A notable recent development affecting public companies is the SEC’s issuance of proposed rules on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” (https://bit.ly/3YxIHYF). In New York State, the Department of Financial Services has proposed amending the cybersecurity regulation (23 NYCRR 500) to include enhanced governance requirements, amongst other amendments, to increase accountability for cybersecurity at the board and C-suite levels (https://on.ny.gov/3XhmNIm). These developments, along with heightened media interest in cyberattacks, have significantly heightened directors’ concerns about understanding how their organizations manage this risk and reduce it to tolerable levels.
Some organizations have established a cybersecurity committee of the board of directors. The purpose of such a committee is usually to assist the board with its oversight of the organization’s cybersecurity program. A charter, like that used for audit committees, communicates key responsibilities and expectations; this will become increasingly important as regulators heighten oversight requirements. Yet, such committees remain an exception to general practice.
Directors typically have excellent business and financial acumen; unfortunately, that expertise might not extend to cybersecurity matters. Some organizations have begun adding cybersecurity experts to the audit or cyber committee. Many board members rely on guidance from prominent accounting and advisory firms as to which questions they should ask. The combination of the yes/no format of many of these questions and board members’ limited cyber understanding, however, may not provide the assurance or knowledge sought.
Time and resources represent additional challenges for directors seeking answers. Cybersecurity represents but one risk, however timely, facing the board and audit committee. Given these pressures, reading off a list of questions is not practical. Questions should be phrased in an open-ended manner to obtain as much relevant information as possible in the shortest time period. A director’s goal should be to sample the information provided to determine if risks are appropriately managed and further inquiry is needed.
There are minimal standards for cybersecurity reporting, which can lead to inaccurate, incomplete, or unreliable presentations. Whether the cause is management incompetence, negligence, or intentional misrepresentation, directors should guard against incomplete, incorrect, and misleading information. This can occur when management filters the information it presents and pre-selects which control weaknesses or poor cybersecurity-related control activities will be shown. Although an internal audit function can help reduce this risk, limitations in resources, access to expertise, and influence might restrict its ability to do so effectively.
Targeted Key Considerations
The following targeted considerations should enable directors to obtain a preliminary understanding of how well management addresses cybersecurity risks and whether further action is required. These considerations can help directors identify the status of their organization’s cybersecurity program in a relatively short time.
Inventory and categorization of all assets.
A complete, accurate, timely list of all assets should be available upon demand. This list should include internal (within the company) and external (outsourced, cloud) assets. Each asset should be categorized by its risk in order to prioritize controls, including vulnerability remediation. The primary oversight concern is that if management cannot identify the assets it is responsible for, how can it protect them?
Vulnerability/patch remediation days outstanding.
Some organizations have a documented vulnerability/patch management program that specifies risk-based expectations to remediate vulnerabilities. In many due diligence questionnaires, this would result in a yes or positive response. Yet, the existence of a program does not alone mitigate cyber risk. The oversight challenge includes determining the program’s effectiveness and whether management adheres to its requirements. Some relevant metrics include determining the days outstanding on vulnerabilities/patches by risk and the exceptions to the established schedule detailed in the approved program.
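The metrics described above can be produced directly from a scanner export. The following is an added example, not code from the original article: it assumes a hypothetical risk-based remediation schedule and a constructed list of open findings, and reports days outstanding by risk rating together with findings past the schedule, split by whether a documented exception covers them.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Hypothetical risk-based remediation schedule from an approved program
# (maximum days allowed to remediate, by risk rating). Constructed for this example.
REMEDIATION_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
REPORT_DATE = date(2024, 3, 1)  # constructed "as of" date for the board report

# Constructed sample of open findings from a vulnerability scanner export:
# (finding id, asset, risk rating, date first detected, approved exception id or None)
OPEN_FINDINGS = [
    ("V-1001", "web-01", "critical", date(2024, 1, 2), None),
    ("V-1002", "db-02", "high", date(2024, 1, 20), None),
    ("V-1003", "hr-app", "high", date(2023, 11, 5), "EXC-17"),  # documented exception
    ("V-1004", "laptop-77", "medium", date(2024, 2, 1), None),
    ("V-1005", "legacy-erp", "low", date(2023, 6, 1), None),
]


def aging_by_risk(findings, as_of, sla=REMEDIATION_SLA_DAYS):
    """Per-risk metrics for oversight: open count, mean and maximum days
    outstanding, how many findings are past the program's schedule, and how
    many of those are covered by a documented exception (the rest are the
    unexplained deviations a director should ask about)."""
    buckets = defaultdict(list)
    for fid, asset, risk, detected, exception in findings:
        days = (as_of - detected).days
        buckets[risk].append((fid, asset, days, days > sla[risk], exception))
    report = {}
    for risk, rows in buckets.items():
        overdue = [r for r in rows if r[3]]
        report[risk] = {
            "open": len(rows),
            "mean_days": round(mean(r[2] for r in rows), 1),
            "max_days": max(r[2] for r in rows),
            "overdue": len(overdue),
            "overdue_with_exception": sum(1 for r in overdue if r[4]),
            "overdue_unexcepted": [r[0] for r in overdue if not r[4]],
        }
    return report


if __name__ == "__main__":
    for risk, metrics in aging_by_risk(OPEN_FINDINGS, REPORT_DATE).items():
        print(risk, metrics)
```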
Thoughtful cybersecurity risk assessment.
NIST defines risk assessment as follows:
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses. It considers mitigations provided by security controls planned or in place (https://csrc.nist.gov/glossary/term/risk_assessment).
Some organizations follow the “letter of the law” and complete a minimal yes/no questionnaire to identify potential issues. Rarely do they test the responses to confirm understanding; sometimes, they may not appreciate the threat that the questionnaire raises. Even when the assessment is performed correctly, management might report only on the top identified risks and proposed remediations. From an oversight perspective, failing to consider all threats adequately and to test key assumptions could result in reliance on false risk management narratives. If they are informed only of high risks, board members may be unable to identify risks that need additional resources or attention. By merely responding to questionnaires rather than thinking through the issue, members might not adequately consider evolving threats.
Quality of internal audit comments.
Directors can learn a lot about their organizations through the internal audit reports performed and the issues raised by those reports. From an oversight perspective, it is essential that such reports have an independent review, appropriate scope, and recommendations that add value to the organization. The inherent complexity of technology and its continued evolution causes managerial control challenges. Even when a prior security issue has been remediated, technological advances may require that a new control be implemented.
Ensure organizational resiliency.
The ability of an organization to continue as a going concern has always been a fundamental concern for boards and their audit committees. Evolving regulatory expectations have also increased the need for organizations to properly plan for and recover from cybersecurity incidents. Applicable guidance suggests that organizations should develop a resiliency and incident response program to facilitate response and recovery should an incident occur. The quality and detail of such programs vary significantly. Variations include defining covered incidents, individual responsibilities, testing requirements, and board reporting. Cybersecurity professionals highly recommend periodic program testing to ensure practicality and awareness. The scope and completeness of the program (e.g., IT department only, end-user computing, in-house, cloud) are usually of significant oversight concern. Testing the program’s effectiveness and ensuring appropriate communications to executives and directors—especially with respect to regulatory-mandated notifications—are also oversight priorities.
Management of user and system accounts.
The number, type, and utilization of user and system accounts can be a leading indicator of how well an organization manages these accounts. If accounts are administered properly, with appropriate access, accountability, and monitoring, they enable organizational activity while protecting data. Considerations include the number and percentage of users designated as privileged, stale accounts (accounts not used within a specified period), and generic accounts (accounts not assigned to individuals). From an oversight perspective, the primary concerns are the effectiveness of administering user privileges to enforce organizational controls and ensuring accountability for activities over protected digital resources.
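The account metrics above can be computed from a directory export. This is an added example, not code from the original article: it assumes a constructed identity export and a hypothetical staleness threshold, and alongside the counts and percentages it isolates the overlap a director would most want to see, privileged accounts that are stale or not assigned to an individual.

```python
from datetime import date

# Hypothetical policy threshold (constructed): an account with no logon for more
# than this many days is considered stale.
STALE_AFTER_DAYS = 90
REPORT_DATE = date(2024, 3, 1)  # constructed "as of" date

# Constructed sample of an identity-directory export:
# (account name, owner or None for generic/shared accounts, privileged flag, last logon or None)
ACCOUNTS = [
    ("jsmith", "J. Smith", False, date(2024, 2, 27)),
    ("adm-jsmith", "J. Smith", True, date(2024, 2, 28)),
    ("svc-backup", None, True, date(2024, 2, 29)),       # privileged and generic
    ("shared-helpdesk", None, False, date(2023, 10, 1)),  # generic and stale
    ("mlee", "M. Lee", False, date(2023, 9, 15)),         # stale
    ("adm-old", "Former Admin", True, None),               # privileged, never logged on
]


def account_metrics(accounts, as_of, stale_after=STALE_AFTER_DAYS):
    """Counts and percentages of privileged, stale and generic accounts, plus
    the privileged accounts that are also stale or generic."""
    total = len(accounts)

    def is_stale(last_logon):
        # An account that has never logged on is treated as stale.
        return last_logon is None or (as_of - last_logon).days > stale_after

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    privileged = [a for a in accounts if a[2]]
    generic = [a for a in accounts if a[1] is None]
    stale = [a for a in accounts if is_stale(a[3])]
    return {
        "total": total,
        "privileged": (len(privileged), pct(len(privileged))),
        "stale": (len(stale), pct(len(stale))),
        "generic": (len(generic), pct(len(generic))),
        "privileged_stale": [a[0] for a in privileged if is_stale(a[3])],
        "privileged_generic": [a[0] for a in privileged if a[1] is None],
    }


if __name__ == "__main__":
    for key, value in account_metrics(ACCOUNTS, REPORT_DATE).items():
        print(f"{key}: {value}")
```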
Confirming the assurance provided by penetration testing.
There are various definitions, forms, and scopes of penetration testing. The idea is to simulate an attack that an intruder could conduct. Directors are often presented with results that summarize technical vulnerabilities. From an oversight perspective, directors should ensure that the scope of what was tested is clear. This should include not only which assets were tested but also scope limitations, assumptions, and other factors that could provide a false sense of security when reviewing the results.
Ongoing Oversight is Critical
Ongoing diligence and oversight by directors are critical in managing cybersecurity. In many organizations, management designs and steers the contents of cybersecurity presentations and discussions for the board or audit committee. These presentations tend to focus on management accomplishments or on the latest reports of breaches in the media. Although essential and worthy of discussion, this approach means that relevant oversight topics might be relegated to future meetings and, in some situations, forgotten until an emergency arises. As a result, some cybersecurity committees have defined a calendar on which management reports key topics for periodic, risk-prioritized discussion. From an oversight perspective, this helps ensure that all relevant areas, including those identified above, are considered—rather than just those selected by management.