Across the country, board members are raising concerns about the cybersecurity risks their organizations face. Regulators are outlining new requirements to address these risks, and new frameworks are being adopted to give businesses a comprehensive roadmap for managing them. Most organizations look to their Chief Information Officer (CIO) to understand and drive the changes these trends require, but most also agree that cybersecurity is an enterprise risk management issue at its core. The CIO must collaborate with risk management, internal audit, the management team and the board of directors to manage these risks effectively.
Board Member Perspective
The role of the board, as the primary governance body of an organization, is to ensure management:
• Defines the cyber program ownership and governance structure
• Develops a risk management approach and policies
• Assesses cyber risks and current ability to mitigate them
• Identifies and communicates risk appetite
• Links compliance requirements to control framework
• Implements general training and awareness programs
• Analyzes and recommends need for cyber insurance
(Source: CEB—The Board’s Role in Cybersecurity Oversight 2015)
Board members should regularly discuss with management the following questions:
• What are the company’s most critical data assets?
• Where do they reside? Are they located on one or multiple systems?
• How are they accessed? Who has permission to access them?
• How often are systems tested to ensure data is adequately protected?
(Source: NACD Cyber-Risk Oversight Handbook 2017)
It is important for board members to understand that cybersecurity is an enterprise-wide risk management issue, not just an IT issue. The board should understand the legal implications of cyber risks as they relate to the company’s specific circumstances; have access to cybersecurity expertise; and ensure that management has established an enterprise-wide cyber risk management framework with adequate staffing and budget to advance the organization’s cyber risk management program. Cybersecurity should be a regular agenda item at board meetings.
The Regulatory Perspective
The purpose of cybersecurity regulation is to provide directives that safeguard information technology and computer systems, requiring companies and organizations to protect their systems and information from cyber-attacks. Cyber-attacks include viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (theft of intellectual property or confidential information) and attacks on control systems. Numerous measures are available to reduce the likelihood and impact of such attacks, including firewalls, anti-virus software, intrusion detection and prevention systems, encryption and authentication controls such as passwords. Efforts have been made to improve cybersecurity both through regulation and through collaboration between government and the private sector that encourages voluntary improvements. Industry regulators recognize cybersecurity risk and now include cybersecurity as an aspect of regulatory examinations. (Source: Wikipedia)
A few federal cybersecurity regulations exist, and those that do focus on specific industries. The three main regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). These three regulations mandate that healthcare organizations, financial institutions, and federal agencies, respectively, protect their systems and information. On Oct. 19, 2016, the Board of Governors of the Federal Reserve System (“Federal Reserve”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Deposit Insurance Corporation (“FDIC”; collectively, the “Agencies”) issued a joint advance notice of proposed rulemaking (“Notice”) inviting public comment on cybersecurity regulations and guidance designed to improve the safety and soundness of the U.S. financial system. The Notice poses 39 questions on which the Agencies seek input, including whether the Agencies should ultimately issue a formal regulation, guidance or some combination of those tools.
Individual states are also implementing new regulations. For example, New York State Department of Financial Services (NY DFS) implemented its new cybersecurity regulation, effective March 1, 2017, that requires banks, insurers and other financial services firms to meet minimum cybersecurity requirements “to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”
Key requirements of this regulation include:
• Conduct periodic risk assessments updated as necessary in light of changes to the Covered Entity’s systems, nonpublic information, and business operations.
• Maintain a cybersecurity program based on the risk assessment.
• Adopt written cybersecurity policies approved by a senior officer or the board.
• Maintain governance and qualified staffing for the program, together with annual compliance certifications and supporting documentation.
• Continuously monitor, or periodically conduct penetration testing and vulnerability assessments, to test the effectiveness of the Covered Entity’s cybersecurity program.
• Limit user access privileges to systems that provide access to nonpublic information and periodically review those privileges.
• Maintain application security written procedures, guidelines, and standards.
• Maintain a third-party service provider (vendor) risk management program, with supporting policies and procedures.
• Use multi-factor authentication or risk-based authentication.
• Secure destruction of data: adopt policies and procedures for the secure disposal on a periodic basis of any nonpublic information.
• Implement controls, including encryption or compensating controls, to protect nonpublic information.
• Establish a written incident response plan for responding to any cybersecurity event.
• Provide regular cybersecurity awareness training for all personnel.
• Notify NY DFS within 72 hours of determining that a reportable cybersecurity event has occurred.
These federal and state regulations raise the bar for companies to create programs that address cyber risks and demonstrate their efforts to regulators.
The Standards Perspective
Cybersecurity standards have existed for decades, all with the objective of reducing risks, including preventing and mitigating cyber-attacks. A 2016 US security framework adoption study reported that 70 percent of the surveyed organizations see the National Institute of Standards and Technology (NIST) Cybersecurity Framework as the best practice for computer security, but it requires significant investment.
The NIST Framework
The NIST Framework allows organizations, regardless of size, level of cybersecurity risk or complexity, to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. It provides order and structure to the many approaches to cybersecurity by compiling standards, guidelines, and practices that are working effectively in industry today. The Framework is not a one-size-fits-all approach to managing cybersecurity risk. Organizations will continue to face their own risks, threats, vulnerabilities and risk tolerances, and how they implement the practices within the Framework will vary. It is up to each organization to determine the activities important to critical service delivery, as well as the financial investment needed to maximize the impact of each dollar spent. Ultimately, the NIST Framework is designed to help organizations reduce and better manage cybersecurity risks. (Source: National Institute of Standards and Technology)
In conclusion, it is the CIO’s role to educate the organization and its board of directors on cybersecurity management practices. The CIO must understand emerging risks and regulations, and adopt a cybersecurity framework and program to manage those risks. This requires a flexible framework and program that can direct and improve the organization’s capabilities over time. As with any investment, the balance of risk and reward matters: how much risk management the organization undertakes, and how fast it moves, should be driven by its own risk assessment.