“Cybersecurity risk is now a board-level concern, and how companies both prepare and react – or don’t – can have long-term implications on share value,” Jennifer Peet, corporate governance director for the Office of Oregon Treasurer and the Oregon Public Employees’ Retirement Fund, told IA’s Kaitlyn Mitchell. “Cybersecurity has been a growing concern for several years as a result of a stream of news about data breaches – it keeps shareholders up at night,” she added. Peet is also a board member with the Council of Institutional Investors (CII), a platform for investors to discuss engagement efforts to help bolster shareholder-oriented governance.
Peet’s not alone in her nightmares. Principles for Responsible Investing (PRI) and Acadian Asset Management recently engaged in a collaborative discussion that highlighted cybersecurity as a chief concern among institutions. In fact, the World Economic Forum’s Global Risks Report 2018 cites cyber-attacks as a bigger risk for doing business than terrorist attacks, fiscal crises and climate change. Despite this, just one-third of publicly traded companies have an incident response plan in place, said Asha Mehta, lead portfolio manager & director of responsible investing at Acadian. And nearly 60% did not indicate that their board or a board sub-committee was responsible for cyber security-related issues.
“Cybersecurity is a key investment and governance issue, yet investors are challenged at having active engagements with these companies,” said Mehta. “Most boards are not having the conversation regarding the financial spend of cybersecurity—there are earlier-stage discussions that need to occur first,” she added. “Cybersecurity efforts may be underway, but they are not necessarily happening at the board level,” Mehta said, attributing that claim to the study’s global set of companies, and adding that the degree of preparedness in the U.S. is above the global average.
“New projects can’t be implemented without a cyber security strategy,” observed Melanie Steiner, chief risk officer of PVH Corp. “The biggest risk to cyber security is an internal one that is imposed by employees—every company has this threat, and the biggest threat is an email phishing campaign,” she said. “So many board members have never dealt with this.” Of late, corporate boards have become galvanized around developing a cyber security framework and benchmarks, Steiner said.
The nonprofit National Association of Corporate Directors (NACD) prescribes five key principles for healthy cyber security practices in its Cyber-Risk Oversight Directors Handbook, said Chuck Seets, assurance cybersecurity leader and principal at Ernst & Young LLP.
Below, find all five principles:
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
A way toward improvement
“One of those principles is to leverage existing independent advisors, such as external auditors, who can offer an independent, third-party opinion on the effectiveness of a company’s cyber risk management program,” noted Seets. “Roughly half of public companies have relegated cyber risk to the audit committee.”
“Board directors sometimes think of a cyber security setback as the failure of a sophisticated piece of technology or software, but successful unauthorized cyber-attacks are usually the result of an execution failure of human processes and controls,” continued Seets. “Another potential weak link is the ability for a cyber security intrusion to swim up the supply chain and potentially create a breach for the corporate entity,” he added.
Acadian, an institutional manager with $100 billion in assets under management (AUM), hired the head of the firm’s cyber security, Adam Connell, from Raytheon, where he led a group responsible for cyber operations engineering, Mehta said. “There are clear investment consequences when it comes to cyber threats,” she continued. “Companies we invest in are in the news—the average cost of cyber risk for a U.S.-based company is $13 million,” she added.
The cost of cybercrime for the average U.S. company reached a record $12.7 million in 2014 versus $6.5 million in 2010, according to the Ponemon Institute. Costs averaged $8.1 million for German companies, $6.9 million in Japan, $6.4 million in France and $4 million in Australia. Globally, virtually every industry is affected by cybercrime, with the highest average annualized cost of $13 million experienced by energy & utilities and financial services companies in 2014.
Some solutions at hand
KKR, a private equity company with $195 billion AUM, has invested in artificial intelligence and machine learning to combat cyber threats, said Jonathan Lim, a principal within the private equity team at KKR. “The software we’ve invested in asks what a healthy file should look like, and tests new files against those patterns—threats to an organization have oftentimes not been seen before and this machine-run pattern recognition helps organizations protect against these new unknown threats,” he added. “On average, each company has more than 50 different security tools internally today, all of which send teams alerts and oftentimes do not have context of the entire environment of organizations—it’s a big challenge today for security teams to have a single point of view of their entire organization,” he continued. “While companies that used an all-encompassing tool saw a meaningful reduction in the time it took to triage security alerts, it is enormously complex to set up.” Lim believes that companies need to not only design a robust security architecture, but also to carry out continuous testing that simulates attacks on the organization to ensure that the security systems have been properly set up, configured and maintained.
Board directors often think of a cyber security setback as the result of sophisticated machinery that was inadequate or failed somehow. But, in fact, it is usually due to a failure of human processes and controls, Seets noted. “Another weak link is the ability for a cyber security breach to swim up the supply chain and become a problem for the parent company,” he added.
“Cyber security is not an IT problem alone, it’s also a business problem,” said Jeff Witmyer, senior manager of cyber risk at Grant Thornton. Some major areas of concern for management currently within cyber security include insider threats and emerging technologies, added Witmyer. “Insider threats typically involve privileged personnel with the ability to log in and access the network and systems—incidents involving an insider can be intentional or accidental,” he continued. “Emerging tech like the internet of things (IoT) means that more devices are being connected to networks and as a result the attack surface is becoming larger. With the introduction of more and more devices, the company’s internal IT department may not be aware of everything connected to the network, thus making them difficult to secure. Cyber security leadership should have a direct, unimpeded path up to the board to provide an independent perspective and to present key cyber risks to the business and how the cyber plan aligns with the company’s cyber risk appetite.” Controls and processes related to detection and response need to be at the forefront and balanced with those related to prevention, added Witmyer.
It’s generally assumed in the industry that all companies are going to experience a cyber breach at some point—with the only factor to be possibly controlled being the severity of the attack.