Cybersecurity

A New Litmus Test for Board Directorships


by Michael O’Halleran, Experienced Public Company Director

February 21, 2019

Over the course of my career I’ve had the privilege to serve on numerous Boards of Directors of both public and private organizations. It’s a great honor to have the shareholders and stakeholders of an organization put trust in you, and fellow board members, to watch out for their interests as the highest stewards of that organization. It’s also an honor that comes with great responsibility because if the Board fails, individual board members can be held personally liable.

That’s why deciding to accept a directorship requires meaningful thought.  There’s no failsafe playbook for this decisioning process but elements certainly need to include an evaluation of what the business does and what markets it operates in, whether the management team has shown itself to be competent and trustworthy, and at a practical level, if the company maintains the right type of D&O insurance.  Some of these elements might be personal in nature such as whether you support the nature of the business itself, and some are very practical like confidence in management.

I’ve used my own decisioning framework consistently for many years until very recently when it became necessary to add a new and very practical element: the need to understand how the organization understands and manages its cyber risk.  It’s an issue that has become too important, and too relevant to the Board, to simply trust as a byproduct of trusting management and believing that the organization probably spends a lot of money and has smart cybersecurity folks.

That’s because events of the last few years have shown that spending a lot of money and having smart cybersecurity folks does not solve the problem.  Companies like Maersk, Merck, FedEx, Marriott and others all presumably had seasoned cyber leaders, spent extraordinary amounts of money and thought that their insurance programs were sound, only to look back on major events that cost hundreds of millions of dollars and wonder how they could have gotten everything so wrong.  That, coupled with the SEC’s 2018 guidance on how companies should achieve a proactive understanding of their cyber risk, Moody’s announcement that it will start considering cybersecurity in financial ratings, and the recent D&O settlement related to Yahoo’s security breach, definitively embeds cybersecurity as a Board of Directors concern.

Therefore as a Board concern and one that speaks specifically to a Board’s fiduciary responsibility, prospective Board members ought to evaluate cybersecurity specifically.  But how, given the deeply technical nature of the concern and language that is foreign to most people outside of the cybersecurity discipline?

My advice is to use the following four-part evaluation framework:

ONE

Understand the cyber risk of the organization in business terms.

Meaning what type of cyber events could the organization suffer, and what costs and losses would result from that variety of events?  Not only does this approach make cyber risk comprehensible to you, but whether the organization can articulate its risk this way is a great initial litmus test of how well it understands it.  If the question can’t be answered, that’s a red flag.

TWO

Understand how the organization manages its cyber risk.

The most important component is an understanding of the methodologies or frameworks used to guide the strategy. Does the organization do an annual assessment, fulfill the recommendations and call it a day until the next time around? Or does it use a maturity-based methodology that drives continual understanding, road-mapping, and evolving?

THREE

Understand the organization’s recovery ability.

Is the organization prepared to respond to and recover from the variety of events described in step one?  Can it pay for the anticipated costs and losses?  Is the right insurance portfolio in place, recognizing that for many organizations, insurance for cyber risks requires a combination of insurance types and not just a single “cyber insurance” policy?

FOUR

Gain confidence with the data behind these components and what drives decision making.

Ideally, you want to gain confidence that the organization has aligned its controls and processes to its greatest areas of risk and is not just plugging holes. That’s the difference between a risk-based approach and compliance approach, the latter being a vastly inferior way to manage the problem (despite necessity in some industries).

A good way to contextualize this all is to imagine yourself at the emergency board meeting called when the organization suffers a major security event and is on the cusp of having to announce it.  Do you want the board briefing to sound something along the lines of “We’ve suffered a serious cyber event that we had no idea was possible.  We thought we had the right controls in place and we spent a lot of money on a lot of different things but it looks like we missed something obvious.  We’re scrambling to find folks that can help and we think we bought the right insurance.  We’ll figure all of that out over the next days and weeks.”

Alternately, “We’ve suffered a serious cyber event but one that we’re prepared for because we understood our risk and we can prove that our cybersecurity strategy was operating at a very mature level.  The damage is far less than it would have been and we’re now activating the recovery plan designed for this situation.  Further, we should have sufficient insurance proceeds to cover the majority of losses.  We’re going to be ok.”

The first briefing sadly happens time and time again.  The latter is from the type of organization that I’d be proud to serve on the Board of, and that’s why it’s important to consider cybersecurity when evaluating a Board opportunity.

Contact Axio today to learn more about how your organization can better manage cyber risk.

Making Sense of the NIST CSF

How I Learned to Stop Worrying about Ambiguity and Love the NIST CSF

by Craig Shuster, Axio Director of Cyber Engineering

November 27, 2018

Of course, the whole point of a Doomsday Machine is lost, if you keep it a secret!

Dr. Strangelove

The Framework for Improving Critical Infrastructure Cybersecurity (aka the NIST Cybersecurity Framework, aka the NIST CSF) offers security organizations a framework to build, manage, and measure their cybersecurity programs.

However, when reading the document, it can feel like the actual framework is a secret—much like Dr. Strangelove’s doomsday device. I don’t actually believe the framework is a secret, but there is a certain level of decoding that organizations need to do to understand how to apply the CSF.

But before I dig into how, let’s look at why the NIST CSF is even worth decoding in the first place. After all, your time is finite. Is it worth the effort to understand the CSF as a framework for your cybersecurity program? We think that it is.

As we’ve written previously, the NIST CSF can help security professionals overcome the three hurdles of security maturity reporting. These are: building a shared language with executives and the board of directors, facilitating complex cybersecurity conversations, and mapping cybersecurity assessment findings to cybersecurity roadmaps.  It’s critical that security organizations overcome these challenges because boards and executives are becoming increasingly interested in cybersecurity planning and strategy. Once you have the Board’s attention, you need to present a cybersecurity assessment they’ll actually care about. That’s where the NIST CSF fits in.

OK, so let’s dig in. The NIST CSF is structured into four core elements (the counts below are those of CSF version 1.0; version 1.1, released in April 2018, expanded the Core to 23 Categories and 108 Subcategories):

  • Five Functions
  • Twenty-two Categories
  • Ninety-eight Subcategories
  • Numerous Informative References

The Functions and Categories are generally a grouping methodology. The Subcategories are described by NIST as “specific outcomes of technical and/or management activities.” It is excellent to know what outcomes an organization should look for from a cybersecurity program. However, if the desired outcome for a Subcategory is not being achieved, what activities should an organization start to perform or enhance to achieve that outcome? This information isn’t spelled out in the NIST CSF document. You need to dig into the Informative References.

The Informative References section includes references to a number of standards, guidelines, and practices, including the Center for Internet Security Critical Security Controls, COBIT, ISO 27001, and NIST SP 800-53. These resources are great tools that organizations can use while determining the cybersecurity controls and activities that will be the most beneficial to the organization’s cybersecurity posture. For example, NIST SP 800-53 contains over 700 cybersecurity controls and control enhancements that can be leveraged to meet the outcomes included in the NIST CSF Subcategories. That alone can be overwhelming—if you go it alone.

In order to assist organizations build, manage, and measure their cybersecurity programs with the NIST CSF, we have created the NIST CSF Edition on the Axio360 platform. The Axio360 platform enables organizations to evaluate their cybersecurity programs using the NIST CSF (as well as the Cybersecurity Capability Maturity Model (C2M2)). The NIST CSF Edition of the Axio360 platform contains direct linkage to the NIST SP 800-53 controls that correlate with the NIST CSF Subcategories, which allows users to quickly and easily dive deeper into areas and controls where additional information is required. Users are then able to use the Axio360 platform to create Action Items and Targets against which the organization can manage.

These resources on the Axio360 platform ensure that organizations are driving towards cybersecurity industry best practices and have the means to measure themselves against targets they can set for themselves.

By providing a framework for assessing and communicating the organization’s cybersecurity posture, the NIST CSF accomplishes several very important objectives. However, there is a gap when organizations look for guidance on shoring up their weaknesses. This is where the Axio360 platform comes into play. And we’d love to show you how.

Using NIST CSF to Overcome the 3 Hurdles of Security Maturity Reporting

by Jason Tugman, V.P. Cyber Risk Engineering

December 18, 2018

A key challenge for cybersecurity professionals is communicating their organization’s cybersecurity successes and challenges to senior leadership, each of whom is likely to have varying degrees of technical understanding. However, finding a shared language—one that strikes a balance between ambiguity and complexity—is critical to an organization’s ability to form a unified understanding of its security maturity. Communicating without a shared language can result in frustration or, worse, a misrepresentation or misunderstanding of a critical cybersecurity challenge.

In this blog post I’ll discuss how the NIST Cybersecurity Framework’s (CSF) Framework Core can help you overcome the three hurdles of security maturity reporting. I’ll also demonstrate how the Axio360 Dashboard leverages the Framework Core to generate board-ready information graphics that enable cyber risk and security professionals to clearly communicate the security maturity of an organization.

Hurdle #1: Building a Shared Language

The first hurdle on our way to effective security maturity reporting is finding a shared language that enables unambiguous communication to technical and non-technical executives and board members. Thankfully, the CSF Framework Core [1] offers a solution for framing these nuanced cybersecurity conversations.

According to NIST, “The Framework Core consists of five concurrent and continuous Functions – Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.” [2]

In more detail, these five functions are:

The 5 Functions of the NIST CSF Framework Core

Identify

Develop an organizational understanding to manage cybersecurity risk to the systems, people, assets, data, and capabilities.

Protect

Develop and implement appropriate safeguards to ensure delivery of critical services.

Detect

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Respond

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

Recover

Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. [3]

As you can see, the CSF Framework Core Functions are commonly understood verbs, and each has a clear call to action associated with it. Thus, the Functions can set the stage for operative-level communications. Security professionals can align the organization’s security maturity roadmaps, metrics, programs, and initiatives with each of the five Functions.

In Hurdle #3 we will discuss how Axio360 natively supports the CSF Functions in both the CSF and C2M2 (DOE Cybersecurity Capability Maturity Model) Dashboards.

Hurdle #2 – Facilitating Complex Cybersecurity Conversations

The second hurdle on our way to effective security maturity reporting is distilling complex, often multi-threaded, cybersecurity projects and initiatives.

Having established the CSF Framework Core as our common language, we can begin to communicate the successes and challenges of our cybersecurity programs through their respective Functions. A sampling of topics by CSF Function can be found in the below table.

As you can see, framing a cybersecurity discussion within the context of the CSF Functions provides context and clarity for every member of the board regardless of their technical knowledge.

Hurdle #3 Mapping Cybersecurity Assessment Findings to Cybersecurity Roadmaps

The third, and probably most important, communication hurdle is having the ability to correlate recent cybersecurity assessment findings to security investment requests. No amount of improvement in the communication of what or how of our cybersecurity program will compensate for our inability to communicate the why:  Why a security investment is needed; why a project is on the roadmap; why one project requires priority over another.

CSF Functions are natively integrated into the Axio360 dashboard, so no matter if you are performing a CSF or C2M2 assessment, you have the ability to talk about the organization’s security maturity directly through the language of CSF.

Axio360 allows you to communicate workstreams, target profiles, mitigation projects, and security investments using the CSF Functions.

Bringing it all together: Connecting Security Maturity Reporting/Metrics and Cybersecurity Initiatives

Framing a conversation through the CSF Functions allows for easy correlations to be drawn, and understood, between the Functions. For example, it allows you to say, “We lack a capability to Identify all of our assets (ID.AM). While we have robust applications and processes in place to Protect Access (PR.AC), those protections are only effective for our known assets. We are seeking a security investment to improve our ability to Identify organizational assets. Doing so will allow us to ensure that all assets are not only inventoried, but they have the appropriate controls in place to Protect access to them.”
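The reasoning in that statement, together with the Function / Category / Subcategory / Informative Reference structure described in “Making Sense of the NIST CSF” above, can be modeled directly. The Python below is an added illustrative example, not Axio360 code and not part of the original post: the subcategory identifiers (ID.AM-1, PR.AC-1, and so on) are real CSF v1.1 identifiers, but the tier scores, the SP 800-53 control references attached to each subcategory, and the rule that PR.AC outcomes are capped by the ID.AM inventory are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# CSF Functions keyed by the two-letter prefix used in subcategory identifiers.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
SID_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")

# Assumed dependency map, not part of the CSF: a Protect outcome scoped to
# "known assets" is only as effective as the asset inventory (ID.AM) behind it.
DEPENDENCIES = {"PR.AC": ("ID.AM",)}


@dataclass(frozen=True)
class Subcategory:
    sid: str            # CSF identifier, e.g. "ID.AM-1"
    outcome: str        # outcome statement (paraphrased here)
    current: int        # current implementation tier, 0..4
    target: int         # target tier, 0..4
    references: tuple   # illustrative SP 800-53 control ids (assumed mapping)

    def __post_init__(self):
        if not SID_RE.match(self.sid):
            raise ValueError(f"malformed subcategory id: {self.sid}")
        if not (0 <= self.current <= 4 and 0 <= self.target <= 4):
            raise ValueError(f"tiers must be 0..4: {self.sid}")

    @property
    def function(self):
        return FUNCTIONS[self.sid[:2]]

    @property
    def category(self):
        return self.sid.split("-")[0]   # "ID.AM-1" -> "ID.AM"


# Constructed sample profile; scores and control references are made up.
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried", 1, 3, ("CM-8", "PM-5")),
    Subcategory("ID.AM-2", "Software platforms and applications are inventoried", 1, 3, ("CM-8",)),
    Subcategory("PR.AC-1", "Identities and credentials are managed", 3, 3, ("AC-2", "IA-2")),
    Subcategory("PR.AC-4", "Access permissions follow least privilege", 3, 4, ("AC-3", "AC-6")),
    Subcategory("DE.CM-1", "The network is monitored for events", 2, 3, ("SI-4",)),
    Subcategory("RS.RP-1", "Response plan is executed during an incident", 2, 3, ("IR-8",)),
    Subcategory("RC.RP-1", "Recovery plan is executed during an incident", 1, 3, ("CP-10",)),
]


def category_tier(profile, category):
    """Weakest current tier within a category (an inventory is only as good
    as its least complete part)."""
    tiers = [s.current for s in profile if s.category == category]
    if not tiers:
        raise KeyError(f"category not assessed: {category}")
    return min(tiers)


def effective_tier(profile, sub):
    """Current tier of `sub`, capped by the weakest category it depends on."""
    cap = sub.current
    for dep in DEPENDENCIES.get(sub.category, ()):
        cap = min(cap, category_tier(profile, dep))
    return cap


def gaps_by_function(profile):
    """Per-Function average of effective and target tiers: the board view."""
    view = {}
    for code, name in FUNCTIONS.items():
        subs = [s for s in profile if s.sid.startswith(code)]
        if subs:
            view[name] = (sum(effective_tier(profile, s) for s in subs) / len(subs),
                          sum(s.target for s in subs) / len(subs))
    return view


def prioritized_gaps(profile):
    """Subcategories below target, largest effective gap first, each with the
    controls to read next (the Informative References step)."""
    rows = [(s.sid, s.target - effective_tier(profile, s), s.references)
            for s in profile]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, (cur, tgt) in gaps_by_function(SAMPLE_PROFILE).items():
        print(f"{name:8s} effective {cur:.2f}  target {tgt:.2f}")
    for sid, gap, refs in prioritized_gaps(SAMPLE_PROFILE):
        print(f"{sid}: {gap} tier(s) short, see {', '.join(refs)}")
```

The dependency cap is what turns the board statement into a number: PR.AC-1 scores tier 3 on its own, but because the asset inventory (ID.AM) sits at tier 1, its effective tier is 1, and the Protect Function reports against the capped value rather than the flattering one. The prioritized list pairs each gap with the controls to read next, which is the step the text says the CSF document itself leaves to the Informative References.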

Even better: The Axio360 platform does the work for you—correlating your organization’s security maturity roadmaps, metrics, programs, and initiatives, with each of the five Functions. This has the power to transform how you communicate to senior leadership. Using Axio360’s native integration with the CSF Functions, you now communicate a unified understanding of your organization’s cybersecurity posture.

 

SOURCE

[1] (NIST, pp. 6-8)
[2] (NIST, p. 3)
[3] (NIST, 2018, pp. 9-8)

Works Cited

NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity Ver.1.1. National Institute of Standards and Technology.

Moody’s; The Cybersecurity Trifecta for Boards of Directors

Intent to rate cybersecurity risk is the third major Board of Directors wake-up call

by Scott Kannry, CEO, Axio and Scott Underwood, Director of Business Development, Axio

November 27, 2018

The past 36 months have seen two significant developments that should have woken up Boards of Directors to their cybersecurity obligations.

First, a spate of high-profile cyber events, namely those experienced by Equifax, Maersk, Mondelez, FedEx and others, proved that regardless of money spent on protection, employing high-caliber cybersecurity professionals, and good intentions to purchase the right amount of insurance, current cybersecurity approaches were not working.  And in Equifax’s case, the severity of the event resulted in a CEO and CISO change and securities class action litigation that remains ongoing.

Second, in February of this year, the SEC released updated cybersecurity disclosure guidance that implored companies to disclose their understanding of cyber risk versus mere disclosure of events after the fact.  As Axio’s post on that announcement noted, “By forcing companies to identify and publish their ongoing cyber risks, [the SEC] is elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.”  Subsequent to this disclosure, the SEC didn’t waste much time evidencing its intent to act when it fined Altaba (formerly Yahoo!) $35M for failing to disclose its breach in a timely manner.

And now, the Trifecta – an announcement by Moody’s that it will soon start incorporating an evaluation of an organization’s risk of a major cyber event into its existing credit ratings, with the future possibility of offering stand-alone cyber risk ratings.  While the specific means by which Moody’s will accomplish this have not yet been disclosed (and may never be disclosed), the impact of such a decision cannot be ignored because of the importance of Moody’s ratings to the investment landscape.  Simply put, if Moody’s issues an unfavorable rating based on its analysis that an organization lacks cybersecurity maturity, that organization could expect to incur higher borrowing costs at a minimum and could suffer further if other entities or investors use the ratings beyond investment transactions.

If the previous two series of events did not garner appropriate Board of Director attention, hopefully Moody’s announcement does.  Because unlike those events, an unfavorable rating from Moody’s could cost a company a considerable amount of money and thus precipitate an argument that the company’s executives and Board of Directors are not fulfilling their fiduciary responsibility.  This announcement and the potential implications should not be disregarded.  So what are companies and their Boards of Directors to do?

Luckily, achieving appropriate cybersecurity understanding and management is very achievable today, and presumably in a way that could be used to answer any questions raised by Moody’s and others:

ONE

Understand your cyber risk exposure as it relates to the business and in financial terms.

Start by asking one question: “If a cyber event happens to us, what might it look like?” Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be. Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury? Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the impact of those events. Gaining this knowledge is especially critical if Moody’s independently attempts to estimate your financial exposure to a catastrophic cyber event. They simply won’t be able to achieve the same level of accuracy without knowing how the organization ticks on a daily basis. You have that knowledge and can use it to your advantage.

TWO

Utilize a maturity based cyber program management framework, such as NIST-CSF or the C2M2.

Align it with the scenarios that you’ve quantified in step one, and ensure that it is reported to the Board in an understandable manner. Why one of these maturity models? Because a maturity-based approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often produce a false sense of confidence once the checklist is complete and the compliance framework met. And why align the methodology with the scenarios? Because that connects the cybersecurity program with the business, a critical link for Boards to effectively understand the cyber program. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for folks like Moody’s that you are focused on appropriately protecting the long-term health of the organization.

THREE

Maintain the resources and financial ability to recover from a meaningful event.

At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others. How do you get there? See Step One.

FOUR

Evidence all of the aforementioned components with peer benchmarking and best practices insight.

Because cyber risk is incredibly dynamic, and traditional means of risk management such as complying with standards or achieving certifications can only serve as a baseline, benchmarking and best practices insight can be the best way to prove cybersecurity maturity. Is your cyber exposure in line with or more favorable than your peers’? Is your cyber program in line with or more favorable than your peers’? Have you purchased an insurance program that is in line with or more favorable than your peers’?

Put it all together and a Board of Directors can confidently and continuously validate that the organization is meeting its fiduciary responsibility for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from a major event, and we can provide evidence.”
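Steps one and three above describe a procedure: enumerate loss scenarios, estimate their cost components, and test whether the insurance portfolio and reserves would actually pay for them. The Python below is an added illustrative example, not an Axio tool and not part of the original post: the scenarios, dollar figures and policy terms are constructed, and the settlement rules (retention subtracted once per policy, sublimits, losses paid in listed order, unpaid remainder flowing to the next responding policy, no coinsurance or exclusions) are simplifying assumptions. Whether a real property or crime policy responds to a cyber-triggered loss depends on its wording.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    name: str
    losses: dict        # loss category -> estimated loss in dollars (constructed)


@dataclass(frozen=True)
class Policy:
    name: str
    covers: frozenset   # loss categories this policy responds to (assumed)
    retention: float    # per-event retention (deductible)
    limit: float        # per-event limit
    sublimits: dict = field(default_factory=dict)   # category -> sublimit


# Constructed scenarios from the step-one exercise; figures are illustrative.
SCENARIOS = [
    Scenario("Ransomware outage",
             {"forensics": 2e6, "business_interruption": 30e6, "restoration": 5e6}),
    Scenario("Wire fraud via spoofed executive email",
             {"stolen_funds": 4e6, "forensics": 0.2e6}),
    Scenario("Process-control compromise",
             {"forensics": 1e6, "property_damage": 20e6,
              "bodily_injury": 10e6, "business_interruption": 15e6}),
]

# Constructed portfolio. Whether a real property or crime policy responds to a
# cyber-triggered loss depends on its wording; here it is simply assumed.
PORTFOLIO = [
    Policy("cyber", frozenset({"forensics", "notification", "business_interruption",
                               "restoration", "legal_liability"}),
           retention=1e6, limit=25e6, sublimits={"business_interruption": 10e6}),
    Policy("crime", frozenset({"stolen_funds"}), retention=0.25e6, limit=5e6),
    Policy("property", frozenset({"property_damage", "business_interruption"}),
           retention=0.5e6, limit=50e6),
]


def apply_policy(remaining, policy):
    """Pay what `policy` owes on the still-unpaid losses in `remaining`.

    Covered categories are pooled (each capped by its sublimit), the retention
    is subtracted once, the result is capped by the limit, and the payment is
    applied to the categories in listed order. Mutates `remaining` and returns
    the amount paid. Simplifications: no coinsurance, no exclusions beyond the
    `covers` set.
    """
    payable = {cat: min(amt, policy.sublimits.get(cat, float("inf")))
               for cat, amt in remaining.items()
               if cat in policy.covers and amt > 0}
    pool = sum(payable.values())
    payment = max(0.0, min(pool - policy.retention, policy.limit))
    left = payment
    for cat, amt in payable.items():
        paid = min(amt, left)
        remaining[cat] -= paid
        left -= paid
    return payment


def settle(scenario, policies):
    """Run the whole portfolio over one scenario.

    Returns (total_loss, recovered, uninsured_by_category); whatever one policy
    does not pay in full flows on to the next policy that covers that category.
    """
    remaining = dict(scenario.losses)
    recovered = 0.0
    for policy in policies:
        recovered += apply_policy(remaining, policy)
    uninsured = {cat: amt for cat, amt in remaining.items() if amt > 0}
    return sum(scenario.losses.values()), recovered, uninsured


def uncovered_categories(scenarios, policies):
    """Loss categories that appear in some scenario but that no policy responds to."""
    covered = set().union(*(p.covers for p in policies))
    needed = set().union(*(s.losses.keys() for s in scenarios))
    return needed - covered


def scenarios_exceeding_reserves(scenarios, policies, reserves):
    """Scenarios whose uninsured remainder is more than the reserves can absorb."""
    return [s.name for s in scenarios
            if sum(settle(s, policies)[2].values()) > reserves]


if __name__ == "__main__":
    for s in SCENARIOS:
        loss, paid, gap = settle(s, PORTFOLIO)
        print(f"{s.name}: loss {loss / 1e6:.1f}M, insured {paid / 1e6:.1f}M, uninsured {gap}")
    print("no policy responds to:", uncovered_categories(SCENARIOS, PORTFOLIO))
    print("exceed 5M reserves:", scenarios_exceeding_reserves(SCENARIOS, PORTFOLIO, 5e6))
```

Two things the numbers show that the prose only asserts: the wire-fraud scenario lands almost entirely on the crime policy, because the cyber policy’s retention exceeds the forensics cost, and the process-control scenario carries a bodily-injury loss that no policy in the portfolio responds to at all. That second finding is exactly what step three is meant to surface before the event rather than at the emergency board meeting.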

Outrunning the Bear

A Cybersecurity Assessment Boards Actually Care About

by Jason Christopher, Axio Chief Technology Officer

November 5, 2018

Boards and executives are becoming increasingly involved in cybersecurity planning and strategy discussions. This is a marked improvement over the last decade, much of which is due to media-catching headlines and public incidents. But those headlines are a double-edged sword. Now executives not only want to know how their organization is doing with regards to cybersecurity, but also how they compare to their peers.

In my recent Forbes piece, I discuss the usefulness of maturity models and specifically discuss the use of the Cybersecurity Capability Maturity Model (C2M2) and the NIST Cybersecurity Framework (CSF). Both of these bodies of work contain guidance for new and existing programs while also providing a self-assessment methodology for evaluating your organization’s cybersecurity practices. As the former technical lead for the C2M2 and the federal energy sector lead for the CSF, I have been able to see both programs evolve across industry, but they always lead to the same question by executives—“But how do we benchmark across industry?”

There’s no mystery as to why this question comes up—cybersecurity is full of acronyms, terms of art, and is deeply technical. It may not always be obvious what steps to take next. And while maturity models inherently describe how to “crawl, walk, and run,” some organizations may rightfully ask, “do we really need to run right now, or is walking fine for our cybersecurity program?” Well, as the old adage goes, when fleeing from a bear at a picnic, you do not need to be faster than the bear—just the person next to you. Some executives, whether right or wrong, may just want to know if the person next to them is running faster.

At Axio, we believe maturity models have a vital place in program management. But we also understand the power of benchmarking and data analytics. That’s why our Axio360 platform leverages both. Not only can you evaluate your program using either the C2M2 or CSF, but you can also provide valuable benchmarking analytics to boards and executives. Combined with the other elements of Axio360, including cyber risk quantification and insurance analysis, your security program will be equipped with meaningful metrics. We’ve seen clients use our platform to support budget justifications, hiring additional resources, and getting further executive buy-in on important security and financial controls.

At the end of the day, executives want to know the right thing is being done. Maturity models, and data analytics, can provide that peace of mind. Read more about the C2M2 and CSF and see how these self-assessments can help your program.

Agenda Item #1 for the Next Board of Directors Meeting

October 26, 2018

A Duty of Care for Cybersecurity

This past summer we witnessed various blue-chip firms like Maersk, Merck, FedEx and Mondelez, none of whom likely anticipated the reality of a major cyber event, all declare major impacts on operations and in some cases a resulting impact of hundreds of millions of dollars in losses.  The leaves are now falling and so are the executives at Equifax, with more almost certainly on the way, compensation clawbacks being discussed, and years of litigation ahead.  Most recently we’ve seen Deloitte suffer the exact fate that it proudly attempts to help thousands of clients avoid.  While all of these companies are different, they likely share a common thread of investing an incredible amount of money in security technology, employing many capable security professionals, and thinking that their losses would be insured.  Does anybody still believe that the current cybersecurity paradigm is working?

Cybersecurity should be at the top of every upcoming executive and board of directors meeting.  Rather it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and a host of other reasons in between.  But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that “something similar must never happen to us.” That is futile.

The right way to look ahead is to consider an alternative world for a company, where a serious event still occurs, but where management can explain to the board, shareholders, and customers that:

“We’re unfortunately announcing that we have suffered a major cyber event. Surely some painful days lie ahead for our business, but we’ll get through this. Please let me explain.

The event that we’re experiencing is one that we knew was possible. Our reliance on technology runs so deep that eliminating this type of scenario could only have been accomplished by shutting down the business. So we built a cybersecurity strategy around the very possibility that this type of loss scenario could materialize. We’re happy to show you how we executed that strategy, why we invested in certain capabilities versus others, and why, despite having suffered this event, we were confident in the maturity of our cybersecurity program.

Most importantly, because we knew that this scenario, and the magnitude of it, was possible, we’ve constantly been evolving and testing a response plan that you will now see in action, backed by a comprehensive and large dollar limit insurance program that we anticipate will pay for most, if not nearly all, of the costs and liabilities that result. We’re not so naïve as to think that there are no painful days ahead or that this won’t cost a lot of money, but we are confident that we will weather the storm.”

None of the aforementioned companies have taken such a position. If any had, individuals would have been less likely to lose their jobs, long-term liabilities less likely to materialize, trust could have been regained more quickly, and executives, directors, and officers would have been able to evidence an approach that should meet a ‘duty of care’ test.

Sadly, most companies can’t come anywhere close to meeting that test. Why? Because the current approach to cybersecurity is fatally flawed. Companies blindly rely on assessments and let their guard down until next year after all of the recommendations have been implemented. Those very recommendations are based almost entirely on threats and vulnerabilities ranked “high” because what consultant is willing to rank something low and risk that they are wrong? Insurance is bought typically not by attempting to understand actual exposure in dollars and cents, but by asking what your frenemies are buying. Security folks speak one language, risk management folks another, and executives and Boards of Directors a third. When that’s the current reality the Tower of Babel stands no chance of even being started.

The good news is that entirely changing the paradigm is not that difficult and only requires three and half components:

  1. Understand your exposure, in financial terms.  Start by asking one question: “If a cyber event happens to us, what might it look like?”  Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be.  Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury?  Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the cost of those events materializing.  It might lack engineering precision but it’s an important start. The exercise is successful 99% of the time, with the 1% attributable to the company who believes the guy or gal that stonewalls the process with the inevitable “That is totally impossible.”
  2. Utilize a maturity-based cyber evaluation framework and align it with the scenarios that you’ve quantified in step one. Why maturity-based? Because that approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often produce a false sense of confidence once the checklist is complete and the compliance framework met. And why align the methodology with the scenarios? Because that is the only way to prioritize the universe of tens of thousands of technologies and controls that all claim to be the silver bullet and solve the latest vulnerability. The current paradigm ranks everything “high” and “critical;” the new paradigm says to focus first on the high-cost scenarios that would be the most impactful, and work down from there.
  3. Maintain the resources and financial ability to recover from a meaningful event.  At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others.  How do you get there?  See Step One.
  4. (3.5) Benchmark against peers when possible. Cyber risk management is a shared responsibility, and in a world where standards and certifications can only provide a floor, the rising-tide dynamic is the only means to stay as close to, or as far ahead of, the curve as possible. All of the aforementioned components contribute to that dynamic: whether you are as good as, or ideally better than, the median for the maturity of your cyber program, for what’s at risk from an exposure standpoint, and for whether you have the appropriate abilities and financial resources to recover from an event.

Put it all together and you can confidently and continuously validate that you are meeting your duty of care for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from an unfortunate event.”


UPDATE – SEC’s New Cybersecurity Risk Guidelines

by Axio

October 25, 2018

As we noted in our recent piece “What do the SEC’s New Cybersecurity Risk Guidelines Mean for You as a Board Member?”, the Commission is increasingly focused on cyber risk as it pertains to disclosure requirements.

The 2018 guidance addressed one of the criticisms of the original 2011 guidance – namely, that it lacked the teeth of enforceability – and statements by Chairman Clayton and others left little doubt that cyber disclosures were near the top of the SEC agenda. Perhaps it shouldn’t come as a surprise then, that on April 24th the SEC reported a $35 million agreement with Altaba (formerly Yahoo) for a multi-year delay in reporting a 2014 data breach.

This is the first enforcement action of its kind following the new SEC guidance. There is no doubt that a message is being sent to reporting companies with this action. As Jina Choi, Director of the SEC’s San Francisco Regional Office, commented, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” We suspect this will be the first of a number of similar actions, but stress that appropriate and comprehensive cyber disclosure practices are readily achievable.

Key Cyber Security Trends in the Utilities Sector

by Axio

March 20, 2018

At Axio, we are committed to helping companies quantify the impact of a potential cyber event. What would it mean to a company’s bottom line? What vulnerabilities exist in an enterprise’s security controls and insurance programs? And from an investment standpoint where does it make the most sense to effectively reduce cyber risk?

For all these reasons and more, we are extremely pleased to announce a new strategic partnership with North Highland, a global management consulting firm. We will be providing North Highland’s energy and utilities clients with our unmatched technology and services, all geared to addressing and protecting against cyber security events.

Our partnership with North Highland focuses on delivering:
· Exposure Quantification. Understanding the types and scale of financial impacts that could arise from a complex cyber event.
· Cyber Program Evaluation. Measuring the current maturity of the cyber security program, establishing a targeting profile, and building the plan to achieve higher maturity.
· Insurance Analysis & Stress Test. Understanding the organization’s ability to recover from a complex and costly cyber event, and how the insurance portfolio will respond.

North Highland Vice President Stephen Kinney notes the importance of the utilities industry to the world, and why, therefore, it’s critical that utility companies take a risk-based approach to cybersecurity, in his latest post, Key Cyber Security Trends in Utilities Sector:

Utilities are evolving fast through digitization. More assets are getting connected today than ever in order to become agile, customer focused and innovative. This leaves the sector vulnerable to cyber attacks, as has been witnessed throughout the world in recent years.

Stephen Kinney

Six Cyber Risk Insights From AIG and Axio’s Executive Risk Summit

by Hanno Ekdahl And Jeff Luther

March 15, 2018

Idenhaus recently attended AIG and Axio’s Executive Risk Summit, which brought together a panel of insurance experts to discuss Cyber Risk management. Cyber exposures are expanding rapidly as businesses move their IT systems to the cloud and adopt the Internet of Things (IoT) and Bring Your Own Device (BYOD). These changes introduce fundamental new threats to businesses of all sizes and shapes. This half-day conference cited recent examples to identify these threats and shared how businesses can mitigate risk with technology, insurance, and training.

Broader questions that were discussed included:

  • How is the insurance market responding?
  • Are current policies providing adequate coverage? If not, where are the gaps?
  • Have businesses considered the impact of a breach that causes significant business interruption?
  • Have they considered the need to more closely evaluate their partners and vendors to ensure they are compliant with best practices?

The panel was moderated by Forrest Pace and featured the expertise of David White, Founder and Chief Operating Officer of Axio; Guenter Kryszon, Head of Large Limits & Terrorism Property, AIG; and Garin Pace, Cyber Product Leader – Financial Lines & Property, AIG.

Here are 6 insights from the Cyber Risk discussion at the Executive Risk Summit at TechSquare Labs in Atlanta, GA:

1. The number of cybersecurity intrusions and breaches has grown exponentially in the past year.

Equifax is a case in point. The breach affected at least 143 million consumers and is still making headlines with the former CIO being charged with selling $1 million in company stock prior to the breach announcement in September 2017.

TRITON/TRISIS represents the first-ever malware to infect safety-instrumented systems (SIS) equipment. Industrial sites such as oil, gas, and water utilities typically run multiple SISes to independently monitor critical systems to ensure they are operating within acceptable safety thresholds, and when they are not, the SIS automatically shuts them down. This malware was clearly designed to harm people and property and was not about making money, representing a new rationale for creating malware that raises the risk profile. Weaponized malware has created a new set of threats that organizations are just beginning to understand.

Losses like these may not be covered under traditional insurance programs because they may be classified as an act of terrorism, or fall under property coverage. Panelists discussed current ambiguity over property coverage for cyber-related risks and ways to find solutions that clarify appropriate coverage for buyers.

  • Property programs are complementing cyber policies and are part of managing the business’ cyber exposure.
  • GOAL: Stability in the insurance program so that rates do not fluctuate wildly and coverage is adequate.
  • Look at 2017 from a threat perspective, particularly events such as Reaper, Petya (EternalBlue), and WannaCry.
  • How can companies quantify the risk?

This is not an IT problem, it’s an enterprise problem.

Garin Pace

2. This is an enterprise issue, not just an IT concern, and insurance underwriting must take this into consideration.

The enterprise needs to understand the impact as it is incorporated into the insurance underwriting for the business. This is best considered based on scenarios the enterprise faces. This includes concerns with:

  • Business continuity
  • Availability
  • Confidentiality
  • Integrity
  • Possible financial loss to the enterprise

 3. The more connected we become, the more risk we introduce.

  • Electronic Medical Records are now being attacked.
  • The Internet of Things was not designed with a security-first mentality.
  • There are chips in everything.
  • What is the cost and time to restore business when continuity is interrupted?

4. We lack clarity on the long-term effects of business interruption.

What happens when just-in-time manufacturing and the supply chain are interrupted? In particular, just-in-time manufacturing carries significant financial penalties for late or missed deliveries. What is the restoration process? How can the recovery be made faster? We need to understand the entire process by reviewing various scenarios and using stress tests to understand the bottom-line impact to the balance sheet.

5. Risk managers need to make new friends in the business.

Risk management has a broader scope than just physical and cyber security.

6. The scope of cyber risk insurance must plan for attacks of never-before-seen magnitude.

  • An area-wide event is possible, especially given the fragile US infrastructure, e.g. the power grid. This overwhelms insurers due to the scope and impact of the attack.
  • Terrorism will touch cybersecurity and must be accounted for in insurance programs.
  • 60 nations are actively creating cyber weapons. Once these weapons are released they cannot be controlled and, once on the grid, they are there for anyone. What happens if they fall into the wrong hands?
  • Sophisticated malware released into the wild is now available for the average hacker to use for nefarious purposes. What happens when an irrational actor gains control of a cyber weapon, or when you pair a sophisticated tool with an irrational actor?

This is a manageable risk with proper oversight and governance.

Forrest Pace, Moderator

We continue to see major cybersecurity breaches impacting a wide variety of industries. When addressing cybersecurity in your organization, here are three items to consider.

  1. This is an enterprise-wide problem and cannot be addressed in isolation by a standard risk approach. These risks go far beyond data breaches, where records are compromised or credit card information is stolen. Risks today include company safety systems, networks, supply chains, and business continuity. This is not limited to your organization but the organizations with which you do business, especially if you provide just-in-time materials or services.
  2. The best way to address risk today is with a holistic approach. Bring together the principal stakeholders and/or functions within your organization, such as Human Resources, Security, IT, Facilities, and Treasury. Consider bringing in your insurance broker or provider to conduct industry analysis and offer guidance on change risk issues. You may also want to include parts of your supply chain in this group.
  3. Scenario testing is the best way to understand the risk impact. Outline and define the different business scenarios that could compromise your organization and test them from end-to-end. This would include people, process, and systems.

To summarize, organizations must stress test their insurance portfolios, think holistically across cyber and physical security, look at the whole supply chain, and understand that cyber is now a critical component of the business.

This article was co-authored by Hanno Ekdahl and Jeff Luther.

What do the SEC’s New Cybersecurity Risk Guidelines Mean for you as a Board Member?

by Chris Amery, VP Professional And Financial Services

February 26, 2018

This week, the Securities and Exchange Commission (SEC) published updated interpretive guidance on cybersecurity disclosure requirements for public companies.

Following significant post-breach reporting delays from SEC-regulated entities, including Yahoo and Equifax, the Commission clearly desires to standardize cyber disclosure practices surrounding impactful cyber events. As noted in the interpretation, “[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The investing community and public at large should welcome this standardization as a step in the right direction for fair markets.

The more interesting component of the SEC guidance, however, is the following: “Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registrations statements under the Securities Act of 1933 … and the Securities Exchange Act of 1934.” Here, the SEC is speaking to general ongoing risk factor identification as opposed to specific post-incident disclosures. The Commission believes that firms must identify and disclose possible risk events even if they haven’t suffered a breach. This is a sea change in the regulatory view of cybersecurity. The SEC is pointing out that it’s no longer good enough to purchase technology controls and meet compliance mandates. By forcing companies to identify and publish their ongoing cyber risks, they are elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.

Axio’s CEO, Scott Kannry, wrote about this just last October:


Cybersecurity should be at the top of every upcoming executive and board of directors meeting. Rather it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and a host of other reasons in between. But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that “something similar must never happen to us.”

Scott Kannry, Axio CEO

What must board members understand about the new disclosure requirements? First, the good news – they are not technology based. This will not require board members to become tech experts in the latest cyber security technology. They are ‘risk-based’, which means that they require a more holistic approach, and that the current paradigm of assessments, technology controls, and compliance frameworks is clearly not enough to satisfy the SEC guidance. Maintaining accurate risk disclosures requires a dynamic cyber risk management program. In our view, the following four components of a cybersecurity program allow companies to meet this hurdle, and Board members to confidently sign off on these disclosures:

  1. Quantify your exposure in financial terms. As the SEC notes, “The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude…[and] also depends on the range of harm that such incidents could cause.”
  2. Evaluate the caliber of your current cyber program within a maturity-based framework. This approach recognizes that cyber risk and maturity is dynamic and allows a company to evolve continually as the cyber landscape changes. Compliance standards can act as a floor, but they do not appear sufficient to meet the SEC guidance that “[w]here a company has become aware of a cybersecurity … risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities.”
  3. Maintain adequate insurance and reserves to recover from a cyber incident. This goes hand in hand with required public disclosures, as firms utilizing this approach will naturally manage their financial risk to appropriate levels on an ongoing basis. Steps one and two inform the proper levels of financial defense on a dynamic basis.
  4. Benchmark your performance against your peers. Cyber risk management is ultimately in the public interest, and the ability to measure your current program against both an internal target state and your peers will be a significant input in determining whether a Board has met its duties with respect to cyber risk.

When these four key components of cyber risk management have been employed on an ongoing basis, a Board can confidently say to the public markets, “We know what our risk profile looks like, we have an updated analysis of our program maturity, our financial controls are adequate to survive a cyber incident, and our overall program is in the top 10% of our industry group.”

We applaud the SEC guidance and look forward to a world where Boards, executive teams, risk managers, and technologists embrace this comprehensive risk- and maturity-based approach to cyber program management.

Copyright 2018 Axio Global, Inc.
