A new year typically brings a renewed sense of optimism; however, 2021 brings with it promises of unparalleled challenges for board members, as their role in cyber risk oversight and increasing organizational resilience has never been more important. Over the course of 2020, as organizations shifted already overburdened staff to build capacity to support remote working, threat actors aggressively exploited weaknesses exposed in the transition. This shift continues, as evidenced by the fact that ransomware attacks are at an all-time high heading into 2021, surpassing business email compromise for the first time as the attack of choice, and it doesn’t stop there. Sophisticated threat groups lodged deep inside organizational networks have mastered exploiting the trust relationships established across entities in the supply chain.
Unfortunately, even though securing an organization is challenging enough in normal times, the regulatory landscape continues to shift underfoot, adding pressure to already uncertain conditions. Driven by larger and larger breaches, concern over how organizations manage and protect customer data is pushing states to introduce stricter legislation such as the California Privacy Rights Act (CPRA), which strengthens the California Consumer Privacy Act (CCPA). From a U.S. federal perspective, the introduction of the Cybersecurity Maturity Model Certification (CMMC) is forcing hundreds of thousands of suppliers across the defense industrial base to transition from an attestation-based compliance model to onsite validation of controls by a certified assessor.
As a result, 2021 will require boards to ensure they have the appropriate metrics and intelligence to hyper-focus cyber risk oversight on:
- Being able to quantify the risk of a large-scale attack across all impact categories (e.g., financial, operational, brand, reputation, etc.)
- Leveraging validated threat intelligence to reassess the risk appetite and tolerance to address cyber resilience, data privacy and third-party risk management
- With an updated risk profile, identifying the best methods to minimize or transfer risk
Minimize Business Interruption (Cyber Resilience)
With the adoption of broader remote work, boards need to ensure the closure of security controls that were set aside or exempted in the interest of expeditiously getting employees connected and productive. New business operating models dictate the establishment of an entirely new set of security monitoring capabilities to identify potentially malicious and unauthorized access and activity. As such, boards must proactively determine whether existing incident response and cyber crisis management capabilities are adequate for the new workforce paradigm. Investments that help improve threat detection and response mobilization must be prioritized.
Effective questions to ask security leadership include:
- Does the organization maintain a list of its critical information, systems and third parties required to operate the business? Is there a program in place to protect the critical information assets?
- How resilient are our systems? In the latest incident, how many systems were compromised, and for how long?
- How precise are our controls? Is the security team able to concentrate on high-severity alerts?
Building Digital Trust (Data Privacy)
Boards that have historically treated compliance with a “check-the-box” mentality will find 2021 challenging due to an uptick in regulator actions and consumer-driven litigation to protect sensitive data. Data privacy changes require organizations to take a hard look at consent for data collection and use, in addition to how the data itself is protected.
When it comes to revisiting data governance, effective questions to ask legal and information security leadership include:
- Does consent for personal information collection satisfy legislative criteria?
- Is the data collected being used for legitimate business purposes?
- Is customer data stored for the least possible amount of time?
- Are we sufficiently transparent on how the data is used?
- Have we given data subjects enough control over their information, including the right to be forgotten?
With the legislative spotlight shining on data governance, boards should take the opportunity to update a company’s inventory of digital assets, which could also prove valuable during potential M&A activities.
Strengthening Supply Chain (Third-Party Cyber Risk Management)
Recent global supply chain attacks place third-party cyber risk management front and center in 2021, and legislation such as CCPA and GDPR makes organizations liable for incidents originating in third parties. This forces boards to take a hard look at whether they have the visibility necessary to determine the maturity of their third parties’ cyber security and data privacy controls. But how do boards do this?
Effective questions to ask legal and information security leadership include:
- Do we have visibility into the cyber security and data privacy maturity of our supply chain?
- For vendors with access to critical systems or sensitive data, have we included contractual protections in the event of an incident such as a right to audit or requirements for reducing data exposure?
Mitigating and Transferring Risk
When it comes to managing cyber risk, boards must understand the current organizational risk profile, including the company’s risk appetite and risk tolerance. As part of a robust risk transference strategy, a fundamental question each board must evaluate is the adequacy of cyber insurance. This presumably simple question may lead to some unexpected findings when the risks are carefully considered, and it requires an accurate cost analysis to determine the potential loss from a cyberattack. For example, some cyber insurance underwriters now require stricter cyber security controls to be in place before writing or renewing policies. This brings the board full circle, as these mandatory controls may require investments in unanticipated areas. When calculating the amount of required coverage, boards must determine the need and cost for external counsel, retainer-based digital forensics, crisis public affairs support, potentially crippling regulatory fees and possible post-incident litigation.
It’s been said that hope is not a strategy. In 2021, some organizations around the world are hoping for a return to some semblance of pre-pandemic operations; however, for many organizations and boards, the new normal will be nothing like the past. The new year promises a complex array of previously unconsidered challenges. The board recommendations noted herein are centered on establishing a deeper understanding of the cyber risk maturity of organizations and their leadership, with the goal of reducing cyber risk and increasing organizational resilience.
This article was originally published in Ethical Boardroom Magazine.