Moody’s: The Cybersecurity Trifecta for Boards of Directors
Intent To Rate Cybersecurity Risk Is The Third Major Board Of Directors Wake-Up Call
The past 36 months have seen two significant developments that should have woken up Boards of Directors to their cybersecurity obligations.
First, a spate of high-profile cyber events, namely those experienced by Equifax, Maersk, Mondelez, FedEx and others, proved that regardless of money spent on protection, employing high-caliber cybersecurity professionals, and good intentions to purchase the right amount of insurance, current cybersecurity approaches were not working. And in Equifax’s case, the severity of the event resulted in a CEO and CISO change and securities class action litigation that remains ongoing.
Second, in February of this year, the SEC released updated cybersecurity disclosure guidance that implored companies to disclose their understanding of cyber risk versus mere disclosure of events after the fact. As Axio’s post on that announcement noted, “By forcing companies to identify and publish their ongoing cyber risks, [the SEC] is elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.” Subsequent to this disclosure, the SEC didn’t waste much time evidencing its intent to act when it fined Altaba (formerly Yahoo!) $35M for failing to disclose its breach in a timely manner.
And now, the Trifecta – an announcement by Moody’s that it will soon start incorporating an evaluation of an organization’s risk of a major cyber event into its existing credit ratings, with the future possibility of offering a stand-alone cyber risk rating. While the specific means by which Moody’s will accomplish this have not yet been disclosed (and may never be disclosed), the impact of such a decision cannot be ignored because of the importance of Moody’s ratings to the investment landscape. Simply put, if Moody’s issues an unfavorable rating based on its analysis that an organization lacks cybersecurity maturity, that organization could expect to incur higher borrowing costs at a minimum, and could suffer further if other entities or investors use the ratings beyond investment transactions.
If the previous two series of events did not garner appropriate Board of Director attention, hopefully Moody’s announcement does, because unlike those events, an unfavorable rating from Moody’s could cost a company a considerable amount of money and thus precipitate an argument that the company’s executives and Board of Directors are not fulfilling their fiduciary responsibility. This announcement and its potential implications should not be disregarded. So what are companies and their Boards of Directors to do?
Luckily, the means to achieve appropriate cybersecurity understanding and management are readily available today, and presumably in a way that could be used to answer any questions raised by Moody’s and others:
ONE: Understand your cyber risk exposure as it relates to the business and in financial terms.
TWO: Utilize a maturity-based cyber program management framework, such as the NIST CSF or the C2M2.
Align it with the scenarios that you’ve quantified in step one, and ensure that it is reported to the Board in an understandable form. Why one of these maturity models? Because a maturity-based approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often produce a false sense of confidence once the checklist is complete and the compliance framework is met. And why align the methodology with the scenarios? Because that connects the cybersecurity program with the business, a critical link for Boards to effectively understand the cyber program. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for folks like Moody’s that you are focused on appropriately protecting the long-term health of the organization.
THREE: Maintain the resources and financial ability to recover from a meaningful event.
At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much as possible, or all, of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and other losses. How do you get there? See Step One.
FOUR: Evidence all of the aforementioned components with peer benchmarking and best practices insight.
Because cyber risk is incredibly dynamic, and traditional means of risk management, such as complying with standards or achieving certifications, can only serve as a baseline, benchmarking and best practices insight can be the best way to prove cybersecurity maturity. Is your cyber exposure in line with or more favorable than that of your peers? Is your cyber program in line with or more favorable than those of your peers? Have you purchased an insurance program that is in line with or more favorable than those of your peers?