Technology Risk E-Book
Audit | Tax | Advisory | Risk | Performance
Cybersecurityin the Boardroom
A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies
n Six Critical Questions to Assess Cybersecurity Readiness
n Ten Principles of Corporate Governance for Management and the Board
n Five Steps to Establish and Maintain a Cybersecurity Road Map
n Plus: Seven Crowe Insights to Share on LinkedIn
Cybersecurity in the Boardroom
2www.crowehorwath.com
Boards of directors have extremely limited capacity for
taking on new areas of oversight. Given that constraint,
it is noteworthy that cybersecurity has escalated to
a board-level concern and could become one of the
decade’s major corporate governance trends.
Company executives and top management used
to be responsible for meeting the ongoing strategic
challenges in their industries. For example, being an
oil executive was sufficient experience for running an
oil company, being a retail executive was sufficient for
running a retail firm, and so on.
The demands on management have changed with the
times. The digital age has brought about a convergence
such that no matter the industry, executives now
struggle with a set of common concerns related to
technology strategy and information security. Across
widespread, globalized supply chains, organizations
are diversifying beyond property, plant, and equipment
to acquire assets consisting of information, algorithms,
and talent. This digital convergence opens profitable
opportunities and markets but brings with it additional
risks and exposures.
CEOs and other high-level executives need a starting
point for understanding and responding to growing
board-level concerns about cybersecurity. To help
with this objective, Crowe Horwath LLP examines
why the subject has escalated to the board level and
how executives should guide their board members in
thinking about cybersecurity issues.
IntroductionCybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends.
Crowe Insight Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
Cybersecurity in the Boardroom
3www.crowehorwath.com
Cybersecurity Readiness: Is Your Organization Prepared?
According to The Institute of Internal Auditors Research Foundation (IIARF), the
critical questions to consider when assessing the cybersecurity readiness of a
board of directors are1:
n Does the organization use a security framework?
n What are the top five risks the organization has related to cybersecurity?
n How are employees made aware of their roles related to cybersecurity?
n Are external and internal threats considered when planning cybersecurity
program activities?
n How is security governance managed in the organization?
n In the event of a serious breach, does management have a robust
response protocol?
Cybersecurity Escalates to the Board Level
Cybersecurity in the Boardroom
5www.crowehorwath.com
Executives have become acutely aware of their
personal stakes in facilitating adequate cybersecurity
by preventing incidents and responding to data
breaches in an appropriate manner. Their jobs are on
the line. Yet the decades of industry experience that
make someone a great leader in his or her industry
might not foster the knowledge or relationships
needed to respond to a major cybersecurity threat.
In addition to the financial damage that ensues,
a data breach causes significant exposure to
reputational risk. An apt illustration is the recent
Sony Entertainment Inc. hack in which executives’
reputations appeared to be among the attack’s
principal targets.2 In such a case, with management
having to deal with matters of national security, the
board’s input and participation become essential.
The list of companies beset by data breaches in recent
years includes some of the marketplace’s highest-
profile brands across a broad spectrum of industries,
including The Home Depot Inc.3 and Target Corp.4 in
retail; Domino’s Pizza5 and P.F. Chang’s China Bistro
Inc.6 in restaurants; JPMorgan Chase & Co.7 in banking;
and Adobe Systems Inc.,8 Apple Inc.,9 and eBay Inc.10 in
the technology sector. Even being a relatively low-profile
organization provides no assurance of safety, as seen by
breaches at the Montana Department of Public Health
and Human Services,11 Community Health Systems
Inc.,12 and Goodwill Industries International Inc.13
In fact, data breaches have become extremely
common, with an estimated 43 percent of companies
experiencing one in the past year.14 In 2014, just
counting those confirmed by media sources or subject
to notification through state governmental agencies,
there were a record-high 783 data breaches in the
U.S.,15 which, due to patchwork reporting regulation and
systemic underreporting, understates the problem.
Yet not all data breaches are motivated by criminal
gain or malicious intent. For most, some sort of glitch
or human error is the cause.16 In fact, employee
negligence plays a role in more than 80 percent
of breaches, whether as the sole cause or acting
as a contributing factor to a cyberattack.17 Human
errors take the forms of misconfiguration, a lack
of patching, and “social engineering” in which an
Crowe Insight The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
Cybersecurity in the Boardroom
6www.crowehorwath.com
attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out-of-date credentials.
A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.18
In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies:
n Technical remediation involving internal IT and external consultants
n Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug
n Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes
n Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries
As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats.
Data breaches cost an average of $145 per record lost.
Assessing Responsibilities for Cybersecurity
Cybersecurity in the Boardroom
8www.crowehorwath.com
Crowe Insight Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans.
Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.
Despite cybersecurity’s immense challenge, the
general principles of corporate governance remain
intact. In dividing the responsibility, management has
full charge for executing the specific steps required to
mitigate risk while the board of directors acts largely in
an oversight and advisory role.
Principal responsibilities for management:
1. Perform a cybersecurity assessment. The
Crowe approach, which combines input from
the leading industry frameworks with Crowe
professionals’ extensive experience, provides
a highly practical, comprehensive approach to
assessing cybersecurity risks, exposures, and
vulnerabilities. Cybersecurity assessments include
the following steps:
n Identify critical data.
n Map data stores and flows.
n Perform a controls risk analysis.
n Rate the maturity of security controls.
n Build short- and long-term remediation plans.
2. Perform an ecosystem assessment. Verify
that vendors and outsourcing providers also have
adequate cybersecurity controls.
3. Facilitate global review. Evaluate data
protection laws and breach disclosure
requirements in each country or state in which
the organization does business.
4. Follow frameworks. Meet the appropriate
requirements of the NIST cybersecurity framework,
ISO 27001 standards, and industry-specific
frameworks and/or standards – for example, PCI
for retailers, SEC for public companies and financial
regulators. Efforts taken to meet the requirements
of multiple security frameworks and/or standards
can be rationalized using the Unified Compliance
Framework, a tool that includes a regulations
database for centralized compliance.
5. Form a mitigation plan. Establish an internal risk
management framework supported with adequate
staffing and a budget for achieving compliance.
Cybersecurity in the Boardroom
9www.crowehorwath.com
Principal responsibilities for the board
of directors19:
1. Revise the agenda. Cybersecurity once was
viewed as an IT issue, but given cyberattacks’
present frequency and intensity, the topic now
is considered an enterprisewide, operational risk
management issue to be monitored closely by
the board.
2. Facilitate legal review. Depending on the region
and industry, cybersecurity will have varying legal
implications pertaining to board responsibilities,
and these implications should be reviewed by
counsel and monitored for changes.
3. Enhance expertise. The challenge’s technical
nature requires boards to have access to
cybersecurity expertise, through either the election of
specialists in the field or use of external consultants.
4. Set expectations. In addition to or in conjunction
with existing goals and responsibilities, management
should be monitored, measured, and compensated
based on its ability to establish and enforce an
enterprisewide risk management framework that
can lower the risk of cybersecurity breaches.
5. Maintain frameworks. The adoption of a
cybersecurity framework is not a one-time affair;
rather, security frameworks are meant to evolve
based on threat levels, risk appetites, industry
profiles, and available capabilities in terms of
technical, financial, and organizational resources.
The board needs to set the parameters of
frameworks’ evolution.
Crowe Insight Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
The Board of Directors: Achieving Cybersecurity Excellence
Cybersecurity in the Boardroom
11www.crowehorwath.com
Crowe Insight Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right.
In meeting these responsibilities, a board of directors
should take steps to provide effective oversight of
cybersecurity risk mitigation along with sound advice
to executive management.
Learn from recent breaches and breach
attempts. Every cybersecurity-related incident,
whether or not it causes damage, offers a valuable
opportunity to evaluate what went wrong and right.
n If the organization has been affected by a
breach, ask, “How did we react? What did we
tell our customers?”
n If not affected, ask, “What prevented the
breach? What would have happened if we had
been breached?”
Stress test the incident response plan. Similar to
a disaster recovery plan, the specifics of an incident
response plan have to be carefully planned and tested.
n Board members should understand their
personal roles in the response plan and have
access to resources to fulfill their responsibilities
as outlined in the plan.
n Board members should be aware of the expected
reactions to a breach from regulators, law
enforcement, customers, and other stakeholders.
n Following an attack on the company or broader
industry, the board should convene to review the
company’s response.
Cybersecurity in the Boardroom
12www.crowehorwath.com
Perform an independent cybersecurity
assessment. For a cybersecurity assessment,
as with any other type of evaluation, the board of
directors should not rely entirely on information
from management to assess its own performance.
Accordingly, it is essential to receive an independent
evaluation of how the organization is meeting the
requirements of the various cybersecurity frameworks.
An effective, independent cybersecurity assessment
will evaluate:
n Qualifications and capabilities of the
cybersecurity team
n The state of the organization’s IT
and cybergovernance
n Reporting relationships among the CEO, CIO,
chief information security officer, chief audit
executive, and other relevant executives
n Preventive controls and security
awareness training
n Other organizations in the industry or
organizations of similar size in other industries
Establish and maintain a cybersecurity
road map. Much like a technology road map, a
cybersecurity road map provides a consensus-driven
framework for achieving realistic short- and long-
term objectives. A cybersecurity road map not only
defines the extent to which an organization intends
to protect itself against data breaches but moderates
risk tolerances in different areas to employ the optimal
alignment of people, processes, and technology.
A cybersecurity road map should include the
following elements:
n Annual health checks. Establish the capability
to review the performance of the cybersecurity
response team through interviews and
independent data reviews.
n Year-by-year milestones. Set expectations for
annual improvements in incident rate, incident
response time, employee training hours, and levels
of compliance with cybersecurity frameworks.
43% of companies experienced a data breach in the past year.
Cybersecurity in the Boardroom
13www.crowehorwath.com
Crowe Insight Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks.
n Risk tolerances. For each type of risk faced
by an organization, identify the risk tolerance –
which risks to avoid, which to accept, which to
mitigate through an operational response, and
which to transfer through insurance.
n Cybersecurity insurance. Insurance’s cost is
expected to vary greatly in coming years. Price
increases will be affected by the threat level
and virulence of attack vectors, with decreases
driven by the extent to which technology
solutions succeed at improving cybersecurity’s
efficacy. Given the attention and investment in
the cybersecurity sector, as well as interest in
the category by the insurance industry, it’s quite
possible or even likely that an organization that
currently self-insures against cybersecurity risks
will find cybersecurity insurance a much more
attractive proposition in the years to come. The
board of directors should have a sense of the right
price for coverage at the organization and, based
on a set of planning assumptions, incorporate
those expectations into the road map.
n Long-term remediation plans. The
cybersecurity road map and the broader
technology road map can converge to rework
business processes with the aim of reducing
exposure to cybersecurity threats. Given that
the human element in the form of employee
negligence plays a contributing role in the
majority of data breaches, it follows that an
approach that supplements human labor with
artificial intelligence potentially would reduce the
overall risk of operations from a cybersecurity
standpoint. These and other long-term
considerations should be incorporated into the
cybersecurity road map for annual review.
Looking Ahead
Cybersecurity in the Boardroom
15www.crowehorwath.com
In the next several years, boards of directors have
the opportunity to play an important role in the global
economy by guiding organizations through the present
phase of challenging cybersecurity threats. Even as
technology enables powerful new business models
that still are being explored, IT infrastructures remain
relatively immature from a cybersecurity perspective.
Until the security model catches up with the business
model, organizations will be exposed to malicious and
criminal actions.
Through their cross-industry exposure, high-level
perspective, and influence, board members can guide
management toward proper cybersecurity planning
and mitigation, quickening the process of adaptation
to the present threat environment.
Given the participation of well-funded adversaries,
it’s unlikely the cybersecurity threat ever will go away.
But it’s certainly within the grasp of any organization
to stop making simple mistakes, improve overall
awareness, and establish a solid course toward a safer
computing environment that’s ready to do business in
the 21st century.
Crowe Insight Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly.
Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
Cybersecurity in the Boardroom
16www.crowehorwath.com
1 Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15.2 “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/a799e8a0-809c-11e4-8882-03cf08410beb_story.html3 “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained4 “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch.com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen-including-names-emails-and-phones5 “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos-pizza-ransom-hack-data6 “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs7 “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=08 “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-adobe-hack-surface-online9 “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple-developer-site-hacked
10 “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles.chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares-ebay-users-u-s-company11 “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www.informationweek.com/healthcare/security-and-privacy/montana-health-department-hacked/d/d-id/127887212 Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity-idUSKBN0GI16N2014081813 “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months14 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/1610619715 “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html16 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf17 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/1610619718 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf19 Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www.theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-download-pdf-1852.cfm
Sources
www.crowehorwath.com
Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public accounting and consulting firms
in the United States. Under its core purpose of “Building Value with Values®,” Crowe uses its deep industry
expertise to provide audit services to public and private entities while also helping clients reach their goals
with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with
more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places
to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of
the largest global accounting networks in the world, consisting of more than 150 independent accounting and
advisory services firms in more than 100 countries around the world.
Crowe Horwath LLP, The Unique Alternative®
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2015 Crowe Horwath LLP RISK15376
Contact Information
For more information, contact Raj Chaudhary at
312.899.7008 or [email protected].
Top Related