Cyber risk frameworks as a tool for improving cyber resilience
August 2017 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
August 2017 Issue
Cyber security seems to be the topic of the moment, and rightly so. The systemic risk associated with a critical infrastructure organisation such as a financial institution being compromised is enormous. With the prevailing view of cyber security as an IT problem, it would be easy to jump to the erroneous conclusion that there is a technical solution. However, this simply serves to increase the disconnect between those charged with protecting the organisation and those charged with corporate governance and shareholder returns. This disconnect exists because cyber security continues to be described in IT terms, rather than in the common language of risk required by directors and shareholders.
Why do we need a framework when cyber security is an IT problem?
Whether it be the recent ‘WannaCry’, ‘Petya’ or ‘NotPetya’ incidents, it is clear that in an interconnected world, critical infrastructure organisations and those connected to them are highly vulnerable.
Around the world, governments and regulators, in an effort to reduce systemic risk, are imposing obligations on company directors to proactively manage cyber risk. In parallel, there are increasing protections given to personal information (the definition of which is, itself, expanding) such as mandatory breach reporting and far-reaching legislation such as GDPR.
How are those charged with maintaining strong corporate governance and ensuring shareholder returns dealing with this?
Unfortunately, all too often the problem is assigned to the CIO. After all, those compliance standards are IT-based.
However, compartmentalising cyber security as a technical issue is problematic. First, it lulls an organisation into a false sense of security by equating compliance with cyber resilience (for example, Target was PCI compliant when it experienced its massive data breach). Second, using metrics like firewall incidents and endpoint threat devices reinforces the isolation of the board from the real risk position of the organisation.
We have a communication problem
The board, charged with governance and shareholder returns, must match opportunity to the organisation’s risk appetite. However, when risk is presented in IT terms it is difficult, if not impossible, for the board to translate that into a risk management position.
For example, boards need answers to questions such as: am I meeting my fiduciary requirements of due care? Are we investing in the right cyber security areas and what is the return on investment? What risks are associated with our supply chain, and have our customers passed cyber security risk obligations onto us? Are we meeting regulatory obligations of timely disclosure of material risk? How is the organisation’s risk position changing and adapting to new threat environments?
So is the answer to educate the board and shareholders in IT metrics and compliance standards? Probably not, as this would only serve to further compartmentalise cyber security as an IT issue. Should companies introduce additional compliance standards? Effective security goes beyond compliance: requirements change quickly, new threats emerge, and organisations often spend only what they need to spend to meet minimum compliance. What the board requires is a cyber security risk management framework.
Cyber security risk framework
A number of cyber security risk frameworks exist. The National Institute of Science and Technology (NIST) Critical Infrastructure Security Framework (CSF) is perhaps the best known.
What these frameworks have in common is that they turn cyber security on its head; they describe cyber security issues in terms of risk, and introduce a common risk-based language, accessible to all parts of the organisation, shareholders, supply chain partners and regulators.
A cyber security risk framework takes the same fundamental approach to risk management as existing risk management systems with which the board is familiar. In doing so, it helps to bridge the gap between those responsible for protecting the organisation and those charged with governance and shareholder returns.
Companies should assess the risk by identifying relevant threats to the organisation, by identifying the internal and external vulnerabilities, by quantifying the harm that would accrue given the threats exploiting the vulnerabilities, and by addressing the likelihood that harm will occur.
They should respond to that risk by developing alternative responses, by matching the response to the organisation’s risk tolerance and by implementing the resulting risk response.
They should also monitor the risk over time to determine the effectiveness of risk responses in terms of the organisation’s overall risk appetite, to identify new risks and threats and to verify that planned risk responses are implemented and traceable.
With terms such as ‘functions’, ‘profiles’ and ‘implementation tiers’, frameworks like NIST appear daunting. However, by distilling the objective down to establishing a common language to align behind, a simple approach can yield immediate benefits.
This may include a workshop with participants from all parts of the organisation, who are asked to identify the information the business stores and uses, and for each piece of information determine its value (what would happen if the information were unavailable, compromised or made public?).
The company should then make a list of all the different places where that piece of information may reside (systems, suppliers, laptops, phones, reports and so on) and try to identify all the potential threats (for example, hacking, lost laptop, forgotten printouts, among others) and the likelihood of that threat occurring. This then provides the fundamental data points for drawing up an impact assessment matrix to prioritise and assign remediation actions.
You would be surprised what can be revealed when you really start to analyse all the information the organisation and its suppliers hold, and the inventory of where this information resides. For example, that employee information you thought was resident only in your human resources system turns out to be on a number of unsecured laptops, tablets and PowerPoint presentations.
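The workshop output described above, turned into an impact assessment matrix and a prioritised list, as an added Python example that is not part of the original article. The 1-5 scales, the score bands, the `expected` flag and the sample entries are assumptions constructed for illustration; the article prescribes no scoring scheme.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    info: str              # piece of information named in the workshop
    value: int             # 1-5 harm if unavailable, compromised or made public (assumed scale)
    location: str          # one place where a copy resides
    threat: str            # threat to the copy held at that location
    likelihood: int        # 1-5 chance of that threat occurring (assumed scale)
    expected: bool = True  # False: the inventory found a copy nobody expected

    @property
    def score(self):
        return self.likelihood * self.value

def band(score):
    """Assumed bands; set the cut-offs from the organisation's own risk appetite."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def build_matrix(exposures):
    """Place each exposure in its (likelihood, value) cell of the matrix."""
    matrix = {}
    for e in exposures:
        matrix.setdefault((e.likelihood, e.value), []).append(e)
    return matrix

def prioritise(exposures):
    """Highest score first; on a tie, unexpected copies come before expected ones."""
    return sorted(exposures, key=lambda e: (-e.score, e.expected, e.info, e.location))

def unexpected_locations(exposures):
    """Map each piece of information to the places it was not supposed to be."""
    found = {}
    for e in exposures:
        if not e.expected:
            found.setdefault(e.info, set()).add(e.location)
    return found

# Constructed workshop output, loosely following the article's employee-information example.
WORKSHOP = [
    Exposure("employee records", 4, "HR system", "hacking", 2),
    Exposure("employee records", 4, "unsecured laptop", "lost laptop", 4, expected=False),
    Exposure("employee records", 4, "PowerPoint presentation", "forgotten printouts", 3, expected=False),
    Exposure("customer payment data", 5, "supplier platform", "hacking", 3),
    Exposure("marketing brochure", 1, "phone", "lost phone", 4),
]

if __name__ == "__main__":
    for e in prioritise(WORKSHOP):
        print(f"{e.score:>2} {band(e.score):<6} {e.info} @ {e.location} ({e.threat})")
```

Each row is one copy of one piece of information, so the same record can sit in several matrix cells; the top of the ranked list is where remediation actions are assigned first.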
Increasingly, regulators are requiring self-assessment, based upon the NIST framework, as a component of the compliance process. For organisations desiring a deeper dive, there are many tools and methodologies available to assist with the implementation and management of the NIST framework’s core functions (identify, protect, detect, respond and recover) and implementation tiers.
Organisations continuing to regard cyber security as a technical problem with identifiable technical solutions will find transformation difficult. On the other hand, organisations that recognise cyber security is a risk management problem will benefit from the cyber security risk management framework as a means of facilitating meaningful dialogue between those charged with protecting the organisation and those charged with corporate governance and shareholder returns.
Kit Lloyd is a lawyer at MinterEllison. He can be contacted on +61 2 9921 4811 or by email: firstname.lastname@example.org.
© Financier Worldwide