March 21, 2014 at 1:06 a.m.
The Internet is revolutionizing the way business is being done, giving people new ways to connect and driving economic growth. The benefits that accompany this increased reliance on cyberspace seem almost endless and, as is the case with most change, these new opportunities also bring new threats.
Over recent months many global organizations have been victims of cyber attacks, resulting in investors, governments and regulators increasingly challenging board members to actively demonstrate diligence in this area.
However, changing work practices and technological advances such as remote network access and mobile technology and the increasing move toward cloud computing have only increased the potential for criminal activity.
Network intrusions conducted by organized cyber criminals are an obvious concern as they have the potential to result in large-scale theft, major incidents of fraud, and huge financial losses for the targeted organization. However, technology has made it possible for crimes of opportunity conducted from within to potentially have equally devastating results, as we saw with the leak of 130,000 employee records by a disgruntled employee of a major UK retailer last week.
Investors
Investors expect companies to manage the reputational risks they face, and regulators expect sensitive data to be protected and systems to be resilient to both accidents and deliberate attacks. With this in mind, an integrated approach to people, process, and technology when dealing with cyber risks has never been more important.
Fortunately, help is at hand, and in response to this growing concern over cybersecurity, governments around the world are providing guidance to help address this very real threat. A recent example is the Presidential Policy Directive enacted by President Obama regarding critical infrastructure security and resilience, which resulted in the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014. Organizations can use the new Framework to determine their current level of cybersecurity, set goals for cybersecurity and establish a plan for improving or maintaining their cybersecurity.
Regardless of the size of an organization, cybersecurity has become an important topic of discussion at board level. For boards, cybersecurity generates questions such as:
• What are the implications of a cyber attack for the organization?
• What should the organization do if such an attack was to occur? Is the organization prepared?
• What types of losses could be incurred? What is the scale?
• How can the organization be more proactive, focused and preventative?
There are a number of potential consequences and implications that boards need to consider, including:
• Intellectual property losses, including patented and trademarked material, client lists and commercially sensitive data;
• Penalties, which may take the form of legal action or regulatory fines. These may include customer data privacy breaches and contractual compensation for delays;
• Reputational loss causing market value to decline; loss of goodwill and confidence by customers and suppliers; and
• Resources that need to be committed in responding to and remediating a cybersecurity incident, limiting reputational damage, and supporting regulatory authorities during an investigation.
To gain assurance that cyber risk is being managed, board members need to be able to answer the right questions:
• Does my organization meet all of its obligations for information assurance?
• Is data secure in my organization?
• Do we understand the threats that the organization faces?
• Do we fully understand our current vulnerabilities?
• Do any of our supply chain partners put us at risk?
• Do we meet the information security requirements to bid for preferred contracts?
• Are our competitors ahead of us? If so, does this give them an advantage?
• Does the management team know what to do if the organization is attacked? Can they answer questions such as:
  • Can we identify cyber attacks in a timely manner?
  • What should our response be?
  • How effective has our response been?
  • Are there any cyber attack patterns that can be identified that make our information and assets more vulnerable at certain times?
  • Who should we be sharing threat intelligence with and how? How do we establish an effective security operation centre?
Focusing on these questions at the board and executive management level helps raise awareness, and incorporating them into the enterprise risk strategy is critical. By doing so, leaders can quickly start to identify gaps in the current cybersecurity strategy and encourage an organization-wide approach to countering cybersecurity threats.
Organizations wishing to find out more about how they can manage the risks associated with cybersecurity can contact the author at +1 (441) 294 2680.
Fred Oberholzer is a senior manager in KPMG’s Advisory team, responsible for KPMG in Bermuda’s Cybersecurity service offering.