matters, SEC impact on business operations, such as Commissioner Luis A. Aguilar fi red a shot litigation charges (for example, in the case of across the bow of boards that lack disclo- Target) or results in immediate changes to a sure. In a June 10, 2014, speech (“Boards of company’s expected profi tability.” Directors, Corporate Governance and Cyber Indeed, stock prices may not tell the Risks: Sharpening the Focus”) delivered at whole story. Contrary to the conventional a New York Stock Exchange (NYSE)–hosted wisdom, recent survey data show investors cybersecurity conference, Aguilar said, understand the long-term risks stemming “[B]oard oversight of cyber-risk manage- from hacks and they may actually shy ment is critical to ensuring that companies away from investing in companies with are taking adequate steps to prevent, and multiple breaches. A recent survey— prepare for, the harms that can result from conducted by FTI Consulting on behalf of such attacks. There is no substitution for consulting giant KPMG LLP—of more than proper preparation, deliberation, and 130 global institutional investors with an engagement on cybersecurity issues.” estimated $3 trillion under management Noting the wide damage crater caused by found that cyber events may affect inves- cyber events, Aguilar noted that the board- tors’ confi dence in the board and demand room plan should include “whether, and for the affected companies’ shares. how, the cyber-attack will need to be dis- Investors opined that less than half of closed internally and externally (both to boards of the companies that they currently customers and to investors).” invest in have adequate skills to manage rising cyberthreats. They also believe that ■ Shareholders care about breaches 43 percent of board members have “unac- Are shareholders apathetic about data ceptable skills and knowledge to manage breaches? Some media reports equate the innovation and risk in the digital world.”
■ 28 INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS
More ominously for boards, four of fi ve ■ ISS policy respondents indicate a disclosure investor respondents (79 percent) suggest- framework ed that they may blacklist stocks of hacked What level of detail do investors expect to fi rms. As for a remedy, 86 percent of the see about these issues in disclosures regard- surveyed investors told KPMG and FTI ing cyberthreats? In 2014, as part of ISS’ that they want to see increases in the time 2015 policy-formulation process, we asked boards spend on addressing cyber risk. institutional investors to weigh the factors they assess in reviewing boardroom over- ■ Investors raise the bar for disclosure sight of risk, including cyberthreats. A Insights on the gap between investors’ majority of the shareholder respondents expectations and boardroom practices were indicated that the following are all either gleaned from PwC’s juxtaposition of two “very” or “somewhat” important to their surveys that it conducted in the summer of voting decisions on individual directors 2014, one of 863 directors in PwC’s 2014 elections: Annual Corporate Directors Survey, and the other of institutional investors with more role of the company’s relevant risk than $11 trillion in aggregate assets under oversight committee(s) management in PwC’s 2014 Investor Survey. the board’s risk oversight policies and procedures Nearly three quarters (74 percent) of directors’ oversight actions prior to and investors told PwC that they believe subsequent to the incident(s) it is important for directors to discuss changes in senior management. their company’s crisis response plan in the event of a major security breach. Notably, shareholders do not appear to be Only about half of directors (52 percent) looking for scapegoats. Disclosures about reported having such discussions. boardroom oversight action subsequent to Roughly three out of four (74 percent) an incident drew more demand than fi r- investors urged boards to boost cyber ings. An eye-popping 85 percent of the risk disclosures in response to the SEC’s respondents cited such crisis management guidance, but only 38 percent of directors and “lessons learned” disclosures as “very reported discussing the topic. important.” In contrast, only 46 percent of Similarly, 68 percent of investors believe it is the shareholders indicated that changes in important for directors to discuss engaging senior management are “very important” to an outside cybersecurity expert, but only them when it came time to vote on director 42 percent of directors had done so. oversight. Fifty-fi ve percent of investors said it was important for boards to consider ■ 2015 disclosures provide few insights designating a chief information security Despite prodding by the SEC and numerous offi cer, if their companies did not indications from investors, many boards have one in place. Only half as many continue to lack disclosure of cyberthreats directors (26 percent) reported that such in their fl agship documents—the proxy a personnel move had been discussed in statement and the 10-K. Only a handful of the boardroom. the companies that drew widespread cover- Finally, 45 percent of investors believe age of their data breaches during 2014 men- it is important for directors to discuss tion the events in their proxy statements, the National Institute of Standards and many cite materiality concerns to avoid and Technology (NIST)/ Department discussing the data breaches in detail in of Homeland Security cybersecurity their 10-Ks. framework, but only 21 percent of directors In sharp contrast to the absence of infor- reported their boards had done so. mation in Target’s 2014 proxy statement,
29 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
however, another big box retailer provided and management process to the full investors with a window into the board’s Board.” role in cyber risk oversight in its 2015 proxy materials. Home Depot addressed its Next, the Home Depot disclosure provides 2014 data breach, which affected up to some color on the board’s risk oversight 56 million customers who shopped at the policies and procedures: company’s stores between April 2014 and September 2014, with a concise (roughly For a number of years, IT and data secu- 1000-word) explanation of the steps taken rity risks have been included in the risks by the board before and after the company’s reviewed on a quarterly basis by the ERC breach. and the Audit Committee and in the The proxy statement disclosures include a annual report to the Board on risk assess- brief summary of the depth and duration of ment and management. In the last few the breach, an explanation of the board’s years, the Audit Committee and/or the delegation of oversight responsibility to the full Board have also regularly received audit committee, and an outline of remedial detailed reports on IT and data security steps that the board took in response to the matters from senior members of our IT event. and internal audit departments. These Notably, Home Depot’s disclosures gen- reports were given at every quarterly erally align with all the pillars identifi ed by Audit Committee meeting in fi scal 2014, investors in their responses to the ISS policy including an additional half-day Audit survey: Committee session devoted exclusively to First, Home Depot’s board details the these matters that was held prior to the delegation of risk oversight to the audit com- discovery of the Data Breach. The topics mittee and describes the directors’ relation- covered by these reports included risk ship with the company’s internal audit and management strategies, consumer data compliance team: security, the Company’s ongoing risk mit- igation activities, and cyber security strat- The Audit Committee . . . has primary egy and governance structure. . . . responsibility for overseeing risks related To further support our IT and data to information technology and data pri- security efforts, in 2013 the Company vacy and security. . . . The Audit enhanced and expanded the Incident Committee stays apprised of signifi cant Response Team (“IRT”) formed several actual and potential risks faced by the years earlier. The IRT is charged with Company in part through review of quar- developing action plans for and respond- terly reports from our Enterprise Risk ing rapidly to data security situations. . . . Council (the “ERC”). The quarterly ERC The IRT provided daily updates to the reports not only identify the risks faced Company’s senior leadership team, who by the Company, but also identify wheth- in turn periodically apprised the Lead er primary oversight of each risk resides Director, the Audit Committee and the with a particular Board committee or the full Board, as necessary. full Board . . . The chair of the ERC, who is also our Vice President of Internal The Home Depot board also highlights its Audit and Corporate Compliance, reports cyber-risk oversight actions prior to the the ERC’s risk analyses to senior manage- incident: ment regularly and attends each Audit Committee meeting. The chair of the ERC Under the Board’s and the Audit also provides a detailed annual report Committee’s leadership and oversight, regarding the Company’s risk assessment the Company had taken signifi cant steps
■ 30 INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS
to address evolving privacy and cyber Privacy Governance Committee, security risks before we became aware of to provide further enterprise-wide the Data Breach: oversight and governance over data security. This committee reports Prior to the Data Breach and in part quarterly to the Audit Committee. in reaction to breaches experienced We are in the process of further by other companies, we augmented augmenting our IT security team, our existing security activities by including by adding an offi cer level launching a multi-work stream effort Chief Information Security Offi cer and to review and further harden our hiring additional associates focused on IT and data security processes and IT and data security. systems. This effort included working We are reviewing and enhancing all extensively with third-party experts of our training relating to privacy and and security fi rms and has been data security, and we intend to provide subsequently modifi ed and enhanced additional annual data security based on our learnings from the Data training for all of our associates before Breach experience. the end of Fiscal 2015. In January 2014, as part of the efforts Our Board, the Audit Committee, and described above, we began a major a special committee of the Board have payment security project to provide received regular updates regarding the enhanced encryption of payment card Data Breach. In addition to the IT data at the point of sale in all of our U.S. and data security initiatives described stores. . . . Upon discovery of the Data above, the Board, supported by Breach, we accelerated completion the work of its Audit and Finance of the project to September 2014, Committees, has reviewed and offering signifi cant new protection for authorized the expenditures associated customers. The new security protection with a series of capital intensive takes raw payment card information projects designed to further harden and scrambles it to make it unreadable our IT security environment against to unauthorized users. . . . evolving data security threats. We are rolling out EMV “chip-and-PIN” technology in our U.S. stores, which ■ Boards would benefi t from engagement adds extra layers of payment card and disclosure protection for customers who use EMV Although the good news is that cybersecu- chip-and-PIN enabled cards. . . . rity has seemingly come to the forefront for many directors, the bad news is that share- Finally, the Home Depot board discusses the holders are not yet getting the transparency boardroom oversight actions taken subse- they need to assess the quality of boardroom quent to the incident including changes in oversight. The signifi cant “no” vote against senior management: the Target board at its 2014 annual meeting, coupled with survey data, show that share- Following discovery of the Data Breach, holders are far from apathetic when it comes in addition to continuing the efforts to assessing cyber risk oversight. described above, the Company and the Board took a number of additional ■ Target’s lessons learned actions: In the wake of its challenging 2014 annual meeting, Target hosted calls or held meet- We formed an internal executive ings with shareholders representing approx- committee, the Data Security and imately 41% of shares voted. The majority of
31 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
these conversations were led by Director responsibilities among the committees, most Anne Mulcahy. In light of this feedback and notably by elevating the risk oversight role with the assistance of a third-party strategy of the corporate risk & responsibility com- and risk management and regulatory com- mittee (formerly known as the corporate pliance consultant, the board “embarked on responsibility committee). a comprehensive review” of risk oversight Examples such as Home Depot and the at the management, board, and committee Target board’s 2015 disclosures provide levels. As a result of this comprehensive more transparency on risk oversight and are review, in January 2015, the Target board a good framework for other boards to follow. “clarifi ed and enhanced” its practices to pro- Boards would be wise to raise their games vide more transparency about how risk by disclosing more details of their board oversight is exercised at the board and com- oversight efforts and engaging with inves- mittee levels. As part of this revamp, the tors when cyber incidents occur, or they may board reallocated and clarifi ed risk oversight run the risk of a loss of investor confi dence.
■ 32 SecurityRoundtable.org Toward cyber risks measurement Elena Kvochko, Author, Towards the Quantifi cation of Cyber Threats report; and Danil Kerimi, Director, Center for Global Industries, World Economic Forum
As most companies in the U.S. already use some form of cloud-based solutions, the digital footprint of enterprises is growing, and so are the risks. Technological solutions have always focused on convenience, transparency, and an ever-increasing ability to share information and col- laborate, while built-in security hasn’t been a priority until recently. Now enterprises are shifting away from this model. Growing privacy and security concerns affect customer perception. According to Deloitte, 80% of cus- tomers are aware of recent cyber breaches, and 50% of them are ready to switch brands if they feel their informa- tion may be compromised. Experian reported that now cyber breaches are as devastating for the reputation of organizations as environmental disasters and poor cus- tomer service. Most executives recognize that cyber risks are no longer on the horizon but are an imminent cost of doing business. Companies are actively looking for effective mitigation actions. Recent surveys show that cybersecurity is already part of the agenda of 80% of corporate boards (up from around 30% 4 years ago). Companies are adjusting their enterprise risk management frameworks and including cyber risks and accompanying controls as part of the nec- essary risk management actions. Traditional controls intro- duced for in-house infrastructure no longer work, as more and more operations are performed in the cloud. Just as in any healthy ecosystem, these environments present great opportunities for stakeholders to interact with each other and with the content, but they also carry inherent risks. Risk mitigation approaches and technologies lag behind the sophistication of the threat. In fact, our ear- lier research with the World Economic Forum and McKinsey showed that 90% of executives feel they only
33 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
have “nascent” and “developing” capabili- fi nancial services industry and describes the ties to combat cyberthreats. In this situa- risk appetite and potential losses for a port- tion when cyber breaches have become an folio that an institution will incur over a inevitable reality of doing business, execu- defi ned period of time and is expressed in a tives ask themselves, “What does it mean probability to insure the loss. for my business, how probable is it that a In the cyber value-at-risk, we introduced devastating breach will happen to us, and three major pillars, according to which com- how much could it cost us?” Still, very few panies can model their risk exposure: exist- organizations have developed ways to ing vulnerabilities, value of the assets, and assess their cyber risk exposure and to profi le of an attacker. A complete cyber value- quantify them. at-risk allows us to answer the question: In this chapter, we discuss the cyber “Given a successful cyberattack, a company value-at-risk framework introduced by the will lose not more than X amount of money Partnering for Cyber Resilience initiative of over period of time with 95% accuracy.” The the World Economic Forum and released at application of these models will depend on the Annual Summit in Davos in 2015. More particular industries, companies, and avail- than 50 organizations, including Wipro, able data and should be built for an organi- Deloitte (project advisor), and Aon, have zation. We discussed specifi c indicators that contributed to this effort. The framework can potentially be used to populate the laid the foundations for modeling cyber model. Mathematically, these components risks and encouraged organizations to take can be brought together and used to build a a quantitative approach toward assessing stochastic model. For example, vulnerabili- their cyber risks exposure, which could ties can be measured in the number of exist- also help make appropriate investment ing unpatched vulnerabilities, not up-to- decisions. date software, number of successful compro- We were delighted to see many spin-off mises, or results of internal and external projects and initiatives that were initiated as audits. They can be benchmarked against part of this work and hope they will contrib- the maturity of existing controls and security ute to better risk management tools. Our of networks, applications, data, etc. The research showed that the aggregate impact maturity of defending systems has to be of cybercrime on the global economy can benchmarked against the threat environ- amount to $3 trillion in terms of slow down ment, hence the profi le of an attacker com- in digitization and growth and result in the ponent becomes important. In this model, it slower adoption of innovation. Multiple would be important to look into their moti- other studies showed signifi cant negative vations (e.g., fi nancial gain, destruction of impact of cyber breaches. CSIS established assets, espionage), the tools they are using, that the annual cost of economic espionage and the innovative approaches. Because reaches $445 billion. Target's breach cost the cyber breaches are criminal activity, nontech- company more than $140 million, a large nical factors, such as behavioral motivations, portion of which went to cover litigation are to be considered. The component of the costs. Interestingly, however, Aon research value of assets of many organizations is dif- shows that more than 80% of breaches cost fi cult to establish. This includes tangible the companies less than $1 million. assets, such as fi nancial fl ows, infrastructure, and products, and intangible assets, primarily ■ Value-at-risk data assets (customer and employee data, How can companies defi ne their risk expo- business strategies, intellectual property), sure and the level of investments, as well as brand, reputation, and trust of stakeholders. priority areas for these investments? To Although cost of business interruption can answer this question, we turned to the value- be qualifi ed easier, the impact on intangible at-risk concept. The concept goes back to the assets is still subject to approximation. The
■ 34 TOWARD CYBER RISKS MEASUREMENT
impact of losing these assets can be unno- breach probability distribution”); hacker ticed in the short term but may hurt long- model (mapping out motivations of adver- term profi tability and market leadership of saries in relation to the organization); attack an organization. model (attack types and characteristics); The cyber value-at-risk model has a num- asset and loss model (potential loss given a ber of limitations, including availability of successful attack); security model (describ- data, diffi culties in calculating probabilities, ing organizations’ security posture), and and applicability across various industries, company model (modeling organizations’ but it presents a fi rst step and incentives for attractiveness as a target). Cyberpoint’s organizations to move toward quantitative Cy-var models looks at “time-dependent risk management. By publishing the model, valuation of assets” while taking into we aimed to encourage more industry stake- account an organization’s security posture holders to develop comprehensive quantita- and includes variables such as the values of tive approaches to cyber risks measurement intellectual property assets, IT security con- and management. For further examples and trols in place to protect those assets and information, please refer to Wipro’s use of other related risks, infrastructure risks, a cyber value-at-risk for its clients, Deloitte’s time horizon, and a probability of an attack. continuous development cyber value-at- At the same time, all stakeholders came to risk, Rod Becktom’s cybervar model, and agreement that quantifying risks is a chal- CXOWare’s Cyber Risk application model. lenging task. In a workshop organized togeth- The Institute of Risk Management (IRM) er with Deloitte, the World Economic Forum announced that it will release a cyber risk Partnering for Cyber Resilience members quantifi cation framework to help companies defi ned the attributes of an ideal model of assess their cyber risks exposure. The call to cyber risks quantifi cation: applicability across action from the Partnering for Cyber various industries; ease of interpretation by Resilience effort was that to develop a uni- experts and executives alike; association with fi ed framework that can be used by indus- real data and measurable security events; tries to reduce uncertainty around cyber risks scalability across organizations or even implications on businesses in the absence of across the industry; at the same, not relying dominant models and frameworks. Aon has on data that are currently absent within most defi ned important ways in which quantifi ca- organizations. tion of cyberthreats can lead to better busi- Although the cyber value-at-risk frame- ness decisions. First, as the conversation has work doesn’t specify how to calculate the shifted from technology and information fi nal number, it presents core components security departments to boardrooms, the and gives examples of how these compo- question of costs and risks becomes ever nents can be quantifi ed. This complete more prevalent. It helps show the scale and model, however, could be characterized by the impact that cyberthreats can have on general applicability across various indus- fi nancial targets and overall competitiveness tries. For it to be effective, it has to be vali- of organizations; helps defi ne and narrow dated by the industry stakeholders. Cyber down the investments required to mitigate value-at-risk aimed to bring together “tech- those threats; makes it easy to paint compel- nical, behavioral and economic factors from ling pictures, build scenarios, and make busi- both internal (enterprise) and external (sys- ness cases; and helps make a determination temic) perspectives.” As a next step, it would whether any parts of the risk can be trans- be important to understand dependencies ferred. Deloitte has put together a compre- between various components in the frame- hensive model for modular approach to work and ways to incorporate these models cyber risk measurement introducing the into existing enterprise risk frameworks. It is following components: probability model important to remember that organizations (“attractiveness and resilience determine should be wary of new emerging risks and
35 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
consider cyber risks in addition to broader their attackers and threats. The most signifi - technology or operational risks. cant challenge so far is the absence of input Overall, the goal was to help raise aware- variables, quality of existing datasets and, ness of cyber risks as a standing and regular following these, no standardized measures cost of doing business and help fi nd a way to assess cyber risk exposures. Building such to measure and mitigate those risks. This a model would require efforts in data classi- can be done through standardization of fi cation, encourage a strong organization various risk factors and indicators into a leadership, process improvement and col- normal distribution. laboration, as well improve decision making The components that we looked at in this across various business areas. For example, chapter help bring together various risk fac- the car industry, mortgage industry, or most tors via “measures of risk likelihood and insurances have agreed on a standardized impact.” To achieve a more granular level of metrics and data collection; the same should sophistication, quantifi cation and standardi- happen for cyber risks measurement. zation metrics must mature. Some of the Understanding dependencies between these main cited obstacles are availability of data variables and what they mean for various to build models, lack of standardized met- industries should be a subject for cross- rics and tools, lack of visibility within enter- industry collaboration so that input varia- prise, and inability to collect data and bles are unifi ed. The main benefi ts of this dubbed models internally. The variables and approach are seen in the ability to support components of the model can be brought decision-making processes, quantify the together into a stochastic model, which will damage at a more granular level, and defi ne show the maximum loss given a certain appropriate investments. This would help probability over a given period of time. It stimulate the development of risk transfer was discussed that close to real-time sharing markets and emergence of secondary risk of data between organizations could address transfer products to mitigate and distribute some of the main challenges of datasets' the risks. For organizations, the focus will availability and provide enough data to shift from an attacker to assets and how to build models. secure them in such a distributed digital Although a silver bullet to achieve cyber ecosystem, where everything is vulnerable. resilience doesn’t exist, organizations con- As more robust quantitative cyber risks sider comprehensive frameworks for quanti- models emerge and the industries are mov- fying and mitigating risk factors, including ing toward a standardized recognizable cyber risks. Following this model, compa- model, the confi dence of digital ecosystems nies will assess their assets and existing stakeholders and their ability to make effec- controls, quantify vulnerabilities, and know tive decisions will also rise.
Based on Towards the Quantifi cation of Cyber Threats report.
■ 36 SecurityRoundtable.org The evolving cyberthreat and an architecture for addressing it Internet Security Alliance – Larry Clinton, CEO
According to the Pentagon’s 2015 Annual Report, “The military’s computer networks can be compromised by low to meddling skilled attacks. Military systems do not have a suffi ciently robust security posture to repel sus- tained attacks. The development of advanced cyber tech- niques makes it likely that a determined adversary can acquire a foothold in most DOD systems and be in a posi- tion to degrade DOD missions when and if they choose.” If the cyber systems of the world’s most sophisticated and best funded armed forces can be compromised by “low to meddling skilled attacks,” how safe can we expect discount retailers, movie studios, or any other corporate or public systems to be? That is not even the bad news.
■ Things are getting much worse: Three reasons 1. The system is getting weaker. The bad news is that the cyber systems that have become the underpinning of virtually all of aspects of life in the digital age are becoming increasing less secure. There are multiple reasons for this distressing trend. First, the sys- tem is getting technologically weaker. Virtually no one writes code or develops “apps” from scratch. We are still relying on many of the core protocols designed in the 1970s and 80s. These protocols were designed to be “open,” not secure. Now the attacking community is going back through these core elements of the Internet and discovering still new vulnerabilities. So as new func- tionalities come online, their own vulnerabilities are sim- ply added to the existing and expanding vulnerabilities they are built upon. The reality is that the fabric of the Internet is riddled with holes, and as we continue to stretch that fabric, it is becoming increasingly less secure. Additionally, vulnerabilities in many open source codes, widely in use for years, are becoming increasingly apparent and being exploited by modern “zero-day”
37 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
attacks, and the patching system we have new access points to large amounts of data relied on to remediate the system can’t keep resulting from the explosion in the number of pace. Huge vulnerabilities such as mobile devices vastly increases the challeng- Heartbleed and Shellshock have existed es to securing cyberspace. within open source code for years only to However, the rise in use of mobile devices be revealed recently when scrutinized by pales in comparison to the coming Internet fresh eyes. of Things (IoT). The IoT, embedded comput- Within hours of the Heartbleed vulnerabil- ing devices with Internet connections, ity becoming public in 2014, there was a surge embraces a wide range of devices, including of attackers stepping up to exploit it. The home security systems, cars, smart TVs, and attackers exploiting the vulnerability were security cameras. Like the bring-your-own- much faster than the vendors could patch it. device (BYOD) phenomenon, the coming of This is a growing trend. In 2014 it took the IoT further undermines the overall secu- 204 days, 22 days, and 52 days to patch the top rity of the system by dramatically increasing three zero-day vulnerabilities. In 2013 it took the vectors, making every new employee’s only four days for patches to arrive. Even internet-connected device, upon upgrade, a more disturbing is that the top fi ve zero-day potential threat vector. attacks in 2014 were actively used for a com- bined 295 days before patches were available. 2. The bad guys are getting better. Moreover, because almost no one builds Just after the turn of the century, the NSA from scratch anymore, the rate of adoption coined a new term, the “APT,” which stood for open source programming as a core com- for the advanced persistent threat. The APT ponent of new software greatly exceeds the referred to ultrasophisticated cyberattack vetting process for many applications. As methods being practiced by advanced the code gets altered into new apps, the risks nation-state actors. These attacks were char- continue to multiply. In 2015 Symantec esti- acterized by their targeted nature, often mates there are now more than a million focused on specifi c people instead of malicious apps in existence. In fast-moving, networks, their continued and evolving early stage industry, developers have a nature, and their clever social engineering strong incentive to offer new functionality tactics. These were not “hackers” and “script and features, but data protection and priva- kiddies.” These were pros for whom cyberat- cy policies tend to be a lesser priority. tacks were their day job. The risks created by the core of the system They were also characterized by their becoming intrinsically weaker is being fur- ability to compromise virtually any target ther magnifi ed by the explosion of access they selected. APTs routinely compromised points to the system, many with little or no all anti-virus intrusion detection and best security built into their development. Some practices. They made perimeter defense analysts are already asserting that there are obsolete. more mobile devices than there are people Now these same attack methods, once on the earth. If that is not yet literally true, it practiced only by sophisticated nation-states, will shortly be. are widely in use by common criminals. It is now common for individuals to have Whereas a few years ago these attacks were multiple mobile devices and use them inter- confi ned to nations and the Defense Industrial changeably for work and leisure often with- Complex, they now permeate virtually all out substantial security settings. Although economic sectors. this certainly poses a risk of data being stolen The APT now stands for the average persis- directly from smartphones, the greater con- tent threat. cern is that mobile devices are increasingly The increasing professionalism and conduits to the cloud, which holds increasing sophistication of the attack community is amounts of valuable data. The number of fueled by the enormous profi ts cyberattacks
■ 38 THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT
are generating—routinely estimated in the corporate growth, innovation, and profi ta- hundreds of billions of dollars and growing. bility also undermine cybersecurity. It is now apparent that attackers are not Technologies such as VOIP or cloud com- going to rely on reusing the same old meth- puting bring tremendous cost effi ciencies but ods. Instead, like any smart, successful, and dramatically complicate security. Effi cient, growing enterprise, they are investing in even necessary, business practices such as the R&D and personnel acquisition. They are use of long supply chains and BYOD are also seeking to grow their business, including economically attractive but extremely prob- fi nding new vulnerabilities in older infra- lematic from a security perspective. structures and thus widening the surface Corporate boards are faced with the available for attack. conundrum of needing to use technology to grow and maintain their enterprises without 3. The economics of cybersecurity favor the attackers. risking the corporate crown jewels or hard- Cyberattacks are relatively cheap and easy to won public faith in the bargain. In addition, access. Virtually anyone can do an Internet the fears and potential losses from cyber search and fi nd vendors to purchase attack events tend to be speculative and future ori- methods for a comparatively small invest- ented, whereas most corporate leaders (as ment. The attacker’s business plans are well as the citizen investors who have their expansive with extremely generous profi t 401(k)s tied up in the stock market) tend to margins. Multiple reports suggest hundreds make their decisions with an eye toward the of billions of dollars in criminal cyber reve- next quarter or two. nue each year. They can use virtually identi- cal attack methods against multiple targets. The national security equation The vast interconnection of the system Finally, from the national security perspec- allows attackers to exploit weaker links who tive, Internet economics are also complicated. have permitted access to more attractive This economic puzzle is important to solve targets, and their “market” is accessible to because multiple independent studies indi- them worldwide. cate that the number one problem with Meanwhile, cyber defense tends to be securing critical infrastructure from cyberat- almost inherently a generation behind the tack is economic. As the 2014 National attackers, as anticipating the method and Infrastructure Protection Plan makes clear, point of attack is extremely diffi cult. From a the public and private sectors have aligned, business investment perspective it is hard but not identical, perspective on cybersecu- to show return on investment (ROI) to rity based on their differing, and legally attacks that are prevented, making ade- mandated, roles and obligations. quate funding a challenge. Moreover, law The private sector is legally required to enforcement is almost nonexistent—we invest to maximize shareholder value. successfully prosecute less than 2% of cyber Although shareholder value is enhanced to criminals, so there is little to discourage the some degree by security investment, gener- attackers from being bold. Furthermore, as ally security is considered a cost center in we have already illustrated, notwithstand- the corporate world. As with most corporate ing consumers tend to prefer utility and investments, security is a mater of cost ben- function over security, which provides a efi t for the private sector. What this trans- disincentive for investors to enhance devic- lates to is that the private sector may legiti- es with added security, which often slows mately judge that there is a level of security or limits utility. that goes beyond their commercial interest This little-understood imbalance of the and hence their legally mandated obligation economic incentives is exacerbated by the to their shareholders. An example is the fact that many of the technologies and busi- common case of pilfering in many retail ness practices that have recently driven stores, wherein the owner may be aware
39 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
that 5% of his inventory is “walking out the the Department of Homeland Security back door” every month. The reason he (DHS) be given authority to set minimum doesn’t hire more guards or put up more standards for cybersecurity over the private cameras or other security measures is that sector. Subsequently two bills were offered the cost benefi t presumably suggests it will in the Senate, one by the Chairman of the cost him 6% to do so, and hence the better Senate Commerce Committee, Senator Jay business decision is to tolerate this level of Rockefeller (D-WV) with Senator Olympia insecurity. Snow (R-ME) and separately by Senate Government doesn’t have that luxury. Homeland Security Chairman Joe Lieberman The government is charged with providing (D-CN) and Senator Susan Collins (R-ME). for the common defense. Surely, they have Both bills largely followed the Obama para- economic considerations with respect to digm of DHS setting regulatory mandates security; however, they are also mandated to for the private sector with substantial penal- a higher level of security largely irrespective ties available for noncompliance. of cost to provide for national security, con- Despite strong backing from the Senate sumer protection, privacy, and other non- Majority Leader Harry Reid and much of the economic considerations. military establishment, the bills could not In the Internet space, government and get out of committee. Even though Reid industry are using the same networks. This exercised his parliamentary power to control means the two users of the systems have dif- the Senate agenda, there was not enough fering security requirements—both legiti- support to even get the bills to the fl oor for mate and backed by lawful authority. consideration, let alone vote on it. Moreover, requiring greater cybersecurity There was certainly industry opposition to spending, beyond commercial interest as these bills, but what killed them was the suggested by some, could run afoul of other bipartisan realization that the traditional reg- government interests such as promoting ulatory model was an ill fi t for cybersecurity. innovation, competitiveness, and job growth Government agencies’ ability to craft regula- in a world economy (presumably not follow- tions that could keep up with cyberthreats ing U.S.-based requirements). was highly questionable. Early efforts to Finally, the presumption that requiring apply traditional regulation to cyberspace, increased security spending by commercial such as HIPAA in the health-care industry, entities up to the government risk tolerance had not generated success. Indeed health is in the corporate self-interest is complicat- care is widely considered one of the least ed by the data that have emerged after cyber secure of all critical infrastructures. highly publicized cyber breaches. One year However, with cyber systems becoming after the Target breach, which would pre- increasingly ubiquitous and insecure threat- sumably damage the company’s image prof- ening economic development and national itability and reputation, Target’s stock price security, there was obvious need for an was up 22%, suggesting such predictions affi rmative and effective approach. The non- were incorrect. Similarly, 6 months after the regulatory, collaborative model selected high-profi le cyberattacks on Sony (the sec- largely followed the “social contract” para- ond high-profi le cyberattack for Sony in a digm previously promoted by industry gov- few years), Sony’s stock price was up 26%. ernment analysts.
■ Some good news: Enlightened policy working The social contract approach in partnership In 2013 President Obama reversed course Traditional regulatory efforts fail 180 degrees. In an executive order on In 2012 President Obama offered a legisla- cybersecurity the president abandoned the tive proposal to Congress suggesting that government-centric regulatory approach
■ 40 THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT
embodied in his previous legislative pro- telephone service at affordable rates, govern- posals and the Senate bills. Instead, he sug- ment would guarantee the investment pri- gested a public private partnership—a vate industry would make in building and social contract—that would address the providing the service. This agreement technical as well as economic issues that are ensured enough funds to build, maintain, precluding the development of a cyber sys- and upgrade the system plus make a reason- tem that can become sustainably secure. In able rate of return on the investment. Thus this new partnership, industry and govern- were born the privately owned public utili- ment would work together to identify a ties and the rate of return regulation system. framework of standards and practices wor- The result was that the U.S. quickly built thy of industry based on cyber risk assess- out the electric and communications systems ments conducted by the companies. The for the expanding nation, which were gener- president ordered that the framework be ally considered the best in the world. Some voluntary, prioritized, and cost effective. If have argued this decision was foundational there were an economic gap between what to the U.S.'s rapid expansion and develop- ought to be done and what would be ment, which turned it from a relatively accomplished through normal market minor power in the early part of the twenti- mechanisms, a set of market incentives eth century to the world’s dominant super- would be developed to promote voluntary power less than a generation later. adoption of the framework. Although Although the Obama social contract industry that operates under regulatory approach to cybersecurity has different systems would remain subject to regulatory terms than that of previous infrastructure authority, no new regulatory authority for development, the paradigm is similar. cybersecurity would be part of the system. Similar modifi cations of the incentive model Instead, a partnership system based on vol- are also in use in other areas of the economy, untary use of consensus standards and such as environment, agriculture, and trans- practices and reinforced through market portation, but this is the fi rst application in incentives would be built. the cybersecurity fi eld. The cyber social contract model has sub- Although it is in its formative stages, at stantial precedent in the history of infra- this point early indications for the social con- structure development in the United States. tract approach are positive. The cybersecuri- In the early twentieth century the innovative ty framework development process conduct- technologies were telephony and electricity ed by the National Institute of Standards and transport. Initially the private companies Technology (NIST) has been completed and that provided these technologies, because of received virtually unanimous praise. In an natural economies, served primarily high- exceedingly rare development, the Obama density and affl uent markets. Policy makers approach to cybersecurity closely tracks with of the era quickly realized that there was a that outlined by the House Republican Task broader social good that would be served by Force on Cyber Security. Bipartisan bills having universal service of these services using liability incentives, instead of govern- but also realized that building out that infra- ment mandates, are moving through structure would be costly and uneconomic Congress, and additional incentive programs either for industry or government. are under development. Instead of government taking over the process or mandating that industry make ■ Conclusion uneconomic investment, the policy makers The cybersecurity problem is extremely designed a modern social contract with serious and becoming more so. An inher- industry. If industry would build out the ently insecure system is becoming weaker. networks and provide universal electric and The attack community is becoming more
41 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
sophisticated and enjoys massive economic seems to have developed a consensus strat- incentives over the defender community. egy to better leverage public and private Traditional government methods to fi ght resources to combat cyberthreats without criminal activity have not matured to excessively compromising other critical address the threat and may be inappropri- social needs. Although there are some ini- ate to meet the dynamic nature of this tial signs of progress, the road to creating a uniquely twenty-fi rst century problem. sustainably secure cyber system will be Fortunately, at least the U.S. government long and diffi cult.
■ 42 SecurityRoundtable.org Effective cyber risk management: An integrated approach Former CIO of the U.S. Department of Energy – Robert F. Brese
In its 2015 Data Breach Report, Verizon found that in 60% of the nearly 80,000 security incidents reviewed, including more than 2,000 confi rmed data breaches, cyber attackers were able to compromise an organization within minutes. Alarmingly, only about one third of the compromises were discovered within days of their occurrence. This is not good news for C-suites and boardrooms. Data breach- es, compromises in which data loss is unknown, denial of service attacks, destructive malware, and other types of cybersecurity incidents can lead to lost revenue, reputa- tion damage, and even lawsuits, as well as short- and long-term liabilities affecting a company’s future. Although “getting hacked” may seem, or even be, inevita- ble, the good news is that by taking an integrated approach to risk management, cybersecurity risk can be effectively managed. But who is responsible for this integrated approach, and what does it include? Although often the case, man- aging cybersecurity risk should not be left solely to the chief information offi cer (CIO) and chief information security offi cer (CISO). Even though these professionals are capable, only an integrated information (i.e., data), information technology, and business approach will ena- ble a company to effectively manage cybersecurity risk as a component of an organization’s overarching enterprise risk program. There is also a movement for board-level involvement and reporting, resulting in a risk to board members’ tenure if they are not considered to be suffi - ciently engaged in the oversight of cybersecurity risk management and incident response. As an example, in 2014, Institutional Shareholders Services (ISS) recom- mended that shareholders of Target stock vote against all seven of the directors that were on the board at the time of the highly publicized 2013 breach. Although somewhat shocking, it should be inherently obvious that effective
43 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
cybersecurity risk management is key to collaboration. They also predict that the digi- meeting the fi duciary responsibilities of cor- tal industrial economy, and the Internet of porate offi cers and the board. Things (IoT), will result in even greater diffi - To ensure success, managing cybersecu- culty. However, attempting to scale cyberse- rity risk must be an ongoing and iterative curity risk management in isolation from an process, not a one-time, infrequent, or check- organization’s enterprise risk program only the-box activity. This area of risk manage- exposes the organization to greater risk by ment must grow with the company and creating a gap in risk oversight. change with ever-evolving cyber threats. Nearly every company has established Data holdings and information technology processes to manage enterprise risk. Larger (IT) systems, and the Internet-connected companies often have a chief risk offi cer environment in which they operate, change (CRO) or equivalent individual who is inde- at a pace that is more rapid than many of the pendent of the business units and is given other variables affecting enterprise risk. Not the authority and responsibility to manage only must the right stakeholders be engaged the enterprise risk processes. Incorporating at the right levels within an organization, cybersecurity into the mix of corporately but also the right automated tools and managed risks should be a priority. Some processes must be in place to support risk may argue that cybersecurity is too different decision making and monitoring. from the other risks a company faces, such as market risk, credit risk, currency risk, or ■ Perfect security is a myth physical security risk, to be managed in a As in physical security, there is no such thing similar manner. However, although cyberse- as perfect IT (cyber) security. All the fi re- curity may seem more “technical,” the walls, encryption, passwords, and patches desired outcome of the treatment is the available cannot create a zone of absolute same, that is to eliminate, mitigate, transfer, safety that enables a company to operate or accept risk affecting the company’s future. unimpeded and free of concern regarding One thing is certain: not all cybersecurity the cybersecurity threat. However, perfect risk can be eliminated through controls or security is not required, or even desired. The transferred through insurance, so residual effects of too little security are fairly obvious. risk must accepted. Making good decisions However, too much security unnecessarily requires an integrated, formal approach. constricts the business’ ability to operate by reducing the effectiveness and effi ciency of a ■ The cybersecurity risk management process customer’s access to the company’s products There are several key steps that should be and services and unnecessarily constraining taken to effectively integrate cybersecurity internal and business-to-business (B2B) risk management into the company’s enter- interactions. Effective risk management prise risk management process. This chapter fi nds the balance between the needs of the doesn’t attempt to explain the details of any business to operate and the needs and cost of particular process but instead focuses on com- security. In fi nding this balance, the company mon attributes that should be used, including will be able to compete successfully in its risk framing and assessment, controls assess- market while protecting the critical informa- ment, risk decision-making, residual risk sign- tion and assets on which its success relies. off, risk monitoring, and accountability. Figure 1 provides a visual of the process. For addi- ■ Enterprise risk management tional details on approaches to cybersecurity Gartner, Inc., the world’s leading IT research risk management, the National Institute of and advisory company, has found that cyber- Standards and Technology (NIST) Computer security risk management programs have Security Resource Center (CSRC), interna- experienced trouble in scaling with corporate tional standards organizations, and other initiatives in mobility, cloud, big data, and industry sources may be consulted.
■ 44 EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH
FIGURE
The cybersecurity risk management process
Accountability
Risk Risk Controls Residual Risk Framing & Decision Assessment Risk Sign-off Monitoring Assessment Making
Risk Framing and Assessment: The ini- a company has to avoid, mitigate, share, tial activities in risk management include transfer, or accept risk. This means that cor- risk framing and assessment and controls porate structure, training and awareness assessment. CIOs and CISOs have been programs, physical security, and other assessing the risk to IT systems for many options should be considered in addition to years and are well informed on the range of traditional IT controls. Cyber insurance may cybersecurity threats and vulnerabilities also be considered. Again, the CIO and that affect corporate risk. However, the con- CISO cannot do this alone, and there should sequences (i.e., business impact) may or be active engagement across all the various may not be well understood, depending on business lines, business support, and IT how close the relationship between IT and organizations that can contribute to identi- the line of business leaders has been in the fying potential controls and the impact they past. The engagement between IT and the may have on cybersecurity risk. line of business owners is crucial and must Risk Decision Making: A crucial element result in clarity about the type and amount of risk response is the decision-making pro- of risk the business is willing to accept with cess. Decisions are made regarding what will respect to the be done and what will not be done in response to each risk. A balance must be confi dentiality (preventing unauthorized struck between protecting systems and disclosure); information and the need to effectively run the business that relies on them. Other fac- integrity (preventing unauthorized modifi ca- tors that should be considered include the tion or destruction); and amount of risk reduction related to imple- mentation and maintenance costs and the availability (ensuring data and systems are impacts on employee training and certifi ca- operational when needed) tion requirements. An acceptable course of action is identi- of the information and systems on which fi ed and agreed to by the business, and then the business relies. Once IT understands the controls are implemented and initially eval- business owner’s risk threshold, the CIO uated for effectiveness. If the controls per- and CISO can begin planning, implement- form acceptably, then the sign-off and moni- ing, and assessing the appropriate security toring processes can begin. If not, then a controls. new course of action must be developed, Controls Assessment: Preparing an which may require further controls assess- appropriate response to risk requires the ment to respond to the risk or even addi- assessment of potential controls. Controls tional framing and assessment to adjust the include all of the tools, tactics, and processes risk tolerance.
45 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
Residual Risk Sign-Off: The sign-off of treatment plan and/or the accepted level of residual risk closes the decision-making pro- residual risk may require revision. If so, the cess. This should be the role of the business previous process steps should be revisited. because it is the operational customer of the The frequency of review should be in rela- risk management process. Additionally, this tion to the likelihood and severity of the risk. should be a formal, documented activity. Because most companies have a large num- The decisions on how each risk will be ber of systems, each with their own risk treated and/or accepted must be articulated register, an automated system is typically in a manner such that the signatory and used to aid monitoring and review. reviewers (i.e., regulators, etc.) can clearly Accountability: Last and most important, understand the risk treatment plan and the we have to consider accountability. residual risk being accepted. Once the resid- Accountability is not about who to blame ual risk is formally accepted, the system is when something goes wrong. As stated earli- typically placed into operation. The formal er, the likelihood of something going wrong is recognition of the residual risk also helps high. Accountability ensures a formal risk build a culture of risk awareness in the busi- management process is followed and that ness units. effective decision-making is occurring. One Risk Monitoring: Monitoring risk is an person should be accountable for the risk ongoing process. Each monitoring activity is management process; however, numerous designed with a purpose, type, and frequen- individuals will be cy of monitoring. Typically, a risk register responsible or has been developed during the risk framing accountable for A responsibility assign- ment matrix (RAM), also and assessment phase and leveraged the various steps, known as RACI matrix/ throughout all steps of the risk management and many more 'reisi:/ or ARCI matrix process. The register also serves as a refer- will be consulted or linear responsibility ence for auditors. The register should con- and informed chart (LRC), describes tain the risks that matter most and be rou- along the way. the participation by var- tinely updated and reviewed with the busi- One option to ious roles in completing ness over time. If the likelihood or severity ensure roles and tasks or deliverables for of consequences changes, or if other physical responsibilities are a project or business or IT environmental factors change, the clearly articulated process.
TABLE
Process Step CIO CISO LOB CRO CEO Board Risk Framing and AR C CCC Assessment
Controls Assessment AR C I II
Risk Decision-Making CR A CII
Residual Risk Sign-Off CR A I II
Risk Monitoring AR C C II
Accountability RC C ACC
■ 46 EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH
is by using a RACI matrix (see insert) to iden- conduct user acceptance testing or experi- tify which person or organization is responsi- ence surveys as well. ble, accountable, consulted, or informed. Table 1 provides an example but should be adjusted ■ Evaluating maturity of an organization’s to align to the enterprise risk management cybersecurity risk management program and governance processes of the company. Cybersecurity risk management programs aren’t born effective and are not immedi- ■ Information supporting cybersecurity risk ately prepared to scale with the business. management Equally important as making effective risk No risk management is a precise science, management decisions and accepting resid- including cybersecurity risk management. ual risk is the continuous evaluation of the Throughout the risk management process, process itself. Numerous IT, cybersecurity, the information required for success has to be and business consultants, as well as trade “good enough” to recognize and understand associations have published guidance, risks to the level necessary to support effec- checklists, and suggested questions for tive decision-making. Although complex board members. Although there are many mathematical models may work to manage ways for the C-suite and board to stay some risks the company faces, forcibly creat- engaged, a company’s cybersecurity risk ing objectivity when little or none exists can management program must continuously actually result in poor or ineffective decisions mature to ensure future success. To under- by creating a focus on the numbers rather stand a program’s growing maturity, ques- than on the meaning of the risk analysis. So, tions should be focused on evaluating using big bucket approach categories such as improvements in how well risk is under- low, moderate, and high or unlikely, likely, stood and treated, the effectiveness of busi- and very likely may be adequate. ness leader and general employee participa- tion, how responsive the risk management ■ Stakeholder engagement process is to change, and the capability to A key success factor of ensuring that fi duci- effectively respond to an incident. ary responsibilities are fulfi lled in a compa- How consistent is the understanding of ny’s cybersecurity risk management pro- the company’s tolerance for cybersecurity gram is the right level of stakeholder engage- risk across the C-suite and senior managers? ment. Leaving the program to the CRO or How deep in the organization does this the CIO alone should not be considered due understanding go? diligence. Framing and assessing risk How well do line of business owners requires a clear understanding of corporate understand the cybersecurity risks associat- risk tolerance. The line of business lead ed with their business? Are sound and effec- should have the responsibility to sign off on tive risk management and acceptance deci- the residual risk, but to make good risk deci- sions being made in a timely manner to meet sions, the perspectives of other individuals business needs? and organizations in the company must be How clearly are roles and responsibilities consulted and taken into consideration. understood, and how well do role owners Depending on the system(s) for which risk is adhere to and fulfi ll their responsibilities? being evaluated, some potential stakehold- Do employees report cybersecurity issues ers include the CIO, CISO, chief fi nancial and are they incorporated into the risk mon- offi cer (CFO), legal counsel, and other line of itoring process? business owners and external partners with When threats, vulnerabilities, or other con- supporting or dependent relationships. If ditions change, does the risk management there is signifi cant potential to affect the cus- process respond and, when necessary, make tomer experience, there may be a need to sustainable changes to the risk treatment plan?
47 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
How effective is the cyber incident decision-making as well as lead to coopera- response plan? Is it regularly exercised and tive approaches to mitigating risk. are lessons learned from exercises and prior Cybersecurity risks also exist in the supply incidents leveraged to improve the plan? chain, and communicating cybersecurity requirements and vetting suppliers for cer- ■ Effective communications tain critical components or services can effec- Long-term effectiveness in cybersecurity risk tively reduce risk. Had Target, Home Depot, management requires all employees to fulfi ll and certain other high-profi le cyberattack their responsibilities of the security of the victims built stronger cybersecurity relation- organization for which they work. Creating ships with external partners, their risk of a company culture of cybersecurity risk becoming a victim may have been reduced. awareness is critical and is fostered through effective communications. Leadership must ■ Conclusion understand how risk is being measured C-suites and boards should not fear cyberse- across the enterprise, articulate what level is curity. By integrating cybersecurity risk man- acceptable, and balance the cost they are will- agement into the enterprise risk management ing incur for this level of security. Employees process and by effectively engaging IT and must understand the basics of the various business executives, cybersecurity risk can be cybersecurity threats and vulnerabilities and understood and managed. Building a risk- the importance of their daily decisions and aware culture is important to ensuring the actions as they go about their business. quality of the ongoing risk monitoring pro- Regular training and awareness activities are cess. When cyberthreats and vulnerabilities essential and can be similar to the “see some- are regularly evaluated, employees are thing, say something” campaigns related to empowered to report issues and business physical security. Additionally, employees executives are aware of potential impacts to must be empowered and rewarded for iden- their operations, the company’s cybersecuri- tifying cybersecurity issues. ty defenses become more agile and respon- Communications are also important to sive and the overall risk remains under con- build strong relationships, not only through trol. Finally, continuous evaluation of the risk customer assurances but also with external management process, including its effective- partners and suppliers. Communicating ness and responsiveness to change and to cybersecurity requirements and expecta- incidents, is necessary to ensure effectiveness tions to business partners can improve risk is sustained.
■ 48 SecurityRoundtable.org Cyber risk and the board of directors
Electronic version of this guide and additional content available at: SecurityRoundtable.org
The risks to boards of directors and board member obligations Orrick, Herrington & Sutcliffe LLP – Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner
As cyberattacks and data breaches continue to accelerate in number and frequency, boards of directors are focusing increasingly on the oversight and management of corpo- rate cybersecurity risks. Directors are not the only ones. An array of federal and state enforcement agencies and regulators, most notably the Department of Justice (DOJ), Department of Homeland Security (DHS), Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and state Attorneys General, among others, identify board involvement in enterprise-wide cybersecurity risk management as a cru- cial factor in companies’ ability to appropriately establish priorities, facilitate adequate resource allocation, and effectively respond to cyberthreats and incidents. As SEC Commissioner Luis A. Aguilar recently noted, “Boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”1 Indeed, even apart from the regulators, aggressive plain- tiffs’ lawyers, and activist shareholders are similarly demanding that boards be held accountable for cyberse- curity. Shareholder derivative actions and activist investor campaigns to oust directors are becoming the norm in high-profi le security breaches. Directors have clearly gotten the message. A survey by the NYSE Governance Services (in partnership with a leading cybersecurity fi rm) found that cybersecurity is discussed at 80% of all board meetings. However, the same survey revealed that only 34% of boards are confi dent about their respective companies’ ability to defend them- selves against a cyberattack. More troubling, a June 2015 study by the National Association of Corporate Directors found that only 11% of respondents believed their boards possessed a high level of understanding of the risks associ- ated with cybersecurity.2 This is a diffi cult position to be in: aware of the magnitude of the risks at hand but struggling
51 ■ CYBER RISK AND THE BOARD OF DIRECTORS
to understand and fi nd solutions to address action or inaction. To maximize their per- and mitigate them. sonal protection, directors must ensure that, In this chapter, we explore the legal obli- if the unthinkable happens and their corpo- gations of boards of directors, the risks that ration falls victim to a cybersecurity disaster, boards face in the current cybersecurity they have already taken the steps necessary landscape, and strategies that boards may to preserve this critical defense to personal consider in mitigating that risk to strengthen liability. the corporation and their standing as dutiful In the realm of cybersecurity, the board of directors. directors has “risk oversight” responsibility: the board does not itself manage cybersecurity I. Obligations of Board Members risks; instead, the board oversees the corpo- rate systems that ensure that management is The term “cybersecurity” generally refers to doing so effectively. Generally, directors will the technical, physical, administrative, and be protected by the business judgment rule organizational safeguards that a corporation and will not be liable for a failure of oversight implements to protect, among other things, unless there is a “sustained or systemic fail- “personal information,”3 trade secrets and ure of the board to exercise oversight—such other intellectual property, the network and as an utter failure to attempt to assure a rea- associated assets, or as applicable, “critical sonable information and reporting system infrastructure.”4 This defi nition alone should exists.” This is known as the Caremark test,5 leave no doubt that a board of directors’ role and there are two recognized ways to fall in protecting the corporation’s “crown jew- short: fi rst, the directors intentionally and els” is essential to maximizing the interests of entirely fail to put any reporting and control the corporation’s shareholders. system in place; or second, if there is a report- Generally, directors owe their corporation ing and control system, the directors refuse to fi duciary duties of good faith, care, and loy- monitor it or fail to act on warnings they alty, as well as a duty to avoid corporate receive from the system. waste.3 The specifi c contours of these duties The risk that directors will face personal are controlled by the laws of the state in liability is especially high where the board which the company is incorporated, but the has not engaged in any oversight of their basic principles apply broadly across most corporations’ cybersecurity risk. This is a jurisdictions (with Delaware corporations rare case, but other risks are more prevalent. law often leading the way). More specifi cal- For example, a director may fail to exercise ly, directors are obligated to discharge their due care if he or she makes a decision to duties in good faith, with the care an ordi- discontinue funding an IT security project narily prudent person would exercise in the without getting any briefi ng about current conduct of his or her own business under cyberthreats the corporation is facing, or similar circumstances, and in a manner that worse, after being advised that termination the director reasonably believes to be in the of the project may expose the company to best interests of the corporation. To encour- serious threats. If an entirely uninformed or age individuals to serve as directors and to reckless decision to de-fund renders the cor- free corporate decision making from judicial poration vulnerable to known or anticipated second-guessing, courts apply the “business risks that lead to a breach, the members of judgment rule.” In short, courts presume the board of directors could be individually that directors have acted in good faith and liable for breaching their Caremark duties. with reasonable care after obtaining all mate- rial information, unless proved otherwise; a II. The Personal Liability Risk to Directors powerful presumption that is diffi cult for plaintiffs to overcome, and has led to dis- Boards of directors face increasing litigation missal of many legal challenges to board risk in connection with their responsibilities
■ 52 THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS
for cybersecurity oversight, particularly in by failing to act in the face of a reasonably the form of shareholder derivative litigation, known cybersecurity threat. Recent cases where shareholders sue for breaches of have included allegations that directors: directors’ fi duciary duties to the corporation. The rise in shareholder derivative suits coin- failed to implement and monitor an cides with a 2013 Supreme Court decision effective cybersecurity program; limiting the viability of class actions that fail failed to protect company assets and to allege a nonspeculative theory of con- business by recklessly disregarding sumer injury resulting from identity theft.6 cyberattack risks and ignoring red fl ags; Because of a lack of success in consumer failed to implement and maintain class actions, plaintiffs’ lawyers have been internal controls to protect customers’ pivoting to shareholder derivative litigation or employees’ personal or fi nancial as another opportunity to profi t from mas- information; sive data breaches. failed to take reasonable steps to timely In the last fi ve years, plaintiffs’ lawyers notify individuals that the company’s have initiated shareholder derivative litiga- information security system had been tion against the directors of four corpora- breached; tions that suffered prominent data breaches: caused or allowed the company to Target Corporation, Wyndham Worldwide disseminate materially false and Corporation, TJX Companies, Inc., and misleading statements to shareholders (in Heartland Payment Systems, Inc. Target, some instances, in company fi lings). Heartland, and TJX each were the victims of signifi cant cyberattacks that resulted in the Board members may not be protected from theft of approximately 110, 130, and 45 million liability by the exculpation clauses in their credit cards, respectively. The Wyndham corporate charters. Although virtually all matter, on the other hand, involved the theft corporate charters exculpate board mem- of only approximately 600,000 customer bers from personal liability to the fullest records; however, unlike the other three extent of the law, Delaware law, for exam- companies, it was Wyndham’s third data ple, prohibits exculpation for breaches of breach in approximately 24 months that got the duty of loyalty, or breaches of the duty the company and its directors in hot water. of good faith involving “intentional mis- The signs point to Home Depot, Inc., being conduct” or “knowing violations of law.” next in line. A Home Depot shareholder As a result, because the Delaware Supreme recently brought suit in Delaware seeking to Court has characterized a Caremark viola- inspect certain corporate books and records. tion as a breach of the duty of loyalty,7 A “books and records demand” is a common exculpation of directors for Caremark predicate for a shareholder derivative action, breaches may be prohibited. In addition, and this particular shareholder has already with the myriad of federal and state laws indicated that the purpose of her request is that touch on privacy and security, directors to determine whether Home Depot’s man- may also lose their immunity based on agement breached fi duciary duties by failing “knowing violations of law.” Given the to adequately secure payment information nature of shareholder allegations in deriva- on its data systems, allegedly leading to the tive litigation, these are important consid- exposure of up to 56 million customers’ pay- erations, and importantly, vary depending ment card information. on the state of incorporation. Although there is some variation in the Directors should also be mindful of stand- derivative claims brought to date, most have ard securities fraud claims that can be focused on two allegations: that the directors brought against companies in the wake of a breached their fi duciary duties by making a data breach. Securities laws generally pro- decision that was ill-advised or negligent, or hibit public companies from making material
53 ■ CYBER RISK AND THE BOARD OF DIRECTORS
statements of fact that are false or mislead- III. Protecting Boards of Directors ing. As companies are being asked more and more questions about data collection and From a litigation perspective, boards of protection practices, directors (and offi cers) directors can best protect themselves from should be careful about statements that are shareholder derivative claims accusing them made regarding the company’s cybersecurity of breaching their fi duciary duties by dili- posture and should focus on tailoring cyber- gently overseeing the company’s cybersecu- security-related risk disclosures in SEC fi l- rity program and thereby laying the founda- ings to address the specifi c threats that the tion for invoking the business judgment company faces. rule. Business judgment rule protection is Cybersecurity disclosures are of keen strengthened by ensuring that board mem- interest to the SEC, among others. Very bers receive periodic briefi ngs on cybersecu- recently, the SEC warned companies to use rity risk and have access to cyber experts care in making disclosures about data secu- whose expertise and experience the board rity and breaches and has launched inquiries members can rely on in making decisions to examine companies’ practices in these about what to do (or not to do) to address areas. The SEC also has begun to demand cybersecurity risks. Most importantly, direc- that directors (and boards) take a more tors cannot recklessly ignore the information active role in cybersecurity risk oversight. they receive, but must ensure that manage- Litigation is not the only risk that direc- ment is acting reasonably in response to tors face. Activist shareholders—who are reported information the board receives also customers/clients of corporations— about risks and vulnerabilities. and proxy advisors are challenging the re- Operationally, a board can exercise its election of directors when they perceive that oversight in a number of ways, including by the board did not do enough to protect the (a) devoting board meeting time to presenta- corporation from a cyberattack. The most tions from management responsible for prominent example took place in connection cybersecurity and discussions on the subject, with Target’s data breach. In May 2014, just to help the board become better acquainted weeks after Target released its CEO, with the company’s cybersecurity posture Institutional Shareholder Services (ISS), a and risk landscape; (b) directing manage- leading proxy advisory fi rm, urged Target ment to implement a cybersecurity plan that shareholders to seek ouster of seven of incentivizes management to comply and Target’s ten directors for “not doing enough holds it accountable for violations or non- to ensure Target’s systems were fortifi ed compliance; (c) monitoring the effectiveness against security threats” and for “failure to of such plan through internal and/or exter- provide suffi cient risk oversight” over nal controls; and (d) allocating adequate cybersecurity. resources to address and remediate identi- Thoughtful, well-planned director fi ed risks. Boards should invest effort in involvement in cybersecurity oversight, as these actions, on a repeated and consistent explained below, is a critical part of a com- basis, and make sure that these actions are prehensive program, including indemnifi ca- clearly documented in board and committee tion and insurance, to protect directors packets, minutes, and reports. against personal liability for breaches. (a) Awareness. Boards should consider Moreover, it can also assist in creating a com- appointing a chief information security pelling narrative that is important in brand offi cer (CISO), or similar offi cer, and and reputation management (as well as liti- meet regularly with that individual gation defense) that the corporation acted and other experts to understand the responsibly and reasonably (or even more company’s risk landscape, threat so) in the face of cybersecurity threats. actors, and strategies to address
■ 54 THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS
that risk. Appointing a CISO has an details of any cybersecurity risk additional benefi t. Reports suggest that management plan should differ from companies that have a dedicated CISO company to company, the CISO and detected more security incidents and management should prepare a plan reported lower average fi nancial losses that includes proactive cybersecurity per incident.8 assessments of the company’s network Boards should also task a committee and systems, builds employee or subcommittee with responsibility awareness of cybersecurity risk and for cybersecurity oversight, and devote requires periodic training, manages time to getting updates and reports engagements with third parties that on cybersecurity from the CISO on are granted access to the company’s a periodic basis. As with audit network and information, builds an committees and accountants, boards incident response plan, and conducts can improve oversight by recruiting simulations or “tabletop” exercises to a board member with aptitude for practice and refi ne that plan. The board the technical issues that cybersecurity should further consider incentivizing presents, and placing that individual on the CISO and management for company the committee/subcommittee tasked compliance with cybersecurity policies with responsibility for cybersecurity and procedures (e.g., bonus allocations oversight. Cybersecurity presentations, for meeting certain benchmarks) and however, need not be overly technical. create mechanisms for holding them Management should use established responsible for noncompliance. analytical risk frameworks, such as the (c) Monitor compliance. With an National Institute for Standards and enterprise-wide cybersecurity risk Technology “Framework for Improving management plan fi rmly in place, Critical Infrastructure Cybersecurity,” boards of directors should direct (usually referred to as the “NIST that management create internal and Cybersecurity Framework”) to assess external controls to ensure compliance and measure the corporation’s current and adherence to that plan. Similar cybersecurity posture. These kinds to internal fi nancial controls, boards of frameworks are critical tools that should direct management to test and have an important role in bridging certify compliance with cybersecurity the communication and expertise gaps policies and procedures. For example, between directors and information assuming that management establishes security professionals and can also a policy that software patches be help translate cybersecurity program installed within 30 days of release, maturity into metrics and relative management would conduct a patch relationship models that directors are audit, confi rm that all patches have accustomed to using to make informed been implemented, and have the decisions about risk. It is principally CISO certify the results. Alternatively, through their use that directors can boards can also retain independent become sufficiently informed to cybersecurity fi rms that could be exercise good business judgment. engaged by the board to conduct an (b) Plan implementation and audit, or validate compliance with enforcement. Boards should require that cybersecurity policies and procedures, management implement an enterprise- just as they would validate fi nancial wide cybersecurity risk management results in a fi nancial audit. plan and align management’s incentives (d) Adequate resource allocation. With to meet those goals. Although the information in hand about what the
55 ■ CYBER RISK AND THE BOARD OF DIRECTORS
company’s cybersecurity risks are, other government-issued identifi cation; and an analysis of its current posture, (c) fi nancial or credit/debit account boards should allocate adequate number plus any security code necessary resources to address those risks so that to access the account; or (d) health or management is appropriately armed medical information. and funded to protect the company. 4. Critical infrastructure refers to systems, assets, or services that are so critical As criminals continue to escalate the cyber- that a cyberattack could cause serious war, boards of directors will increasingly fi nd harm to our way of life. Presidential themselves on the frontlines of regulatory, Policy Directive 21 (PPD-21) identifi es class plaintiff, and shareholder scrutiny. the following 16 critical infrastructure Directors are well-advised to proactively ful- sectors: chemicals, commercial facilities, fi ll their risk oversight functions by driving communications, critical manufacturing, senior management toward a well-developed dams, defense industrial base, emergency and resilient cybersecurity program. In so services, energy, fi nancial services, food doing, board members will not only better and agriculture, government facilities, protect themselves against claims that they healthcare and public health, information failed to discharge their fi duciary duties, but technology, nuclear, transportation, waste, will strengthen their respective organizations’ and wastewater. See Critical Infrastructure ability to detect, respond, and recover from Sectors, Department of Homeland cybersecurity crises. Security, available at http://www.dhs. gov/critical-infrastructure-sector. Endnotes 5. For Delaware corporations, directors’ 1. SEC Commissioner Luis A. Aguilar, compliance with their oversight function Remarks at the N.Y. Stock Exchange, is analyzed under the test set out in In re Boards of Directors, Corporate Governance Caremark Int’l, Inc. Derivative Litig., 698 A.2d and Cyber-Risks: Sharpening the Focus 959 (Del. Ch. 1996). (June 10, 2014). 6. See Clapper v. Amnesty Int’l USA, 133 S. Ct. 2. Press Release, Nat’l Assoc. of Corp. 1138 (2013). Consistent with Clapper, most Dir., Only 11% of Corporate Directors data breach consumer class actions have Say Boards Have High Level of Cyber- been dismissed for lack of “standing”: Risk Understanding (June 22, 2015) the requirement that a plaintiff has https://www.nacdonline.org/AboutUs/ suffered a cognizable injury as a result PressRelease.cfm?ItemNumber=15879. of the defendant’s conduct. That has 3. Personal information is defi ned under a proven challenging for plaintiffs because variety of federal and state laws, as well consumers are generally indemnifi ed as industry guidelines, but is generally by banks against fraudulent charges on understood to refer to data that may be stolen credit cards, and many courts have used to identify a person. For example, rejected generalized claims of injury in the state breach notifi cation laws in the U.S. form of emotional distress or exposure to defi ne personal information, in general, heighted risk of ID theft or fraud. as including fi rst name (or fi rst initial) 7. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). and last name, in combination with 8. Ponemon Inst., 2015 Cost of Data Breach any of the following: (a) social security Study: Global Analysis (May 2015), http:// number; (b) driver’s license number or www-03.ibm.com/security/data-breach/.
■ 56 SecurityRoundtable.org Where cybersecurity meets corporate securities: The SEC’s push to regulate public companies’ cyber defenses and disclosures Fish & Richardson P.C. – Gus P. Coldebella, Principal and Caroline K. Simons, Associate
The risks associated with cyberattacks are a large and growing concern for American companies, no matter the size or the industry. If a company is publicly traded, how- ever, there’s a signifi cant additional impetus for execu- tives’ cyber focus: the ever-increasing attention the U.S. Securities and Exchange Commission (SEC) pays to cybersecurity issues. The SEC, as one of the newest gov- ernment players in the cybersecurity space, is fl exing its regulatory muscles—including by mandating and scruti- nizing cybersecurity risk disclosures, prodding compa- nies to disclose additional information, and launching investigations after a breach comes to light. This chapter explores the SEC’s expanding role as cyber regulator and the growing nexus between cyberse- curity and corporate securities. It gives companies a primer on the background and sources of the SEC’s cyber authority, discusses tricky disclosure and securities regu- lation-related issues, and provides a potential framework for companies to think about whether, how, and when they should publicly disclose cybersecurity risks, and— when the inevitable happens—cyberattacks.
■ The SEC’s authority to regulate cybersecurity Generally, a company’s duty to disclose material infor- mation under U.S. securities laws arises only when a statute or SEC rule requires it, and currently, no existing laws or rules explicitly refer to disclosure of cyber risks or incidents. Even so, the SEC has made it clear that it will use authorities already on the books to promote cybersecurity in public companies. During the SEC’s March 2014 “Cybersecurity Roundtable,” Chairman Mary Jo White said that, although the SEC’s “formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data pro- tection, and disclosure of material information, it is
57 ■ CYBER RISK AND THE BOARD OF DIRECTORS
incumbent on every government agency to ■ Contours of the SEC’s staff guidance be informed on the full range of cybersecu- Taking its cues from Regulation S-K, the rity risks and actively engage to combat Guidance details the key places where cyber- those risks in our respective spheres of security disclosures may appear in a com- responsibility.” In other words—formal pany’s 10-Ks and 10-Qs. The main focuses jurisdiction notwithstanding—the SEC are as follows: will use every tool it has to combat cyber risks. Risk factors. The company’s risk factors To divine the SEC’s position on cyberse- are the central place for cyber disclosure. curity, companies and experienced counsel If cybersecurity is among the most may look to a patchwork of non-binding staff signifi cant factors making investment guidance, SEC offi cials’ speeches, and espe- in the company risky, the risk factor cially staff comment letters on companies’ disclosure should take into account public fi lings. Given that cyber disclosures “all available relevant information” from can have an effect on corporate reputations past attacks, the probability of future and stock price, give would-be attackers attacks occurring, the magnitude of information about vulnerabilities, and trig- the risks—including third-party risk, ger shareholder and other litigation and and the risk of undetected attacks— government investigations, companies and the costs of those risks coming anguish over exactly when, what, and how to pass, including the potential costs much to disclose. To answer these questions, and consequences resulting from it is crucial to understand the background misappropriation of IP assets, corruption and contours of existing requirements and of data, or operational disruption. The the SEC’s expectations. risk factor should also describe relevant insurance coverage. ■ History and background of the SEC’s MD&A. If the costs or other consequences cybersecurity oversight of a cyberattack represent a material In May 2011, Senator Jay Rockefeller sent a trend, demand, or uncertainty “that is letter to then-SEC Chairman Mary Schapiro reasonably likely to have a material effect urging the SEC to “develop and publish on the registrant’s results of operations, interpretive guidance clarifying existing liquidity, or fi nancial condition or would disclosure requirements pertaining to infor- cause reported fi nancial information mation security risk.” Rockefeller, frustrated not to be necessarily indicative of future with Congress’s inability to pass cybersecu- operating results or fi nancial condition,” rity legislation, identifi ed the SEC’s control the company should address cybersecurity over corporate public disclosure as a vehicle risks and cyber incidents in its to promote security in the absence of legisla- Management’s Discussion and Analysis tion. Five months after the Rockefeller letter, of Financial Condition and Results of in October 2011, the Division of Corporation Operations (MD&A). Finance (the “Division”) issued CF Disclosure Description of business. If one or more Guidance: Topic No. 2 (the “Guidance”). Even cyber incidents materially affected the though it’s not an SEC rule itself, the company’s products, services, customer Guidance announced the Division’s view or supplier relationships, or competitive that—”although no existing disclosure conditions, the Guidance suggests requirement explicitly refers to cybersecurity disclosure in the “Description of Business” risks and cyber incidents”—existing SEC section. rules, such as Regulation S-K, “may impose” Legal proceedings. If any litigation arose as obligations to disclose cybersecurity and cyber a result of a cyber incident, the Guidance events in a company’s periodic reporting. suggests disclosure if material.
■ 58 WHERE CYBERSECURITY MEETS CORPORATE SECURITIES