CyberBreach Situation Report – April
By MacDonnell Ulsch, CEO & Chief Analyst
Executive Risk Councils Vital to Managing Cyber Risk
Cyber-attack impact is variable—and virtually assured. Fail to adequately safeguard information and the pain is quickly felt: regulatory scrutiny, fines, civil and even criminal litigation, loss of market value, loss of customer base, loss of market dominance, loss of reputation, and on and on. The list is long, and each item on it can be costly.
What to do about it? Here is one recommendation: build an Executive Risk Council. If one already exists, make sure it is optimized for peak risk management performance. An Executive Risk Council is not a silver bullet for cyber-defense, but it does have significant value.
It brings together affected parties. For too long, security has been perceived as either an issue of guards, gates, and guns, or as an IT issue. While it is both, it is also more than that. Look at the impact of a breach, and it becomes obvious who should be involved in an Executive Risk Council. Although companies and situations vary, here is an outline of who should be included.
Legal Officer. The breach footprint is large. A breach, first and foremost, becomes a legal issue. The legal challenge involves regulatory considerations, breach of contracts, civil litigation and even criminal prosecutions. So it is vital to include a legal representative. For smaller companies, especially those without in-house counsel, consider working with an external legal resource, one with knowledge of information management and risk.
Risk Officer. Some companies have a chief risk officer, but many don’t. In the absence of a senior-level risk officer, the chief financial officer often serves in the role of the chief risk officer. Every breach results in a cost to the company—that’s a post-breach consideration. It is also important to have the CFO on the Council because that officer can be influential in making budget available for preventative measures.
Security. This is obvious, but not entirely so. Companies often get this wrong. Information security must comprise three very specific components: (1) physical security, (2) technical or logical security, and (3) administrative security. The regulators make reference to these aspects of security, and each should receive equal weight. In many companies, there is a wide gulf between physical security on one side and technical and administrative security on the other. This is a weakness that increases the likelihood of breach success, particularly when an intrusion involves physical penetration of the target company.
IT. Information Technology infrastructure is vital to the Council because nearly every activity the company engages in involves a computer, a tablet, a smart phone, the network, the Internet, servers, etc. IT touches everything.
Information and Records Management. While many organizations are transitioning to paperless records, many are not. Most environments currently are a mix of paper and electronic records. This magnifies the risk. Include the chief information officer (CIO) or records management executive in the Council.
BCP/DR. Business Continuity Planning and Disaster Recovery are critical to the Council. The absence of this representation on the Council may result in increased risk impact. BCP/DR should include issues such as workplace violence, terrorist attack, natural disasters, utility outages and other factors.
Marketing and Sales. Marketing and sales are often left out of risk councils, but it is important to remember that they are intimately tied to the company’s reputation. In the event of a breach, it is necessary to address this issue with customers.
Human Resources. Get the entire employee base onboard with the security message. HR is often the organization that has the greatest reach to all employees, from onboarding to exit interviews. HR needs to be part of the solution to risk impact management and prevention, as well.
Privacy. Make sure that a professional with the responsibility of monitoring information use and maintaining information privacy is in the Council. Also, remember that privacy includes not only personal information, but intellectual property and trade secrets.
Internal Audit. A representative from internal audit will add substantial value, making certain that the internal audit plan covers the full scope and dimension of the risk. Internal audit also has a direct line to the audit committee of the board of directors.
Corporate Communications. Developing a media response plan before a breach is fundamental and should be part of every company’s corporate governance initiative. If perception is reality, then perception should not be left for others to define, lest that become the reality.
Alliance Management. Strategic alliance and joint venture partner relationships are at risk in the event of an inadequately managed breach. Having an alliance management executive participate in the Council allows for proper messaging (working with corporate communications) to the various companies that may have skin (and risk) in the breach.
Compliance. A compliance representative is critical, particularly if the breach involves PII (personally identifiable information) or PHI (protected health information). Depending on the size of the company, compliance may be part of the legal office. If not, someone from compliance will be able to convey to the Council the regulatory requirements associated with managing data and what to do in the event of a breach.
Executive Sponsor. The more senior the title, the better, at least in most cases. For smaller organizations, it may be the CEO. But whether it is the Director of Internal Audit, General Counsel, or CFO, the executive sponsor has direct access to the board and to the executive management team. An Executive Sponsor can be invaluable for budgetary approvals. Because of exposure to the content in the Council, the Executive Sponsor, as well as each participating member, will have a strong understanding of the need to prevent breaches and reduce the impact of one should it occur.
The goal of the Council is to reduce to the lowest degree possible the impact of a breach. The Council needs to understand the fundamentals of cyber-threats, and how to defend against legal, financial, regulatory, and reputation risk.
This includes recognizing risk impact. It forces the team to confront potential loss associated with a cyber-breach. Impact potential includes loss of market share, sales, company value, market positioning and dominance, customer and alliance concerns, investor confidence, and even insurability.
Again, the Council is no silver bullet against information compromise, but it is a good starting point for building the appropriate level of awareness and sense of urgency where it counts.
All companies targeted by cyber-attacks face one great commonality: compromise of reputation—reputation risk. Position the Council to “think post-breach” and “act pre-breach.” An effective Executive Risk Council can help reduce the impact of a potentially devastating cyber-attack and maintain that ever-important bond of trust, which defines reputation.