Cyber Security - Board, Audit and Risk Committee Responsibility

There aren't too many weeks that go by where there isn’t a new significant data breach reported.

It doesn’t matter which report you read, cyber crime is becoming big business for cyber criminals and a major problem for organisations.

This is raising a few questions at all levels with respect to trying to get on top of this issue. One of the discussions currently underway is making Company Directors accountable for cyber security issues within their respective organisations.

This should not be a new thing for Company Directors in the financial sector.

APRA’s CPS 234 standards have already made Company Directors responsible for the cyber security posture of their respective organisations.

However, for many others, this is new and concerning as in discussions with a few Company Directors, the common question seems to be – “How do I control something which I cannot measure?”. This is a fair question which I will help address in the rest of this paper.

However, before we delve deeper into the topic, it must be re-iterated that cyber risk is a business risk. A cyber security incident can easily lead to reputation losses, financial losses, legislative risk and compliance issues. As such, the disciplines needed to manage any business risk needs to be applied to cyber risk. This means we need to measure cyber risk and control it within the organisation’s risk appetite set by the Board/Audit and Risk Committee (ARC).

The current threat landscape

To understand current cyber risk, we need to understand the current threat landscape. The best way to do this is by looking at the top six threats affecting Australian businesses over the 2020/2021 financial year as reported by the Australian Cyber Security Centre (ACSC).

I have documented these below and these will help explain the ways in which organisations are being targeted by cyber criminals:

1. Exploitation of the pandemic environment – cyber criminals using various tactics to gain unauthorised access to organisations by piggybacking off and exploiting employees working from home.

2. Disruption of essential services and critical infrastructure – an attack on critical infrastructure usually by other nation-state actors.

3. Ransomware – generally opportunistic cyber criminals looking for financial gain by locking up an organisation’s computer systems and demanding a ransom to unlock them.

4. Business email compromise (BEC) – cyber criminals compromising an organisation’s email system and using this to send false invoices for payment into their bank accounts.

5. Rapid exploitation of security vulnerabilities – cyber criminals exploiting security gaps in computer systems to gain unauthorised entry into organisations with malicious intent.

6. Supply chains – cyber criminals attacking target organisations via their suppliers to enter the target organisation for malicious purposes.

Questions that the Board/ARC members need to be asking

Knowing how cyber criminals are targeting organisations is one thing. The important part is to ask the right questions of our cyber security teams and executives to ensure the right level of control is being exercised.

Noted below are seven questions that I find particularly useful for this:

•  What cyber risk are we carrying and what threats are we facing?
• What plans and strategies are in place to mitigate our risk, manage privacy and compliance risk, and the policies in place?
• What are our critical assets and how are they being protected?
• What do we look like to a hacker?
• How robust are our Incident Response Plans and Procedures – what if the worst happens?
• How are we managing third-party risk?
• Is cyber security embedded in our business – user awareness and culture?

We cannot control what we cannot measure

MEASURE:

To exercise control, we need to measure cyber risk in the first place. First, you must establish your risk appetite.

This will allow you to establish a bottom line and any risk above this will have to be mitigated or transferred. The most common way to establish this is as a percentage of revenue or funding the organisation is prepared to lose in a single cyber event and using this as your benchmark.

We then need to quantify cyber risk. This needs to take a true risk view by establishing controls gaps, understanding the threats trying to exploit these gaps and then assigning annual loss values to these. Adding individual annual loss values will give you an accurate picture of your cyber risk exposure in dollars and cents after which you can make an informed decision as Board / ARC members as to what actions to take. These generally will involve looking at some level of risk mitigation and some level of risk transference. The latter will involve obtaining cyber insurance for which you should know the level of cyber risk you are carrying to ensure adequate cover.

CONTROL:

Having looked at how we can measure cyber risk, let's explore some key control measures that should be in place to help mitigate the six threats I discussed earlier.  I have discussed these controls at a high level below.

The numbers next to the control name represent the threats they help mitigate:

• Essential Eight: 1, 2, 3, 4 – basic and essential security measures published by the ACSC that help organisations mitigate cyber threats.
• Cyber resilience: 1-6 – the ability for organisations to be able to protect themselves from cyber threats and be able to detect, respond and recover from successful cyber events. The NIST-CSF guidelines are particularly useful.
• Penetration testing: 1-6 – simulating an attack on the organisation to see how susceptible it is to a cyber-attack and proactively addressing any issues found.
• User education and training: 1, 3, 6 – training users, Executives and Board / ARC members to ensure they understand basic cyber hygiene measures which they take to keep the organisation safe.
• Third-party risk management: 5 – measuring and managing third-party risk to protect the organisation from a breach via a third party.
• Policy and ISMS: 1-6 – ensuring the organisation has the right policies and procedures in place to guide cyber security.
• Asset discovery and vulnerability management: 4 – discovering, classifying and protecting the organisation’s key information assets. This is the starting point of any good cyber security program as you cannot protect assets that are unknown.
• Incident response and crisis management: 1-6 – having the ability to quickly and effectively respond to a cyber incident so that the organisation can minimise downtime and damage. This will generally involve incident response planning and crisis simulation exercises.
• Privacy and legislative compliance: 1, 3 – ensuring the organisation has the right measures in place to protect all third-party data and comply with all relevant legislative requirements.

Board / ARC members must ensure that their Internal Audit teams are providing assurance back to them that the above key controls are in place and operating effectively. Internal Audit teams have come under some scrutiny recently with respect to cyber security exposures.

I believe APRA Executive Board Member Geoff Summerhayes’ speech to the Financial Services Assurance Forum sums the situation well –

“But boards are not solely responsible. A company’s internal audit function should be the eyes and ears of the board into their organisations. However, when it comes to cyber, the eyesight is often blurry and the hearing dull. Internal audit functions in many APRA-regulated entities lack sufficient cyber skill sets, are under-resourced, and methodologies are under-developed.”

This, I believe, is a timely reminder of the part Internal Audit plays when it comes to cyber risk management and some of the current observed gaps that needs to be managed by the Board/ARC.

Proposed next steps and timelines

Having discussed how to measure and control cyber risk at a high level, I will now summarise some key steps you can take with timeframes to ensure adequate cyber risk management for the organisations that you have responsibility for:

• Month 1 – Quantify your cyber risk, and identify and classify your information assets.
• Month 3-6 – invest in an Information Security Management System and embed cyber security awareness in the DNA of the organisation.
• Months 6-18 – invest in a cyber uplift program focusing on your risk appetite and cyber security return on investment (ROI) based on value of risk mitigated.
• Ongoing – create a process to constantly evaluate the threat landscape and a continuous improvement program as threats change from year to year.  Ensure Internal Audit act as the Board’s/ARC’s eyes and ears well.

Summary

The threat landscape is evolving for the worse. We will continue to see more breaches with increasing intensity. Cyber security is a key business risk and must be treated as such.

The basic principles of risk management must apply to cyber risk as it does to other forms of business risk. Board’s/ARC’s responsibility for cyber security is increasing. Board/ARC members MUST ask the right questions of management to be able to discharge their duties. Cyber risk needs to be quantified so it can be managed and a methodical program is necessary to stay on top. Ultimately – you cannot control what you cannot measure!

For more information

If you have questions about Cyber Security or would like further information about this article, please contact our Risk Advisory Team.