The Board’s role in Cyber Resilience

Webinar with Katja Severin Danielsson and Dimitri Chichlo – 9 June 2020

On 9 June 2020, IDN members discussed the board’s role in Cyber Resilience with guest speakers, Katja Severin Danielsson, IDP-C, NED and partner at PwC Sweden, and Dimitri Chichlo, IDP-C, NED and CEO of Swiss Cybersecurity consulting firm AndSecure, in a webinar facilitated by Liselotte Engstam, IDN Board Member, and with Q&A support by Hagen Schweinitz, IDN Board Member.

Cyber damage is accelerating

Katja shared that cyber damage has been increasing as companies are becoming more digital and has accelerated dramatically during the COVID-19 crisis. However, according to PwC’s 22nd Annual Global CEO survey, only 15% of CEOs strongly agree that their company can withstand cyberattacks and recover quickly.  Unfortunately, many boards are not engaged enough with cyber resilience, and need to increase their focus on it, and make it a key part of their agendas.  Further, Dimitri added that 76% of security professions are focused on detection and containment and not prevention.  For companies, it is not a case of whether they will be hacked, but when it will be hacked, and how much the magnitude of the impact of attack will be.  Dimitri notes that the 15% from the PwC survey is rather a grim figure, taking into consideration by how much senior managers are prone to overestimate their capacities.

Katja highlighted key messages on current status and what needs to be done of the World Economic Forum on cyber risk, and specifically emphasised that leaders need to create a culture of cybersecurity from entry level to top level of an organisation.

Source – World Economic Forum

Dimitri further noted that leveraging technology is an opportunity, however many companies were not prepared for the pandemic.

Five cyber risk governance principles

Katja shared the five cyber risk governance principles mentioned in the revised 2020 Cyber-Risk Handbook which was released out by the Internet Security Alliance, ecoDA, and AIG and which was supported by PwC Sweden.  This guide was developed for Europe, however, can be used by a global audience.  There are also specific handbooks developed for other markets for example the US and the UK market.

The first three principles are the responsibilities of the board, with principles 4 and 5 noting how the board should work with and expect from management.

The principles are:

  • Principle 1 – Directors need to understand and approach cybersecurity as an enterprise-wide risk management and strategy issue, not just an IT issue. Katja mentioned that cybersecurity should be integrated with business decisions, its assessment should be comprehensive, and it should consider the ecosystem of organisations (including third parties such as vendors and customers) which the company deals with.  Directors not only need to understand the technical IT matters but also operational matters which impact critical components of the business.
  • Principle 2 – Directors should understand the reputational and legal implications of cyber risks as they relate to their company’s specific circumstances. Katja noted that directors need to consider the industry that the company operates in and the type of company they have. They should note that the type of company impacts the standards which the company needs to comply with; some types of companies may need to maintain certain levels of security and comply with more transparency requirements, else face sanctions if they don’t comply with regulations.
  • Principle 3 – Boards should ensure adequate access to cybersecurity expertise, with appropriate reporting, at both Board and Committee level. Board members should be fully engaged, make enquiries and challenge management.  They also ensure that they have access to the right reporting, at an appropriate level of detail, in plain English which is understandable and easy to use.  Dashboards are often useful to follow trends.  They should integrate experts/competence into the board room for training.
  • Principle 4 – Board directors should ensure that management establishes an enterprise-wide cyber-risk management framework which encompasses culture, preventive, detective, and response capabilities, monitoring and communication at all levels.  Resources should be adequate and allocated appropriately by the strategies adopted. Katja stated that the cyber-risk management framework should be aligned to the organisation’s strategy.  Further, the risk management of cyber is an iterative process, whereby companies need to continuously update understand and act on the  changes in their threat profile and current risk position.  She highlighted the importance of understanding the company’s crown jewel assets, understand the current security posture – capture strengths and deal with the vulnerabilities, and ensuring that the controls and investment plans protect the right assets.
  • Principle 5 – Board-management discussions about cyber risk should include strategies on their management (mitigation, transfer through insurance or partnerships, acceptance, etc). Katja highlighted the importance of good reporting to allow directors to challenge management, and of the need to understand strategies that management plans to use to reduce/mitigate or avoid risk, considering the cost/benefit of the strategies. This to ensure investments in cyber security targets the company’s threat profile and contributes to the company being more secure. Ask the question to management “are we spending our money wisely”?

The guide has five tool kits which directors/management can use to benchmark their cyber risk governance.

Participants then engaged in a lively Q&A session which covered a broad number of topics including aligning the cyber strategy to the broader company strategy and day to day operations; how directors and their companies can improve their cyber resilience; whether boards should participate in crisis exercises; the benefits of having a cyber resilience committee; that cyber resilience is as much a HR/people and process issue than a technical risk; the importance of focusing on all stakeholders and dimensions when looking at the risks of a cyber attack (including financial, customer, reputational/media, shareholders, third parties/ecosystem partners); understanding the crown jewels of the company; and how to have the right knowledge of cyber at the board level, and across the three lines of defence.

Summary

In her closing comments, Katja noted that cyber resilience is a board responsibility, and

  • Cybersecurity is one of the fastest growing threats to organisations
  • Cybersecurity is an enterprise wide risk management topic not an IT issue
  • The board needs to increase insights and guide their organisation
  • Boards need to ensure the investments are targeted to company context
  • Boards are responsible to address these threats

Finally, Dimitri concluded by stressing the necessity to have technology and cybersecurity experts in boards, and not only business experts and leaders.

 

Recommended reading

Cyber Risk-Oversight 2020 Handbook – https://ecoda.org/wp-content/uploads/2019/08/ecoDa-cyber-handbook-Final-15.4.20.pdf

Impact of COVID-19 on Cybersecurity (PwC) – https://www.pwc.co.uk/cyber-security/pdf/impact-of-covid-19-on-cyber-security.pdf

CEOs face test of resilience in 2019 (PwC) – https://www.pwc.com/us/en/services/consulting/cybersecurity/PwC_CEOs-face-test-of-resilience-in-2019.pdf

Cyber Handbook 2020 (NACD ISA) – http://isalliance.org/wp-content/uploads/2020/02/RD-3-2020_NACD_Cyber_Handbook__WEB_022020.pdf

WEF Cybersecurity Platform – https://www.weforum.org/platforms/shaping-the-future-of-cybersecurity-and-digital-trust

Cyberattack Map – https://cybermap.kaspersky.com