Sunday, January 5, 2014

Cybercrime’s bottom line: $500 billion

(Editor's note: In this guest essay, Deloitte consultants Eric Openshaw and Irfan Saif assemble the best available estimates for the economic clout of the cybercrime industry.)

No one knows the true cost of cybercrime. Annual loss estimates for U.S. corporations range from $70-140 billion in a recent report from the Center for Strategic and International Studies (CSIS) to $400 billion quoted by U.S. House of Representatives Intelligence Committee leaders who introduced the Rogers-Ruppersberger Cybersecurity Bill.

The CSIS report put global costs at up to $500 billion, while U.S. NSA Director General Keith Alexander calls cyber theft of intellectual property "the greatest transfer of wealth in human history."


Numbers like these, and news stories about airline reservation system outages or industry-specific hacking to steal solar panel designs, blur the line between risk and theft. They also put directors and senior executives on notice: doing business in a digital world carries new and very different types of risks.

Awareness is a vital first step of strong corporate governance. Safeguarding a company's digital assets, however, also requires timely action. Unfortunately, recent findings indicate C-level executives aren't taking serious action on cyber security, despite greater awareness.


Furthermore, as the threat and usage landscapes evolve, cyber risk isn't just about security; companies also risk not being positioned for the opportunities and disruptions that arise through digital technology. Understanding the implications of cyber well enough to monitor and challenge management on its plans requires more detailed analysis than boards will get from periodically inquiring into the organization's security status.

Managing cyber risks and opportunities starts with recognizing and understanding the importance of digital assets. Directors can lead by creating a board cyber chair to oversee management activities on cyber; and ensuring that the appropriate senior management is focused on cyber.

Boards already spend significant time on financial operations, risk and compliance issues. While financial risk is important, cyber risk also poses a real threat to company performance and survival. Across sectors, most companies today are technology-driven, and therefore vulnerable.

The Board has a responsibility to ensure that management protects the value of the company's digital assets - including data, information, applications, and networks that exist within the company walls, extended out through suppliers, vendors and other partners, and residing in employees' mobile devices - for the shareholders of the organization.

A global survey by Carnegie Mellon's CyLab indicates that boards are beginning to respond: 48 percent have a risk committee - separate from the audit committee - to oversee activities around enterprise risks versus 8 percent in 2008. And, 81 percent of those risk committees oversee both privacy and security.

In a 2013 survey of boards, "Cyber Security/IT" and "Reputation" were the top-ranked non-financial risk management concerns for public companies.

Yet the fact that many boards lack specific means to provide oversight for cyber is telling. The Carnegie Mellon CyLab survey revealed that, among issues actively addressed by the board, the lowest priority were IT operations (29 percent), computer and information security (33 percent), and vendor management (13 percent), just as they were in 2008.

Given what we know about the technology-dependent, partner-dependent nature of business today, the continued lack of attention to IT, cyber security, and vendors reflects that many boards and officers are not making the connection between cyber risk and enterprise risk.

Risks too great to ignore

The potential impacts of failing to manage cyber risks include theft of "crown jewel" intellectual property (IP) and trade secrets; damage to reputation and financial liability from customer data compromise; lost revenues and damage to reputation from denial of service (DoS) attacks; regulatory and legal ramifications from mishandling personal data; other business continuity impacts as a result of attack, virus, weather, or accident; and obsolescence, lack of competitiveness, or inability to support new product and service models from inadequate planning for digital disruption.

A security manager, alone - even a risk officer - is no match for the increasing frequency and scale of cyber events without additional support. Risks that extend across the business into every function, region and partner warrant board-level leadership. As such, the cyber chair's responsibilities might include: heading a cyber subcommittee, understanding the overall cyber risk landscape and holistic protections (from policies to technology to cyber insurance), and probing on the organization's cyber posture.

The cyber chair might also monitor management's data protection practices and its risk and incident management practices, and guide management in documenting cyber activities so that they could be disclosed to bodies such as the Securities and Exchange Commission.

Boards should also consider the appropriate C-level staffing and reporting structure. For example, managing privacy compliance and internal controls requires different expertise than managing the technical aspects of security, and the two belong with separate corporate officers.

Cyber risk will increase; board attention must as well. John Seely Brown, former chief scientist at Xerox who serves on multiple boards, frames the need for stronger governance and executive attention like this: "We can't underestimate the technical sophistication and increasing intensity of cyber-attacks on our enterprises. This is a new game. We need a new plan both inside and outside of the corporation."

As regulatory agencies ramp up pressure, boards may not have a choice but to focus more on cyber. For example, the SEC clarified guidance in 2011 requiring public companies to disclose the risk of cyber incidents that materially affect products, services, relationships, or competitive conditions, or make investment in the company speculative.

In February 2013, President Obama's executive order laid out a plan to strengthen the national posture on cyber security, public and private, through information-sharing and standards. Then in August 2013, the Administration proposed incentives, including grants, insurance, and rate-recovery, to encourage owners of "critical infrastructure" (utility and transportation networks) to adopt practices laid out in the Cybersecurity Framework expected in early 2014.

We encourage public companies to initiate board-level exploration of how best to achieve a level of proactive cyber-governance and -management commensurate with the pervasiveness of cyber assets in business today. The appropriate scope, or even existence, of a digital risk/cyber chair is an open question, one that may well vary by industry and among companies within an industry.

Some may find that increased education and attention from the risk committee is sufficient. Others may require a committee or subcommittee dedicated to cyber oversight. In the near-term, boards might consider upgrading the risk committee to include individuals with cyber expertise and evaluating whether the management structure is aligned with protecting cyber assets.

IT and security expertise will be increasingly important in directors, but boards shouldn't overlook external resources, including macro-level intelligence briefings, cybersecurity experts, and even key partners and customers, to provide guidance.

In calling for increased attention to cyber risk at senior levels, we hope to open a debate. What do you think? Is a cyber chair crucial for helping management navigate the operational realities of cyber today and tomorrow? What is the proper level of board oversight in an increasingly digital world?

About the authors: Eric Openshaw is a director with Deloitte Services LP and also a vice chairman and the US Technology, Media & Telecommunications leader for Deloitte LLP and Irfan Saif is a principal and the US Technology, Media & Telecommunications Security & Privacy practice leader, Deloitte & Touche LLP.
