Posts by: Scott Kannry

Moody’s: The Cybersecurity Trifecta for Boards of Directors

Intent to rate cybersecurity risk is the third major Board of Directors wake-up call

by Scott Kannry, CEO, Axio and Scott Underwood, Director of Business Development, Axio

November 27, 2018

The past 36 months have seen two significant developments that should have woken up Boards of Directors to their cybersecurity obligations.

First, a spate of high-profile cyber events, namely those experienced by Equifax, Maersk, Mondelez, FedEx and others, proved that regardless of the money spent on protection, the high-caliber cybersecurity professionals employed, and the good intentions to purchase the right amount of insurance, current cybersecurity approaches were not working. And in Equifax’s case, the severity of the event resulted in a CEO and CISO change and securities class action litigation that remains ongoing.

Second, in February of this year, the SEC released updated cybersecurity disclosure guidance that implored companies to disclose their understanding of cyber risk versus mere disclosure of events after the fact.  As Axio’s post on that announcement noted, “By forcing companies to identify and publish their ongoing cyber risks, [the SEC] is elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.”  Subsequent to this disclosure, the SEC didn’t waste much time evidencing its intent to act when it fined Altaba (formerly Yahoo!) $35M for failing to disclose its breach in a timely manner.

And now, the Trifecta: an announcement by Moody’s that it will soon start incorporating an evaluation of an organization’s risk of a major cyber event into its existing credit ratings, with the future possibility of offering a stand-alone cyber risk rating. While the specific means by which Moody’s will accomplish this have not yet been disclosed (and may never be disclosed), the impact of such a decision cannot be ignored because of the importance of Moody’s ratings to the investment landscape. Simply put, if Moody’s issues an unfavorable rating based on its analysis that an organization lacks cybersecurity maturity, that organization could expect to incur higher borrowing costs at a minimum, and could suffer further if other entities or investors use the ratings beyond investment transactions.

If the previous two series of events did not garner appropriate Board of Directors attention, hopefully Moody’s announcement does. Because unlike those events, an unfavorable rating from Moody’s could cost a company a considerable amount of money and thus precipitate an argument that the company’s executives and Board of Directors are not fulfilling their fiduciary responsibility. This announcement and its potential implications should not be disregarded. So what are companies and their Boards of Directors to do?

Luckily, achieving appropriate cybersecurity understanding and management is readily achievable today, and presumably in a way that could be used to answer any questions raised by Moody’s and others:

ONE

Understand your cyber risk exposure as it relates to the business and in financial terms.

Start by asking one question: “If a cyber event happens to us, what might it look like?” Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be. Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury? Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the impact of those events. Gaining this knowledge is especially critical if Moody’s independently attempts to estimate your financial exposure to a catastrophic cyber event. They simply won’t be able to achieve the same level of accuracy without knowing how the organization ticks on a daily basis. You have that knowledge and can use it to your advantage.

TWO

Utilize a maturity based cyber program management framework, such as NIST-CSF or the C2M2.

Align it with the scenarios that you’ve quantified in step one, and ensure that it is reported to the Board in understandable terms. Why one of these maturity models? Because a maturity-based approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often produce a false sense of confidence once the checklist is complete and the compliance framework met. And why align the methodology with the scenarios? Because that connects the cybersecurity program with the business, a critical link for Boards to effectively understand the cyber program. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for folks like Moody’s that you are focused on appropriately protecting the long-term health of the organization.

THREE

Maintain the resources and financial ability to recover from a meaningful event.

At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others. How do you get there? See Step One.

FOUR

Evidence all of the aforementioned components with peer benchmarking and best practices insight.

Because cyber risk is incredibly dynamic, and traditional means of risk management, such as complying with standards or achieving certifications, can only serve as a baseline, benchmarking and best practices insight can be the best way to prove cybersecurity maturity. Is your cyber exposure in line with, or more favorable than, your peers’? Is your cyber program in line with, or more favorable than, your peers’? Have you purchased an insurance program that is in line with, or more favorable than, your peers’?

Put it all together and Boards of Directors can confidently and continuously validate that the organization is meeting its fiduciary responsibility for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from a major event, and we can provide evidence.”

Agenda Item #1 for the Next Board of Directors Meeting

October 26, 2018

A Duty of Care for Cybersecurity

This past summer we witnessed various blue-chip firms like Maersk, Merck, FedEx and Mondelez, none of whom likely anticipated the reality of a major cyber event, all declare major impacts on operations and, in some cases, resulting losses of hundreds of millions of dollars. The leaves are now falling and so are the executives at Equifax, with more almost certainly on the way, compensation clawbacks being discussed, and years of litigation ahead. Most recently we’ve seen Deloitte suffer the exact fate that it proudly attempts to help thousands of clients avoid. While all of these companies are different, they likely share a common thread of investing an incredible amount of money in security technology, employing many capable security professionals, and thinking that their losses would be insured. Does anybody still believe that the current cybersecurity paradigm is working?

Cybersecurity should be at the top of every upcoming executive and board of directors meeting. Rather, it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and for a host of other reasons in between. But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that “something similar must never happen to us.” That is futile.

The right way to look ahead is to consider an alternative world for a company, where a serious event still occurs, but where management can explain to the board, shareholders, and customers that:

“We’re unfortunately announcing that we have suffered a major cyber event. Surely some painful days lie ahead for our business, but we’ll get through this. Please let me explain.

The event that we’re experiencing is one that we knew was possible. Our reliance on technology runs so deep that eliminating this type of scenario could only have been accomplished by shutting down the business. So we built a cybersecurity strategy around the very possibility that this type of loss scenario could materialize. We’re happy to show you how we executed that strategy, why we invested in certain capabilities versus others, and why, despite having suffered this event, we were confident in the maturity of our cybersecurity program.

Most importantly, because we knew that this scenario, and the magnitude of it, was possible, we’ve constantly been evolving and testing a response plan that you will now see in action, backed by a comprehensive, large-dollar-limit insurance program that we anticipate will pay for most, if not nearly all, of the costs and liabilities that result. We’re not naïve enough to think that there are no painful days ahead or that this won’t cost a lot of money, but we are confident that we will weather the storm.”

None of the aforementioned companies have taken such a position. If any had, individuals would have been less likely to lose their jobs, long-term liabilities would have been less likely to materialize, trust could have been more quickly regained, and executives, directors, and officers would have been able to evidence an approach that should meet a ‘duty of care’ test.

Sadly, most companies can’t come anywhere close to meeting that test. Why? Because the current approach to cybersecurity is fatally flawed. Companies blindly rely on assessments and let their guard down until next year, after all of the recommendations have been implemented. Those very recommendations are based almost entirely on threats and vulnerabilities ranked “high,” because what consultant is willing to rank something low and risk being wrong? Insurance is typically bought not by attempting to understand actual exposure in dollars and cents, but by asking what your frenemies are buying. Security folks speak an entirely different language than risk management folks, who in turn speak a different language than executives and Boards of Directors. When that’s the current reality, the Tower of Babel stands no chance of even being started.

The good news is that entirely changing the paradigm is not that difficult and only requires three and a half components:

  1. Understand your exposure, in financial terms. Start by asking one question: “If a cyber event happens to us, what might it look like?” Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be. Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury? Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the cost of those events materializing. It might lack engineering precision, but it’s an important start. The exercise is successful 99% of the time, with the 1% attributable to the company that believes the guy or gal who stonewalls the process with the inevitable “That is totally impossible.”
  2. Utilize a maturity based cyber evaluation framework and align it with the scenarios that you’ve quantified in step one. Why maturity based? Because that approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often produce a false sense of confidence once the checklist is complete and the compliance framework met. And why align the methodology with the scenarios? Because that is the only way to prioritize the universe of tens of thousands of technologies and controls that all claim to be the silver bullet that solves the latest vulnerability. The current paradigm ranks everything “high” and “critical;” the new paradigm says to focus first on the high-cost scenarios that would be the most impactful, and work down from there.
  3. Maintain the resources and financial ability to recover from a meaningful event. At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others. How do you get there? See Step One.
  4. (3.5) Benchmark against peers when possible. Cyber risk management is a shared responsibility, and in a world where standards and certifications can only provide a floor, the rising-tide dynamic is the only means to stay as close to, or as far ahead of, the curve as possible. All of the aforementioned components contribute to that dynamic: Are you as good as, or ideally better than, the median marker for the maturity of your cyber program, for what’s at risk from an exposure standpoint, and for whether you have appropriate abilities and financial resources to recover from an event?

Put it all together and you can confidently and continuously validate that you are meeting your duty of care for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from an unfortunate event.”



Copyright 2018 Axio Global, Inc.
