This session was presented at the Association of Independent Colleges and Universities of Pennsylvania (AICUP) Member Meeting on Collaboration on June 19, 2019. The session provided tips for IT professionals to escalate issues of cybersecurity and cyber risk to the board of trustees for higher education.
Today’s Agenda
• Overview of the board’s role in cyber risk oversight
• Review the latest trends and research related to boards and cyber risk
• Discuss how boards can prepare for cyber incidents
• Mini-tabletop exercise
Cyber Risk by the Numbers
• 447 million – number of personal records hackers stole last year
• 206 days – average number of days it took US companies to detect a data breach
• >70% by 2021 – percentage of all cryptocurrency transactions used for cybercrime
• $6 trillion annually by 2021 – annual cost of cybercrime, which is already greater than the illicit drug trade
• 1 in every 50 emails contains malicious content
• #10 on the Top 10 – education is #10 on the top 10 most cyber-attacked industries
Sources: https://www.ibm.com/security/data-breach; https://www.comparitech.com/vpn/cybersecurity-cyber-crime-statistics-facts-trends/; https://cybersecurityventures.com/cybersecurity-almanac-2019/
Cybersecurity vs. Cyber Resilience
Cybersecurity – programs and processes in place to protect hardware, networks, and data from cyber incidents
Cyber resilience – the ability to withstand a cyber incident, including:
• Programs & processes in place to ensure operations can continue with minimal disruption both during & after an incident
• The speed and agility of the organization’s response to cyber incidents
• The ability of the organization to retain & rebuild the trust of stakeholders after a cyber incident occurs
Cyber-Readiness – Boards Lag Behind
• 53% – North American directors use personal email for board communications (Global: 56%)
• 45% – North American directors lost a device that contained board records in the past year (Global: 29%)
• 29% – North American boards using secured instant messaging software (Global: 47%)
• 37% – North American boards find it challenging to share sensitive documents safely (Global: 47%)
Source: 2018 Forrester, Directors’ Digital Divide Report
Cyber-Readiness – Boards Lag Behind
Figures as laid out on the slide: 82% 67% / 13% 51%
• School boards have never conducted a security audit of board communication
• IT/Data security teams that oversee the security of board communications
• School boards don’t require cybersecurity training
• School boards “don’t know” if there is a cyber crisis plan in place; another 39% know there isn’t one.
Source: 2018 NSBA School Board Cyber Risk Report
What Is the Board’s Role in Cyber Risk Management?
Board’s Fiduciary Obligations
Duty of Care
• Acting on an informed basis after consideration of all available information
Duty of Loyalty
• Putting the organization’s interests above your own & avoidance of conflicts of interest
Duty of Good Faith
• Exercising care & prudence in business decisions with adherence to law & policy
Who’s Accountable?
• Administration carries out day-to-day business, reports to the President
• President oversees school & staff, reports to the board
• Board: oversees mission, represents stakeholder interests, oversees the institution
• Stakeholders: students, families, community, local businesses, elected officials, government agencies, media, etc.
Questions for the Board to Consider
• Is the institution’s approach to cybersecurity risks and associated privacy issues able to meet new legal requirements (e.g. GDPR, US state laws)?
• How frequently is the maturity of the institution’s cybersecurity risk management framework being assessed and evaluated?
• How is the institution monitoring for new and potential cybersecurity regulatory changes and complying with new legal requirements?
5 Cyber “Discussion Starters” for the Board
1. What does our plan include? (BC/DR, crisis communications, cyber risk coverage)
2. How are we protecting consumer data?
3. How do we know our security/privacy program works?
4. What are the biggest vulnerabilities & how are we preparing?
5. Have we received adequate training & have we practiced the plan?
Exercise: Cyber Crisis
• Divide into teams
• Each team – select a VIP to take notes, someone to be time-keeper, and a team rep.
• Read through the case scenario & discuss:
  • What would your board do first, second?
  • What unanswered questions need to be resolved?
  • Who on the board should be involved and what roles should each person play?
  • What reports & data will the board need?
  • How should the board’s efforts be coordinated?
Speaker notes
• 159,700 – number of cyberattacks reported by organizations in 2017; estimated to actually be closer to 300,000 including those that were unreported
• $6.5 million – average total cost of a cyber breach, including the cost of scrubbing systems, damages, etc. It does not include ongoing litigation, increases in cyber risk insurance coverage, or new fines imposed by regulators.
• 3.5 million – number of unfilled cybersecurity jobs by 2021
• $6 trillion – annual cost of cyber crime damages by 2021
• 1 in every 131 emails is malicious; the most common are phishing and malware, including skimmers & ransomware
• 93% – cyber attacks that could be prevented by updating software & training; for example, still using Internet Explorer, which is no longer being fully patched/supported by Microsoft, not being vigilant about using strong passwords, and using the same password on multiple sites
Dottie to provide a brief introduction to the data from the survey:
“Before we dive into the survey data, I want to provide some context on cyber risk. Imagine a scenario where you have a group of part-time employees who are only on-site a handful of days each year. These employees mostly operate outside your firewall, but their job entails receiving, reviewing and responding to some of the most sensitive information your company has. These individuals also may have the ability to take this incredibly sensitive information and save it to local drives, print copies, and potentially email others using personal email accounts on service providers that might be completely unsecured. Even if the systems they use have security, since they are not managed by your company’s data security team, you have no access to or control over the systems these folks are using.
Unfortunately, this scenario is a fairly accurate picture of how boards of directors communicate and operate at many companies.”
These are based on Delaware corporate law, which influences the largest number of corporations in the US and has therefore become the standard.
Duty of Care:
• Coming prepared to meetings, ready to deliberate, actively visiting the board portal
• Taking the time to research & reflect
• Adhering to professional standards – even when you’re off duty
• Staying informed on risks, opportunities, finances, activities, successes & challenges
• Anticipating consequences of decisions
Duty of Loyalty:
• Advocating for the org’s mission & its stakeholders’ interests above your own
• Networking, opening doors, leveraging social media (NOTE: private opinions tend not to stay private for long)
• Providing support & care for the CEO
• Disclosing & avoiding potential conflicts of interest
• Maintaining confidentiality & helping others do the same
• Supporting board decisions in public, regardless of personal feelings
Duty of Obedience:
• Being a “good student” of the bylaws, policies, and laws governing the org. and board
• Ensuring others adhere to the rules
• Knowing the org’s core documents, ensuring they are current & accurate
• Being a “good citizen” – keeping the health and welfare of your org.’s stakeholders top of mind
What’s at stake?
Took effect 11/1/2018. Among the new rules is a requirement that companies must keep accurate data about cybersecurity safeguards for two years following, in case breaches are revealed down the line. The law also calls for "appropriate" digital safeguards at all parts of the business, including dealings with third-party contractors.
The rules call for stiff penalties, too — up to $100,000 per violation — a sum that should be enough to frighten many businesses into updating their IT infrastructure. But many will have problems complying with the new rules, partly because of a lack of awareness.