Cyber risk is expanding in scale, scope, severity and source, landing near the top of most boards’ risk profiles. Catherine Evans, National Cyber Practice Leader, led a recent Women Get On Board session exploring the new realities of cyber risk for board members. Key learnings include:
1. The Internet of Things
The astronomical rise in connectivity will fundamentally change the nature of cyber risk. By 2020, there will be an estimated 50 billion connected devices (a widely cited forecast that later estimates have revised downward, though the trend is not in doubt). Each of those devices is a potential way in. Centralized system controls, built on the assumption of a defined perimeter, can no longer provide the degree of assurance they have traditionally delivered.
2. The Rise of Nation States as Threat Actors
2017 saw a rise in the sophistication of cyber attacks, driven by military-grade techniques and tooling developed by nation states and subsequently reused by criminal groups. Russia, North Korea and China are most commonly cited as applying the full force of government-funded capability, far beyond the wildest imagining of the teen hacker in the basement who used to haunt boards’ nightmares. New tools and responses will be required to meet this degree of threat.
3. Cybercrime Motives and Goals Are Evolving
Cybercrime has typically had a simple driver: money. Major breaches focused on monetizing sensitive personal information such as credit card numbers, social insurance/security numbers and health data. No more. The market is now so flooded with stolen personal information, credit card numbers in particular, that the price has dropped. The market for illicit personal information is still there, but it is not as lucrative. The focus of cybercrime has broadened to include intellectual property theft and operational disruption used to extort a ransom. Nation states are also focused on causing actual damage to physical infrastructure, for example the 2015 and 2016 attacks on the power grid in Ukraine, which caused real outages, and reported intrusions into utilities in the US.
4. With Evolving Goals Comes New Targets
As the motives for cybercrime change, so do the targets. Organizations holding large volumes of personal information have typically been the focus of cybercrime. Manufacturing, particularly in a pure business-to-business environment, has so far escaped the brunt of cybercrime, but this is changing. As the focus shifts towards IP theft, operational disruption and physical plant damage, manufacturing companies need to move cyber risk higher on their risk management agenda.
5. The Regulatory Landscape is Changing
A raft of new compliance requirements is coming into play. In Canada, the breach notification provisions of the Digital Privacy Act (amending PIPEDA) come into force on November 1, 2018. They include mandatory notification of both affected individuals and the Privacy Commissioner, along with a requirement to keep records of every breach. The notification requirements are subject to a variety of triggers, including the sensitivity of the information involved and whether there is a real risk of significant harm. The EU General Data Protection Regulation comes into effect this month (25 May 2018) and also includes mandatory breach notification requirements, as well as the right for EU residents to receive a copy of their personal data and to have it erased, subject to defined exceptions.
In the US, the SEC has issued Guidance on cyber-security disclosures. The Guidance stresses the importance of establishing proactive policies and procedures before there is a breach, including controls that ensure cyber incidents reach the people responsible for disclosure decisions and insider-trading policies that prevent trading on knowledge of an undisclosed incident. The SEC focuses on the importance of board oversight and expects companies to disclose how the Board carries out that oversight. The Guidance also reminds issuers that the existing executive certifications of disclosure controls and procedures must take cyber-security risks and incidents into account.
6. Governance Needs to Develop With the Same Intensity As the Risk
In a recent Marsh study, most organizations appropriately identify cyber risk as a top-5 key risk. However, most report that they cannot effectively measure or evaluate it: 34% have no way to measure cyber risk, and a further 46% have only qualitative measures that may be insufficiently robust. Most view governance as functional rather than strategic, with 65.9% of respondents saying that cyber risk is a technical matter owned by IT, not an organizational risk owned by all key risk owners and managers. In reality, IT may control the technical mechanisms, but the broader organizational exposures (operational, legal, reputational and financial) are well beyond IT’s remit. 45% of senior executives say they provide cyber-risk information to the Board, but only 18% of Directors say they receive such information. This disconnect is particularly sobering given the staggering rise in the scope of the risk, coupled with the SEC guidance (for US reporting issuers) that the Board’s oversight of cyber risk be disclosed and that executive certifications of disclosure controls account for it.
Women Get On Board is a leading member-based company that connects, promotes and empowers women to corporate boards. We do this through an engaged community of women and men in Canada committed to advancing gender diversity in the boardroom.