3 Trends: Taking a Deliberate Approach to Cyber Risk Mitigation

A recent “Advice from Counsel” study led by Gartner Research and FTI Technology shared emerging compliance and information governance trends revealed through interviews with general counsel at public companies. Three of the trends suggest that directors and management adopt a more deliberate approach to cyber risk mitigation:

1. Increasing SEC focus on cybersecurity
   In the past few years, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has stepped up its expectations of public companies. They now examine financial services institutions to ensure that appropriate governance and risk assessment measures are in place to mitigate cyber risk.

   Public statements in 2014 by former SEC commissioner Luis Aguilar raised the stakes for corporate directors. He repeatedly asserted that they could be held personally liable for cyber breaches if they had failed to insist that appropriate cybersecurity measures be taken.

   Beyond the threat of personal liability, directors recognize their ethical responsibility to reduce risk to shareholders. Since cyber risk is the leading threat to valuation for most companies, ensuring that the company is adequately prepared for SEC examinations requires a board focus.

2. Compliance with data security regulations
   A common cause of cyber breaches is complacency. To protect against cyber-attacks by securing personally identifiable information and intellectual property, organizations must make ensuring highly secure network access for approved partners as well as employees a high priority.

   Following existing data security regulations provides a path to greater security. In the U.S., the NIST Cybersecurity Infrastructure Framework is the gold standard for cybersecurity best practices, while conscientious organizations outside North America are likely to follow guidance from the International Standards Organization (ISO). Complying with regulations from HIPAA, FFIEC, FERPA, and other more targeted organizations can ensure that application-specific data is handled safely and appropriately.

   Vendors and partners provide everything from infrastructure services to credit card processing. Many of the most highly publicized breaches began with sloppy vetting of vendors. An example is the Target breach, which occurred when hackers stole the network credentials of an HVAC subcontractor. Compliance efforts must include careful attention to risks introduced by vendors and partners.

3. More collaboration across the organization
   We have previously pointed out that the sole responsibility for cybersecurity has wrongly fallen upon those in charge of information technology. Since a breach represents a significant threat to valuation, and since lax or inappropriate behavior across the organization increases the level of cyber risk, improving organizational cyberattack readiness has ascended to become a board level issue.

   Growing pressure from regulatory agencies and shareholder lawsuits are motivating corporate directors to assume a larger role in urging organizations to improve cybersecurity readiness. This increasing focus by directors is elevating the importance of cyber risk in the eyes of executive management. Having to report on cyber risk mitigation progress at each board meeting is a powerful motivator.

   As companies realize that cyber risk is an organizational issue not restricted to IT, more parts of the company become involved. For example, HR becomes more responsible in working with IT to assign an appropriate risk level and access to control to new employees. Purchasing becomes more attuned to rating vendors not just on the best price; they recognize that the risk that a low-priced vendor may introduce could negate any cost savings they might deliver.

In pursuit of a more deliberate approach to dealing with cyber risk, leaders have begun seeking ways to automate the process. Some software tools focus on understanding threat intelligence, while others focus on defense intelligence. Some focus on network protection, while others focus on compliance.

In a future post, we’ll propose how to categorize cyber risk mitigation tools.