Imperva is honored once again to have Craig Shumard, recognized thought leader and spokesman in the area of information protection, guest blog for us. Craig has dedicated more than two decades to protecting private, sensitive and confidential information as Chief Information Security Officer of CIGNA Corporation from May 1999 until his retirement in 2010.
This is the first in a series of blog posts about Board of Directors’ cyber security governance best practices.
Directors need to be concerned about the enterprise cyber security posture because of their fiduciary responsibilities. Boards of Directors (BoD) have oversight responsibilities for cyber security measures and cyber security breach disclosures, as set out in National Association of Corporate Directors (NACD) guidance and Securities and Exchange Commission (SEC) disclosure requirements. More importantly, cyber breaches can have a material impact on an enterprise’s financial condition. Finally, cyber security has now become an important business continuity concern.
As recent cyber events have demonstrated, security and privacy breaches (e.g., SONY) can have a significant and material financial impact on an organization. In today’s world, it is not a question of if you will be breached, but rather when and how big the breach will be. Every organization needs to be prepared. BoD governance and oversight is not only warranted, it is necessary.
1. Drivers for effective security governance
Several drivers create the need for more BoD governance over cyber security. Specifically:
- Increased regulatory scrutiny over cyber risks, demanding both explicit and implicit BoD governance
- Proliferation of cyber threats such as the theft of personal information and intellectual property, denial of service attacks, and last but not least, malware infestations
- Growing damages caused by cyber breaches or incidents
2. Fiduciary Duty Compliance
The NACD recommends BoD governance over cyber security. Specifically, NACD recommends the following for cyber security oversight practices:
- Place information security on the board’s agenda
- Identify information security leaders, hold them accountable, and provide support for them
- Ensure the effectiveness of the corporation’s information security policy through review and approval
- Assign information security to a key committee and ensure adequate support for that committee (usually the Audit Committee)
The SEC also holds Boards of Directors responsible for overseeing the disclosure of cyber incidents or breaches and their impact.
Laws and regulations designed to force improvement in organizational governance over cyber risks and controls, together with the sanctions and fines attached to them, are BoD concerns. HIPAA security and privacy regulations for the healthcare industry, PCI security requirements for enterprises processing credit card transactions, and FFIEC requirements for the financial sector’s information processing infrastructure are just the start of a long list of examples.
3. Increasing Cyber Threat Landscape
Cyber threats have also increased the need for BoD governance over cyber security. The major cyber threats include:
- Cyber espionage that results in the loss of personally identifiable information or intellectual property. (It seems like rogue governments are trolling everywhere and everyone these days.)
- Cyber hacktivism such as the Anonymous group dedicated to a variety of social protests
- Cyber assaults like the Distributed Denial of Service (DDoS) attack Sony suffered in 2014
Examples of risks associated with cyber threats include:
- Compromised customer data
- Diminished brand and reputation
- Loss of investor and consumer confidence and loyalty
- Stolen sensitive intellectual property
- Compliance and regulatory sanctions
- And last but not least: Business disruptions
The bottom line is that cyber threats and breaches are increasing in complexity, frequency, and magnitude. No company is immune.
4. Increasing Cyber Breach and Incident Impact
The financial impact on an organization as the result of a cyber breach or incident is also increasing and is often material to the organization.
Take the following reported costs associated with some notable recent cyber security breaches: $162M for Target, $63M for Home Depot, $339M for the Office of Personnel Management (and that was for identity theft coverage only), and $171M for SONY.
Cyber breaches are a business continuity concern. The SONY breaches highlighted above not only caused a significant business interruption to its PlayStation business, but the attack on its Pictures unit also impacted its ability to report financial results on time because many of its accounting systems had been destroyed by malware planted by the attackers. It took SONY months to recover and restore those systems.
In other words, cyber breaches are not only disruptive to the business, they are very expensive to mitigate. They can have a material financial impact on an organization and cause major business disruptions.
Enterprises face cyber threats and attacks every day. In fact, it is not a question of if a cyber breach will occur, but when and how significant the breach will be. A single cyber security breach can materially affect the financial condition of any enterprise or cause a significant business disruption. As such, BoD governance and oversight over the cyber security posture of the enterprise is not only needed, but required.