September 12, 2019

Cyber Risk Management and the Board of Directors

Cyber security scenario evolution

An evolving cyber security scenario is forcing corporations to manage cyber risk in a more comprehensive and holistic way. This evolution comes amid an increasing use of, and reliance on, new digital technologies (e.g. blockchain), architectures (e.g. cloud) and third parties, together with the challenge of effectively and efficiently detecting and responding to complex and sophisticated cyber-attacks.

New regulations are focusing on cyber risk management and the Board of Directors’ ability to make the right decisions to mitigate cyber risk. Recently the European Banking Authority (EBA) issued its “Guidelines on IT & Security Risk Management” to set out how financial institutions should manage ICT risks: strengthening governance and defining the appropriate controls to mitigate the business impact of the identified risks on company information.

The United States Congress issued S.592, the “Cyber security Disclosure Act of 2019”, early in 2019, requiring cyber security transparency for publicly traded companies and focusing on cyber security experience or expertise within the governing body. Under the bill, companies must disclose their cyber security status to the governing body in their annual report.

Partial risk management

Traditionally, cyber risk management has been the responsibility of the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO), without involvement of the wider business. Because cyber security governance is not clearly defined, there is often no separation of roles and responsibilities between cyber security and IT.

The CISO usually approaches cyber security risk by analysing the threat scenarios and assessing the security controls that mitigate those threats. The target security posture is set as a value defined in the security framework in use (e.g. a goal of moving from level 2 to level 3 of the NIST Cyber security Framework).

In an example like this, the reduction of risk is typically not evaluated, and the Board of Directors does not know what the financial, reputational and compliance impact could be compared with the company risk appetite the Board has defined. So what the Board usually receives from the CIO/CISO is a partial, non-business view of the company’s current cyber security status, without any business risk justification for the cyber security investments defined in a multi-year program.

What are the key factors to consider for effective cyber risk management?

  • Interconnection - The interconnection between the CISO, top management and the Board is essential.
  • Governance - Cyber governance should include all the business stakeholders: Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Compliance Officer, Chief Operating Officer, Chief People Officer, Chief Information Officer, and the Chief Information Security Officer. External providers should also be taken into consideration.
  • Defining risk - The Board of Directors is responsible for defining the company risk appetite and should ask for a multi-year cyber security program derived from the evaluation of the cyber risk for each of the company’s essential business information assets.
  • Mitigating risk - The cyber program should mitigate the cyber risk to below the company risk appetite, and the related investments are justified by the reduction of risk.
  • Evaluating impact - Business information owners are responsible for evaluating the business impacts (financial, reputational, compliance) in case of a loss of information confidentiality, integrity or availability.
  • Defining responsibilities - A cyber security function should be clearly defined, with a separation of roles and responsibilities between the CISO department (responsible for governance, design/engineering, operations) and IT (responsible for solution implementation). The responsibility of the CISO is to define the countermeasures (technical, organisational, process) needed to mitigate cyber risks (the impact and/or likelihood of a threat). Similarly, IT’s responsibility is to implement the technical countermeasures.
  • Board representation - To have an active role in cyber risk management and to challenge the CISO if needed, the Board should appoint someone with cyber expertise. A periodic Cyber Steering Committee should help the Board and Top Management maintain a clear view of the current cyber risk, the status of the program to mitigate it and any issues encountered in delivering the program.

A&M Cyber Security Services

A&M helps Boards of Directors and Top Management to understand, evaluate and effectively manage cyber risks, in order to justify cyber security investments by the reduction of the related business risk to below the company risk appetite.

  • Cyber Security Analysis
    • Quick Cyber Maturity Assessment
    • Cyber Risk evaluation and Program Definition
    • Cyber Organisation and Skill Assessment
  • Cyber Program Execution
    • Shadow management or interim roles (e.g. CISO) to implement and govern the cyber strategy, the related program and the target cyber organisation
  • Cyber Steering Committee
    • Advising CxOs about Cyber Risk status on a regular basis
    • Helping CIO/CISO to present the relevant cyber data to the business
  • Cyber Incident Response & Investigation
    • Cyber Crisis Management
    • Cyber Incident Root-cause investigation
    • Cyber Incident Recovery
    • Interim Management Roles

If you have any questions about A&M’s Cyber Security Services, please get in touch.
