From the recent botnet attack on home and small-office routers to renewed attention to cybersecurity at the U.S. Securities and Exchange Commission (SEC), directors of companies are tasked with understanding and overseeing a mounting range of information about cyber risks. Recognizing that directors need oversight-specific resources to guide their understanding of this critical risk, the National Association of Corporate Directors (NACD), Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University (CMU) partnered to develop the Cyber-Risk Oversight Program.
The program is tailored specifically to the needs of the director and is updated periodically with webinars to provide context on the most recent developments in cybersecurity. Students who complete the course and pass a series of quizzesare awarded the CERT Certificate in Cybersecurity Oversight. They also join a group of their peers who are publicly acknowledged for having completed the program.
“Cyber-Risk Oversight: Boardroom Update” is the first installment in our Cyber-Risk Oversight webinar series. Completion of the program is not a requirement to view this webinar. Some chief insights from the webinar follow.
What’s New In the Threat Environment
According to Summer C. Fowler, a member of the CERT Institute faculty at CMU and an instructor in the Cyber-Risk Oversight Program, cybercrime costs the global business market $6 trillion annually. This considerable cost suggests that directors should pay closer attention to cyber-risk oversight, as cyber risks take a material toll on companies. Below is a summary of some of the more pressing threats discussed in the webinar.
- Just under three quarters of cybersecurity breaches to companies’ systems come from an outside source, while 27 percent are from insiders. Fifty percent of the breaches are made by criminals acting with financial gain in mind.
- Small businesses have become a primary target for cybercriminals because they oftentimes do not have sufficient resources to defend themselves. Directors of these types of companies and nonprofits should ask questions of the organization’s executives to understand how data is being protected.
- The average time to discover a breach is six months, which is down from seven months from 2017. This number is alarming, as cybercriminals are still spending significant time in systems without being detected.
- Members of boards of directors are very often the targets of whaling attempts, which are phishing attempts in which an e-mail is received that looks like a critical, legitimate request. For example, an e-mail may be drafted to appear as though it has come through the chain of command. There will often be multiple people targeted at once through these attempts, to increase the appearance of legitimacy. Whaling can be extremely convincing, and directors should receive training on how to avoid falling victim to these attacks.
Cybersecurity and the SEC
In the past few years, the corporate approach to cybersecurity has shifted from a reactive to a proactive mindset. These shifts have also been significant from a legal perspective, as ensuring cybersecurity and data protection becomes the responsibility of many people, rather than one single person. Cybersecurity also has become a priority for the SEC. In 2011, the SEC’s Division of Corporate Finance issued guidance on how companies should approach disclosure of a breach to investors. While the chief regulator of public companies has not since made any specific rules on reporting of cybersecurity incidences, it restated its guidance on what it expects companies to do to be transparent to shareholders about breaches. In February of 2018, the SEC released guidance for companies to consider when evaluating cybersecurity risks for disclosure. The SEC suggests that the board needs to think about more than the concrete costs of recovering after a cyber breach.
The factors that a board should consider in cybersecurity disclosure are:
- occurrence, frequency, and severity of prior cybersecurity incidents;
- probability and potential magnitude of cybersecurity incidents;
- adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
- aspects of the company’s business and operations that give rise to material cybersecurity risk;
- costs associated with maintaining cybersecurity protections;
- potential for reputational harm;
- existing or pending laws and regulations that may affect the cyber requirements; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Are you interested in earning a respected credential in cyber-risk oversight at your own pace? NACD members and those who are not yet members are encouraged to watch the webinar embedded above to preview the course’s offerings and to register for the course.