Cyber threats are more frequent; incident costs are up
A silent crime wave with devastating potential is rolling through global business. Cybercrime, as it has been dubbed, is the new “underworld” threat of this decade, and it is growing at a size and pace that could make traditional fraud and theft pale by comparison. Now is the time for companies to address this issue as a serious priority for 2012—and informed compliance professionals can help lead the way.
What’s driving action now?
Recent developments and study statistics point out reasons for enhanced focus and action:
- 50 businesses taking part in a 2011 study on cyber crime experienced an average of more than one successful cyber attack per company per week – a 44 percent increase over the 2010 rate.
- During recent months, business headlines have reported significant and repeated security breaches at high-profile Internet authentication companies in the U.S. and Europe. In some cases, management learned of the breaches from external sources. According to one study, external parties (e.g., law enforcement) — not the organization itself — discovered 86 percent of all data breaches examined in that 2011 study.
- A former intelligence official, Melissa Hathaway, who led the U.S. government’s cyber security policy review and pushed for Securities and Exchange Commission (SEC) guidance in this area, was quoted as saying, “There appears to be a structured process of hunting those who provide authentication services.” Hathaway also said that authentication mechanisms currently being used by businesses are at risk.
- The recent rise in cyber attacks has prompted action by government agencies. The SEC’s Division of Corporation Finance, for example, provided new guidelines for disclosing cyber risks and cyber attacks, noting that these incidents deserve attention at the highest levels of management and governance and that affected companies should disclose both cyber risks and cyber incidents if the information would be important to investor decision making.
Many companies today are at risk of being compromised—perhaps not at the level of achieving national headlines, but in any number of less sensational though equally destructive ways, such as shutting down networks, perpetrating fraud, stealing intellectual property or negatively impacting a finely honed reputation, ultimately driving customers and investors elsewhere.
In short, cyber crime has become a critical corporate compliance issue and increasing numbers of board members, senior executives and stakeholders are concerned and searching for solutions.
Is your organization prepared?
This all gives rise to the key question: Could it happen at your company? If yes, how likely is it to happen, and what can be done to reduce exposure and keep disruption and costs to a minimum?
Most important for readers, what can compliance officers do to ramp up cyber threat risk management capabilities? While cyber crime may originally have been relegated to the IT department or the chief information officer to prevent, detect and fix, today it is a major enterprise-wide issue with many critical compliance angles, including how the organization might be at risk and how much of what is known about a cyber crime — or the threat of one — should be disclosed. Here are a few questions that will help elicit specific information about security practices:
- How do we track the information leaving our company and its destination?
- How do we know who is really logging into our networks and from where?
- How do we control the software running on our various electronic devices?
- How can we limit information that is voluntarily made available to a cyber adversary?
By applying a “risk management maturity” perspective to how security issues are addressed, one can gain valuable insights about the organization’s cyber risk management strengths and weaknesses, including areas for improvement.
Risk maturity means setting out on a path that transforms a company’s approach from reactive and fragmented into organized and effective. This process progressively builds an “intelligent” framework of awareness, information and improved organization of people, processes and technology around shared objectives.
These objectives and the overall tone of the approach are set at the top. Over time, cyber threat intelligence and controls become integrated and embedded in all aspects and functions of the organization. When complete and at full maturity, the approach culminates in an enterprise-wide, coordinated and measured effort capable of handling cyber matters within a realistic, accepted level of risk tolerance.
10 steps to more effective cyber threat risk management
Following are 10 steps chief compliance officers and other compliance professionals can take to get more involved:
- Stay informed about cyber threats and their potential impact on your organization.
- Recognize that an intelligent approach to cyber threat risk is as valuable as traditional business intelligence.
- Recommend that a C-level executive be accountable for cyber threat risk management.
- Support sufficient resourcing for the organization’s cyber threat risk management efforts.
- Request that management make regular (e.g., quarterly), substantive reports on the organization’s top cyber-threat risk management priorities.
- Establish continuous monitoring methods that can help the organization predict and prevent cyber-threat-related issues.
- Require internal audit to evaluate cyber threat risk management effectiveness as part of its quarterly reviews.
- Expect executives to track and report metrics that quantify the business impact of cyber threat risk management efforts.
- Monitor current and potential future cyber security-related legislation and regulation.
- Recognize that effective cyber threat risk management can give your company more confidence to take certain “rewarded” risks (e.g., adopting cloud computing) to pursue new value.
Internal control systems often direct compliance professionals’ attention to the four distinct but overlapping categories of enterprise risk: strategic, operational, financial and compliance. Whereas cyber issues are mainly thought of as operational risks, there is increasingly a compliance facet as well.
Now is the time for compliance professionals to step up and anticipate what can be done to better understand the organization’s capabilities for managing and mitigating the ever-present — and growing — risk that cyber threats pose. Insights gained through the 10 steps above can help guide an in-depth review of current practices and set the organization on a course for evolving a cyber threat risk management approach that is proactive, preemptive and effective.