The Pursuit of Cybersecurity
CFOs in North America view cyberattacks as a serious threat, but many have doubts about their organization’s level of preparedness, according to findings from Deloitte’s Q2 2015 CFO Signals™ survey. Nearly 25% of the 101 CFOs surveyed, most of whom work for companies with more than $1 billion in annual revenue, say they are insufficiently prepared for such crises, and just 10% say they are well-prepared.
The reality is that cyber risk is not something that can be avoided; instead, it must be managed. By understanding what data is most important to an organization, management can then determine what investments in security controls might be needed to protect those critical assets. By adopting a program to become secure, vigilant and resilient, organizations can be more confident in their ability to reap the value of their strategic investments.
Addressing Cyberthreats with Business Decisions
Cybersecurity has moved from the firewall to the keyboard. Every person with a mobile device or a laptop, or sitting at a desktop, is a potential point of compromise for the organization. What has changed is that implementing cybersecurity strategies now comes down to business decisions. For example, organizations have to decide whether allowing employees to plug thumb drives into company computers is worth the risk of infecting the network with malware.
When a security breach occurs, it’s important for management to follow a prearranged cyber-incident response plan. Strong plans include detailed processes for coordinating efforts between different front-line functions, such as the general counsel’s office, public relations and the CIO’s office. Some of the most effective plans are designed by a committee comprising those in the organization with the best understanding of how the organization works with respect to technology, as well as risk. The plan can then be socialized across the organization, including the board. The board should not only be aware of the plan, but also understand its role in it.
During the design phase, board members should consider asking management two overarching questions: “How is the organization securing its systems?” and “Has the organization conducted a risk assessment of its crown jewels, the assets it must protect most, recognizing that not everything can be protected?” From a vigilance perspective, boards should consider asking whether management is establishing risk and threat awareness across the enterprise and how the company detects violations and anomalies. Questions about resilience can focus on whether the organization has the ability to handle a critical cyber-incident and quickly return to normal operation.
Without appropriate information-sharing, it’s almost impossible to detect systemic attacks early enough to contain them. Yet despite increased interest in cyberthreat information-sharing, challenges remain. Private sector organizations, especially those in heavily regulated industries, are understandably concerned that disclosure of cyberthreats may expose them to lawsuits or regulatory fines and penalties. To address private sector anxieties about litigation while bolstering national cybersecurity, President Barack Obama unveiled several policy proposals, including one that would offer “targeted liability protection” to companies that share information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and various industry-run cybersecurity groups.
The proposed liability protection may remove a significant barrier to information-sharing. However, giving the private sector some degree of safe harbor from litigation and regulatory action while simultaneously allowing regulators to exercise their duty to protect the public and financial markets remains the federal government’s ongoing challenge with respect to promoting information-sharing.
The ever-evolving cyber risk landscape is also driving interest in cyber insurance as a complementary element of a cyber risk management program, allowing organizations to transfer some of the risks associated with cyber incidents to their insurance provider. Many early adopters were financial services companies, retailers and health care organizations with large amounts of personally identifiable information.
Cyber insurance policies provide a variety of coverage options and pre-conditions for management to consider. First-party coverage protects against losses incurred directly by the company in response to a cyber incident (direct expenses), and typically includes theft and fraud, forensic investigation, business interruption, extortion, and computer data loss and restoration. But overall, the cyber insurance market remains immature.
COSO Framework for Cybersecurity
Companies developing a cybersecurity controls and monitoring program may want to consider using as a guide the 2013 internal controls framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Using the COSO framework enables boards and senior executives to communicate business objectives, and define critical information systems and related risk tolerance levels. Once objectives and risk tolerances are defined, others within the organization, including IT personnel, can perform a detailed cyber risk analysis by evaluating information systems most likely to be targeted by attackers, as well as likely attack methods and intended points of exploitation. In turn, appropriate control activities can be put into place to address the risks.
—Produced by Ed Powers, a Deloitte Advisory U.S. managing principal in Deloitte & Touche LLP’s Cyber Risk Services practice, and Mary Galligan, a Deloitte Advisory director in Deloitte & Touche LLP’s Cyber Risk Services practice.
July 27, 2015, 12:01am
As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright © 2015 Deloitte Development LLC.