08448380779 Call Girls In Friends Colony Women Seeking Men
Cybersecurity in the Boardroom
1. Technology Risk
E-Book
Audit | Tax | Advisory | Risk | Performance
Cybersecurity
in the Boardroom
A Briefing Guide for C-Level Executives to Threats,
Tactics, and Strategies
nn Six Critical
Questions to Assess
Cybersecurity Readiness
nn Ten Principles of
Corporate Governance for
Management and the Board
nn Five Steps to Establish and
Maintain a Cybersecurity
Road Map
nn Plus: Seven Crowe Insights
to Share on LinkedIn
2. Cybersecurity in the Boardroom
2www.crowehorwath.com
Boards of directors have extremely limited capacity for
taking on new areas of oversight. Given that constraint,
it is noteworthy that cybersecurity has escalated to
a board-level concern and could become one of the
decade’s major corporate governance trends.
Company executives and top management used
to be responsible for meeting the ongoing strategic
challenges in their industries. For example, being an
oil executive was sufficient experience for running an
oil company, being a retail executive was sufficient for
running a retail firm, and so on.
The demands on management have changed with the
times. The digital age has brought about a convergence
such that no matter the industry, executives now
struggle with a set of common concerns related to
technology strategy and information security. Across
widespread, globalized supply chains, organizations
are diversifying beyond property, plant, and equipment
to acquire assets consisting of information, algorithms,
and talent. This digital convergence opens profitable
opportunities and markets but brings with it additional
risks and exposures.
CEOs and other high-level executives need a starting
point for understanding and responding to growing
board-level concerns about cybersecurity. To help
with this objective, Crowe Horwath LLP examines
why the subject has escalated to the board level and
how executives should guide their board members in
thinking about cybersecurity issues.
Introduction
Cybersecurity has escalated to
a board-level concern and
could become one of the
decade’s major corporate
governance trends.
Crowe Insight
Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of
information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
3. Cybersecurity in the Boardroom
3www.crowehorwath.com
Cybersecurity Readiness: Is Your Organization Prepared?
According to The Institute of Internal Auditors Research Foundation (IIARF), the
critical questions to consider when assessing the cybersecurity readiness of a
board of directors are1
:
nn Does the organization use a security framework?
nn What are the top five risks the organization has related to cybersecurity?
nn How are employees made aware of their roles related to cybersecurity?
nn Are external and internal threats considered when planning cybersecurity
program activities?
nn How is security governance managed in the organization?
nn In the event of a serious breach, does management have a robust
response protocol?
5. Cybersecurity in the Boardroom
5www.crowehorwath.com
Executives have become acutely aware of their
personal stakes in facilitating adequate cybersecurity
by preventing incidents and responding to data
breaches in an appropriate manner. Their jobs are on
the line. Yet the decades of industry experience that
make someone a great leader in his or her industry
might not foster the knowledge or relationships
needed to respond to a major cybersecurity threat.
In addition to the financial damage that ensues,
a data breach causes significant exposure to
reputational risk. An apt illustration is the recent
Sony Entertainment Inc. hack in which executives’
reputations appeared to be among the attack’s
principal targets.2
In such a case, with management
having to deal with matters of national security, the
board’s input and participation become essential.
The list of companies beset by data breaches in recent
years includes some of the marketplace’s highest-
profile brands across a broad spectrum of industries,
including The Home Depot Inc.3
and Target Corp.4
in
retail; Domino’s Pizza5
and P.F. Chang’s China Bistro
Inc.6
in restaurants; JPMorgan Chase & Co.7
in banking;
and Adobe Systems Inc.,8
Apple Inc.,9
and eBay Inc.10
in
the technology sector. Even being a relatively low-profile
organization provides no assurance of safety, as seen by
breaches at the Montana Department of Public Health
and Human Services,11
Community Health Systems
Inc.,12
and Goodwill Industries International Inc.13
In fact, data breaches have become extremely
common, with an estimated 43 percent of companies
experiencing one in the past year.14
In 2014, just
counting those confirmed by media sources or subject
to notification through state governmental agencies,
there were a record-high 783 data breaches in the
U.S.,15
which, due to patchwork reporting regulation and
systemic underreporting, understates the problem.
Yet not all data breaches are motivated by criminal
gain or malicious intent. For most, some sort of glitch
or human error is the cause.16
In fact, employee
negligence plays a role in more than 80 percent
of breaches, whether as the sole cause or acting
as a contributing factor to a cyberattack.17
Human
errors take the forms of misconfiguration, a lack
of patching, and “social engineering” in which an
Crowe Insight
The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands
across a broad spectrum of industries, including retail, banking, and the technology sector.
6. Cybersecurity in the Boardroom
6www.crowehorwath.com
attacker convinces an employee to provide sensitive
information. These avenues enable attackers to deploy
point-of-sale malware, botnets, and viruses; exploit
zero-day vulnerabilities; or make use of stolen or out-
of-date credentials.
A data breach of any type can cause severe
financial repercussions. According to IBM Corp.’s
eight-factor model, breaches cost an average of
$145 per record lost.18
In the event of a breach – especially one that
becomes public knowledge – an organization has to
handle a diverse, exhausting set of demands from
multiple constituencies:
nn Technical remediation involving internal IT and
external consultants
nn Media and public relations – an even more
difficult task when coping with a high-profile
“branded” attack, such as one that involved the
Heartbleed bug
nn Liaisons with government officials at the federal,
state, and local levels in accordance with
differing breach notification and consumer
protection statutes
nn Customer communications, including outbound
messages about notifications and remediation
and inbound response teams to handle the
volume of status inquiries
As such, the responsibility falls on boards of directors
to provide an additional layer of external oversight
to confirm that their organizational leadership is
prepared adequately with incident response plans,
evaluated regularly through independent cybersecurity
assessments, and guided by cybersecurity road maps
designed to address long-term threats.
Data breaches cost an average
of $145 per record lost.
8. Cybersecurity in the Boardroom
8www.crowehorwath.com
Crowe Insight
Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls
risk analysis, rating the maturity of security controls, and building remediation plans.
Employee negligence plays a
role in more than 80 percent of
breaches, whether as the sole
cause or acting as a contributing
factor to a cyberattack.
Despite cybersecurity’s immense challenge, the
general principles of corporate governance remain
intact. In dividing the responsibility, management has
full charge for executing the specific steps required to
mitigate risk while the board of directors acts largely in
an oversight and advisory role.
Principal responsibilities for management:
1. Perform a cybersecurity assessment. The
Crowe approach, which combines input from
the leading industry frameworks with Crowe
professionals’ extensive experience, provides
a highly practical, comprehensive approach to
assessing cybersecurity risks, exposures, and
vulnerabilities. Cybersecurity assessments include
the following steps:
nn Identify critical data.
nn Map data stores and flows.
nn Perform a controls risk analysis.
nn Rate the maturity of security controls.
nn Build short- and long-term remediation plans.
2. Perform an ecosystem assessment. Verify
that vendors and outsourcing providers also have
adequate cybersecurity controls.
3. Facilitate global review. Evaluate data
protection laws and breach disclosure
requirements in each country or state in which
the organization does business.
4. Follow frameworks. Meet the appropriate
requirements of the NIST cybersecurity framework,
ISO 27001 standards, and industry-specific
frameworks and/or standards – for example, PCI
for retailers, SEC for public companies and financial
regulators. Efforts taken to meet the requirements
of multiple security frameworks and/or standards
can be rationalized using the Unified Compliance
Framework, a tool that includes a regulations
database for centralized compliance.
5. Form a mitigation plan. Establish an internal risk
management framework supported with adequate
staffing and a budget for achieving compliance.
9. Cybersecurity in the Boardroom
9www.crowehorwath.com
Principal responsibilities for the board
of directors19
:
1. Revise the agenda. Cybersecurity once was
viewed as an IT issue, but given cyberattacks’
present frequency and intensity, the topic now
is considered an enterprisewide, operational risk
management issue to be monitored closely by
the board.
2. Facilitate legal review. Depending on the region
and industry, cybersecurity will have varying legal
implications pertaining to board responsibilities,
and these implications should be reviewed by
counsel and monitored for changes.
3. Enhance expertise. The challenge’s technical
nature requires boards to have access to
cybersecurity expertise, through either the election of
specialists in the field or use of external consultants.
4. Set expectations. In addition to or in conjunction
with existing goals and responsibilities, management
should be monitored, measured, and compensated
based on its ability to establish and enforce an
enterprisewide risk management framework that
can lower the risk of cybersecurity breaches.
5. Maintain frameworks. The adoption of a
cybersecurity framework is not a one-time affair;
rather, security frameworks are meant to evolve
based on threat levels, risk appetites, industry
profiles, and available capabilities in terms of
technical, financial, and organizational resources.
The board needs to set the parameters of
frameworks’ evolution.
Crowe Insight
Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and
available capabilities in terms of technical, financial, and organizational resources.
10. The Board of Directors: Achieving Cybersecurity Excellence
11. Cybersecurity in the Boardroom
11www.crowehorwath.com
Crowe Insight
Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to
evaluate what went wrong and right.
In meeting these responsibilities, a board of directors
should take steps to provide effective oversight of
cybersecurity risk mitigation along with sound advice
to executive management.
Learn from recent breaches and breach
attempts. Every cybersecurity-related incident,
whether or not it causes damage, offers a valuable
opportunity to evaluate what went wrong and right.
nn If the organization has been affected by a
breach, ask, “How did we react? What did we
tell our customers?”
nn If not affected, ask, “What prevented the
breach? What would have happened if we had
been breached?”
Stress test the incident response plan. Similar to
a disaster recovery plan, the specifics of an incident
response plan have to be carefully planned and tested.
nn Board members should understand their
personal roles in the response plan and have
access to resources to fulfill their responsibilities
as outlined in the plan.
nn Board members should be aware of the expected
reactions to a breach from regulators, law
enforcement, customers, and other stakeholders.
nn Following an attack on the company or broader
industry, the board should convene to review the
company’s response.
12. Cybersecurity in the Boardroom
12www.crowehorwath.com
Perform an independent cybersecurity
assessment. For a cybersecurity assessment,
as with any other type of evaluation, the board of
directors should not rely entirely on information
from management to assess its own performance.
Accordingly, it is essential to receive an independent
evaluation of how the organization is meeting the
requirements of the various cybersecurity frameworks.
An effective, independent cybersecurity assessment
will evaluate:
nn Qualifications and capabilities of the
cybersecurity team
nn The state of the organization’s IT
and cybergovernance
nn Reporting relationships among the CEO, CIO,
chief information security officer, chief audit
executive, and other relevant executives
nn Preventive controls and security
awareness training
nn Other organizations in the industry or
organizations of similar size in other industries
Establish and maintain a cybersecurity
road map. Much like a technology road map, a
cybersecurity road map provides a consensus-driven
framework for achieving realistic short- and long-
term objectives. A cybersecurity road map not only
defines the extent to which an organization intends
to protect itself against data breaches but moderates
risk tolerances in different areas to employ the optimal
alignment of people, processes, and technology.
A cybersecurity road map should include the
following elements:
nn Annual health checks. Establish the capability
to review the performance of the cybersecurity
response team through interviews and
independent data reviews.
nn Year-by-year milestones. Set expectations for
annual improvements in incident rate, incident
response time, employee training hours, and levels
of compliance with cybersecurity frameworks.
43% of companies experienced
a data breach in the past year.
13. Cybersecurity in the Boardroom
13www.crowehorwath.com
Crowe Insight
Perform an independent cybersecurity assessment to determine if the organization is meeting the
requirements of the various cybersecurity frameworks.
nn Risk tolerances. For each type of risk faced
by an organization, identify the risk tolerance –
which risks to avoid, which to accept, which to
mitigate through an operational response, and
which to transfer through insurance.
nn Cybersecurity insurance. Insurance’s cost is
expected to vary greatly in coming years. Price
increases will be affected by the threat level
and virulence of attack vectors, with decreases
driven by the extent to which technology
solutions succeed at improving cybersecurity’s
efficacy. Given the attention and investment in
the cybersecurity sector, as well as interest in
the category by the insurance industry, it’s quite
possible or even likely that an organization that
currently self-insures against cybersecurity risks
will find cybersecurity insurance a much more
attractive proposition in the years to come. The
board of directors should have a sense of the right
price for coverage at the organization and, based
on a set of planning assumptions, incorporate
those expectations into the road map.
nn Long-term remediation plans. The
cybersecurity road map and the broader
technology road map can converge to rework
business processes with the aim of reducing
exposure to cybersecurity threats. Given that
the human element in the form of employee
negligence plays a contributing role in the
majority of data breaches, it follows that an
approach that supplements human labor with
artificial intelligence potentially would reduce the
overall risk of operations from a cybersecurity
standpoint. These and other long-term
considerations should be incorporated into the
cybersecurity road map for annual review.
15. Cybersecurity in the Boardroom
15www.crowehorwath.com
In the next several years, boards of directors have
the opportunity to play an important role in the global
economy by guiding organizations through the present
phase of challenging cybersecurity threats. Even as
technology enables powerful new business models
that still are being explored, IT infrastructures remain
relatively immature from a cybersecurity perspective.
Until the security model catches up with the business
model, organizations will be exposed to malicious and
criminal actions.
Through their cross-industry exposure, high-level
perspective, and influence, board members can guide
management toward proper cybersecurity planning
and mitigation, quickening the process of adaptation
to the present threat environment.
Given the participation of well-funded adversaries,
it’s unlikely the cybersecurity threat ever will go away.
But it’s certainly within the grasp of any organization
to stop making simple mistakes, improve overall
awareness, and establish a solid course toward a safer
computing environment that’s ready to do business in
the 21st century.
Crowe Insight
Cross-industry exposure allows board members to guide management toward proper cybersecurity
planning and mitigation more quickly.
Boards of directors have the
opportunity to play an important
role in the global economy by
guiding organizations through
the present phase of challenging
cybersecurity threats.
16. Cybersecurity in the Boardroom
16www.crowehorwath.com
1
Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014,
pp. 14-15.
2
“Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The
Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/
sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/
a799e8a0-809c-11e4-8882-03cf08410beb_story.html
3
“Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security,
Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-
malware-contained
4
“Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including
Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch.
com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen-
including-names-emails-and-phones
5
“The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The
Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos-
pizza-ransom-hack-data
6
“Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http://
krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs
7
“Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times
DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of-
jpmorgan-data-breach-is-identified/?_r=0
8
“Over 150 million breached records from Adobe hack have surfaced online,” The Verge,
Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-
records-from-adobe-hack-surface-online
9
“Apple Developer site hack: Turkish security researcher claims responsibility,” The
Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple-
developer-site-hacked
10
“EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles.
chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares-
ebay-users-u-s-company
11
“Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www.
informationweek.com/healthcare/security-and-privacy/montana-health-department-
hacked/d/d-id/1278872
12
Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18,
2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity-
idUSKBN0GI16N20140818
13
“Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014,
http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months
14
“43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014,
http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197
15
“Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity
Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys-
Studies/2014databreaches.html
16
“2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014,
http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_
Data_Breach_Study.pdf
17
“43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014,
http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197
18
“2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014,
http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_
Data_Breach_Study.pdf
19
Based on principles established by the National Association of Corporate Directors, as
listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www.
theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-
download-pdf-1852.cfm
Sources