With ratings, cybersecurity enters the executive committee

By François Gratiolet

Board members are now accountable

Cyber-attacks are steadily increasing in frequency, business impact and corporate visibility, despite ever-increasing investments. Companies that were until recently reluctant to speak about the subject can no longer hide the cyber-attacks that target them. Senior executives are growing more anxious, not wishing to make headlines.

The Verizon 11th Annual Data Breach Investigations Report (DBIR) published in April 2018 revealed 53,308 security incidents including 2,216 data breaches in 65 countries. According to the 2018 DBIR, “almost three-quarters (73%) of cyberattacks were perpetrated by outsiders … Most attacks are opportunistic and target not the wealthy or famous, but the unprepared”.

As a reminder, on top of that, Equifax lost more than $5 billion in market capitalization in two days, or 35% of its valuation! The CEO, the CIO and the CISO of Equifax had to leave the company. An ineffective cybersecurity strategy can thus jeopardize board members and general management. It is time for this topic to be on the agenda of the executive committee (COMEX) rather than the sole responsibility of the CIO or the CISO. The reputational and revenue stakes have become too high.

Compliance and « activist » shareholder movements demand more cybersecurity

European regulations such as the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive come into effect in May 2018, with fines of up to 4% of global revenues. We can reasonably assume that this will put pressure on the leaders and board members of companies in Europe.

Another risk that executives and boards face is the « activist » shareholder. Shareholders can band together to challenge the re-election of directors when they perceive that the directors have not done enough to prevent a cyber-attack. Indeed, on behalf of the shareholders, the role of the board of directors is entirely focused on governance, that is, on the control and oversight of decisions related to business strategy and on effective risk management.

Every company needs a cybersecurity strategy and indicators

Because cybersecurity has become a real business risk, it must be approached with a strong and professional risk management discipline. In early January 2017, the World Economic Forum advocated cyber resilience principles and tools for boards of directors.

Yet, unlike all other management disciplines (sales, marketing, finance, etc.), cybersecurity suffers from a lack of data points and key performance indicators (KPIs). Cybersecurity must be driven by metrics.

In October 2017, E*TRADE board member James Lam told Forbes that “he would like to see more cyber risk metrics and analyses, including expert commentary from the CIO and CISO, on the threat environment, risk exposures against risk tolerance levels, and effectiveness of key controls” and that “he would also like to see assurance metrics on overall program effectiveness and early-warning signals on future threats”.

Therefore, board members should receive periodic cyber risk updates from the CIO and CISO, based on objective metrics, and should also have access to external cyber services with the appropriate expertise and experience to rely on when deciding what to do (or not do) to manage cyber risks.

Rating helps measure cybersecurity effectiveness

Leaders, even though they are now fully aware of the risk, having been challenged by headlines in the media, still struggle to assess their cybersecurity performance, because they lack objective criteria, benchmarks and points of comparison.

To address this shortcoming and meet the expectations of board members in the United States, rating firms have emerged with the mission of assessing the cybersecurity effectiveness of organizations and providing some « assurance » to board members. In Europe, CYRATING, the first initiative with a pan-European ambition, is under way.

Cybersecurity rating is likely to enhance cybersecurity, trust and transparency within an ecosystem of partners, and also to ensure that each organization performs better. The massive breach of personal data at Equifax, though not avoided, is now a case study, simply because its leaders were not prepared to deal with it. In the Equifax case in particular, it was revealed in the midst of the crisis that, a few weeks earlier, a rating company had been grading the company "F" on web application security for several months. But were Equifax executives aware of this grade?

In this context, cybersecurity rating should be considered an opportunity by each leader. First of all, it allows the organization to evaluate its cybersecurity performance against its own issues and risks, and to compare itself with other players and established industry standards. It also enables each organization to evaluate its subsidiaries, suppliers and partners, with a view to improving risk management and addressing compliance issues. For example, with the arrival of the GDPR, companies are encouraged to assess the cybersecurity posture of the suppliers in their value chain. Companies, subsidiaries, suppliers and partners need to be transparent and highly accountable for cybersecurity! But how can a global corporation continuously monitor the risks of thousands of suppliers?

With a rating, depending on the performance and security issues identified, companies gain independent data points that enable them to identify the most at-risk suppliers and allocate their resources to better risk management. In full knowledge of the facts, each company can activate the levers that allow it to improve its posture with respect to its business risks. With better-targeted investments, the overall performance of the company will improve.

It will allow board members to stay involved in their company's cybersecurity program and to engage with it at a higher level of support. Because board members will be more involved, cybersecurity will be encouraged, and leaders, managers and ultimately all employees will be engaged. Overall, it will improve the digital resilience of companies, and we can expect it to bring more value to shareholders.