Boards of directors have been working hard to fulfill their risk oversight responsibilities in a challenging environment. Regulations are changing rapidly in most industries, and vary significantly across countries.
Investors, analysts, and the public are demanding greater transparency into risk and risk management, as are creditors, counterparties, and other stakeholders. Many boards legitimately wonder not only what regulators want, but also which approaches to risk oversight actually work.
Deloitte set out to study a specific and very effective risk governance mechanism: board-level risk committees. This report revealed the prevalence of board-level risk committees (whether standalone committees focused solely on risk, or hybrid committees such as audit/risk) based on an analysis of 400 large public companies in eight countries.
In summary, these were some of the findings:
§ Board-level risk committees are well-established and widespread — present in 38% of the 400 companies analyzed. About a quarter (22%) have standalone board-level risk committees, while 16% oversee risk through hybrid board-level committees.
§ As might be expected, board-level risk committees are most prevalent in FSI companies (88%), but are also present in other industries (26%), often to a significant extent, depending on the country.
§ Local regulations affect risk oversight structures. Australia, Brazil, Mexico, Singapore, the UK, and the US have regulations that require risk committees at the board level for FSI companies (sometimes dependent on the type and size of the company).
§ Overall, 62% of all companies analyzed do not have a board-level risk committee. This largely reflects the lack of regulatory requirements for board-level risk committees in non-FSI companies in most countries.
Every week, a new data and security breach seems to be reported that appears to exceed previous breaches and hack in scale. This year we are also seeing different uses for Distributed Denial-of-Service beyond simple volumetric attacks, including what we call quantum attacks.
Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation.
These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.
This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.
If it were to be measured as a country, the facts are; cybercrime which is predicted to inflict damages totaling $6 trillion USD globally in 2021 — would be the world’s third-largest economy after the U.S. and China.
Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year and will be more profitable than the global trade of all major illegal drugs combined.
The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state-sponsored and organized crime gang hacking activities, and a cyberattack surface which will be an order of magnitude greater in 2025 than it is today.
Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data, and systems, and reputational harm.
Some with more complexity in the hack such as the Solar Winds supply chain breach, and others with less complexity, such as the recent global breach of Verkada of over 150,000 security camera data by hacktivists. Once again, the data breach was global in nature and exposed again the security policy and process vulnerabilities these hackers are using to gain access to corporate data via root access.
Industry research has shown that hackers are active in corporate systems for an average of 8 months before they may do something or make themselves known. Over 76% of cyber risk is due to insider risk, involving collusion between hackers and corporate insiders. It is no longer just a “technical” hack.
What is root access? A root administrator or gatekeeper is a superuser account on a computer or network and that has complete control over all aspects of the system or network. The root administrator can access all data, software, configure, delete and change software code in the systems or network.
One of the top risks identified in cybersecurity audits today is a regulatory governance risk. This requires a legal requirement to be audited with respect to IT security, making audit and compliance metrics highly relevant and important.
Some examples include:
Audit and compliance metrics
➢ “Are we ISO-27001-compliant?”
➢ “Do we have a vendor risk management program?”
➢ “Do we have any outstanding high-risk findings open from our last audit or assessment?”
➢ “What percentage of the NIST framework are we implementing?”
➢ The NIST framework has roughly 80 questions associated with it. If a board member asks if you’re doing the NIST framework, you might say, “Today we’re doing 60% of it.”
Operational effectiveness metrics
➢ How many intrusions were detected this year?”
➢ “How quickly are we detecting, investigating and remediating threats?”
➢ “How much have we spent this year?”
➢ “How many vulnerabilities were in our network and how quickly were they fixed?”
➢ “How many compromised systems did we have compared to last year?”
➢ “Has our risk profile changed?”
➢ “How did we compare to our peers across X time span?”
Knowing the best practices on how to present cybersecurity to the board is one thing but without substantive data, you won’t have a very compelling (or helpful) presentation.
The first thing you need to keep in mind regarding metrics is context. Board members likely don’t know what it means if you say that “500,000 intrusions hit the detection system.” You need to focus on being concise with your explanation and show them how the metric impacts the health of the company.
You’ll want to focus on showing metrics over time that the management, or lack of management, processes and policies of root admin passwords. In most cases, these processes are manual at best and there seems to be little appetite to implement additional security technologies that can dramatically reduce this risk.
IT organizations have become more fragmented in nature, especially where there are differing roles for Chief Digital-, Chief Information- and Chief Information Security Officers in organizations, each having responsibility for specific aspects of the overall technology stack of the corporation.
Unless there is a close collaboration between these roles, there will remain gaps in governance of access to data, systems and networks in corporations.
Take into consideration that a corporation is part of a business ecosystem of employees, contractors, 3rd party vendors and their contractors, resellers, partners and customers. All these parties require access to corporate data, systems and networks. The management of access and data security is no longer just contained to the closed “bubble” of a corporation and its employees alone.
The cyber strategy needs to incorporate this more complex supply chain risk and how to manage this across the business ecosystem. This is especially true for management of user access into these systems.
Very few companies have checks on when employees from vendors, 3rd party contractors and partners leave, and need to be off-boarded off the corporate systems. The more manual these processes, the higher the risk that their will be dormant user credentials that hackers can exploit.
Where there is little appetite to spend more money in key IT security systems, the typical practice is to have the risk logged in the corporate’s risk register and key executives, and in some cases the board, to accept and sign off on the risk.
Another approach is to do more “training” in awareness of cyber risk and write more policies, which again is only an internal approach to the corporation and employees alone. Training tends to happen when new employees are onboarded, and perhaps retrained after yearly pen-testing.
Employees tend to step through training, which includes reviewing the policies, and then forget about it as soon as they have received the credits for the training. The more extensive the policies are, the less effective they are in having people follow and implement them.
There still seems to be a lot of complacency at board level in managing the cyber risk, or in some cases, this is non-existent at board level. The main driver is the perspective of an “insurance” approach of cyber risk management.
As long as there is an “insurance” cyber risk mindset believing that a breach has not happened and we will “insure” the risk in case it happens, the corporate will remain at high risk when a breach happens. CISO and/or CIO’s are still missing at the board table, although this is changing. This leaves a gap in poor understanding of cyber governance for the company at board level.
Don’t just leave the Cyber risk management up to the audit committee.
When cyber events happen, how do boards manage the challenges, cost and potential reputational risk?
Key steps boards can take to improve cyber governance, strategy and response to a major cyber event:
● Appoint third-party Cyber advisers as non-executive directors of the board.
● Appoint the CIO and/or CISO as members of the board
● Cybersecurity technology and services investment plan and strategy – ensure there is sufficient budget
● Establish a cyber business response plan
● Have a clear plan in place protecting the well-being and safety of employees
● Employee cyber safety reporting – especially where employees may be threatened and at risk
● Cyber incident and risk reporting as part of the monthly board agenda
Cyber risk can no longer be viewed as an “insurance” type of risk. The stakes are too high. The risk is no longer just relevant to your corporate, it involves managing the cyber risk as it relates to your full supply chain and business ecosystem.
The bottom line is that every board should periodically assess the risk oversight and governance needs of the organization and take whatever steps it deems necessary to address those needs. A board-level risk committee, whether standalone or hybrid, is one effective means of attaining the necessary visibility into risks and risk management and of exercising risk oversight. It is also one that most boards should at least consider
Not long ago, a board of directors would meet once or twice a year to be briefed on cybersecurity, check the box, and move on. Cybersecurity was little more than an afterthought, and mostly a box-checking exercise for compliance or to make sure the bases were covered in the wake of a newsworthy event. With little technical understanding at the board level, many were happy
to simply throw money at the problem and leave it to IT professionals to handle.
The Cyberspace Solarium Commission has an urgent message for the boardroom and C-suite executives: The status quo in cyberspace is unacceptable, which is spelled out in its groundbreaking 2020 Report which proposes a strategy of layered cyber deterrence to protect all U.S. businesses and governments from cybercrime and cyberwarfare.
Finally, We can all agree over the course of 2020, global cyber threats have continued to evolve at speed, resulting in a dramatic reshaping of the cybersecurity landscape. Traditional threats such as generic Trojans, ransomware and spambots were transformed.
Every company should have a CISO or cybersecurity expert on their board because cybercrime is the greatest risk to business continuity that every company faces.
Cyber should be at the center of business strategy – not technical strategy only.
The idea that we are describing, is to put a senior cyber executive in the boardroom who will wave the red flag and challenge the severity of the risk and have the main and operational board pay attention to the severity of risks. No longer can you rely upon or expect the CEO to be carrying the competency of cyber risk to the business, but to have the inclusion of Cyber experts and make better decisions on business risk, absolutely.
The question is not whether you will be attacked. The case may be that you have already been attacked or witnessed a vulnerability breach without your prior knowledge. It is when, by what, and how badly your company’s reputation or finances will be damaged. And one thing is sure in the uncertain world of cybersecurity – the wrong time to consider defence is after the attack has occurred.
James Brien Comey Jr, an American lawyer who was the 7th director of the Federal Bureau of Investigation (FBI) famously once said: “We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.“
This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:
MARIA PIENAAR CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.
Being a master networker, she extracts strategic value through tapping latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).
Prior she was CIO at Cell C, a challenger mobile carrier, and prior held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSC in engineering.
Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.
With more than 30 years’ experience in international business and management. He is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.
Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.
He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across; ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programmes for the British Government, Citibank, Kaspersky, BT and Barclays among others.