How boards can help meet the challenges of technology and cyber risk

Oct 16, 2019

This article is based on a webcast presented by RSM and the National Association of Corporate Directors (NACD) as part of the NACD’s Boardroom of the Future series. To learn more about the challenges of technology and cyber-risk that boards are facing, watch the webcast.

When it comes to managing the risk of new technologies, boards have a number of new issues to consider. Some are inherent to the new technologies themselves; others stem from the new types of vulnerabilities present in these platforms that attackers can exploit.

From the attacker’s perspective, changes in business processes and technologies have affected their economics and are changing their focus and behavior. The board’s role is not to solve these issues directly, but to be aware of them and ensure the organization is managing them.

A heightened focus

Any time there is a breach or a major risk event, the question keeps coming back: Where was the board and what was it doing in terms of its oversight responsibilities? The Federal Communications Commission issued new guidance that provides much more transparency in the role of the board and material incidents, all within an enterprise risk management context. As a result, the board’s role goes beyond simply asking if the company is profitable. There is an increased focus on:

  • Disclosure of material cyber risks and reporting of incidents
  • Digital resiliency and supply chain interdependencies
  • Privacy and data protection
  • Artificial intelligence and machine learning

New tech, new risks

Organizations are drastically shifting their technology footprints. For most of them, there is no real option to “opt out” of these changes as the new technologies are required to keep pace with their industry. The board’s role in this process is to ensure that organizations have a process to incorporate these new technologies in a way that manages risk.

In many cases, the new technologies are not more or less risky; they just change the nature of the risk. Whether it’s the cloud or artificial intelligence, the consistent factor is that all of this technology is meant to increase business speed, ease of use and customer experience. But it also drastically changes how organizations manage data and operations.

How are boards helping to incorporate their companies’ overall risk postures and managing those risks on an appropriate level for the overall business?

A 2018 RSM digital transformation survey report detailing middle market digital strategies analyzed how chief financial officers are embracing innovation to stay competitive. The survey found that 96% of CFOs state that cloud computing is extremely or very important to their digital strategies; content management is also an important digital strategy, followed closely by marketing automation and customer relationship management.

Where a particular organization finds itself on the spectrum between just getting started and completion of the journey is, of course, a matter of self-interpretation. The average respondent described his or her organization as 42% transformation achieved.

But when asked if they were confident that their organizations could accurately assess the security of systems based on artificial intelligence and machine learning, 60% said no.

A changing attacker landscape

Attackers only have to get lucky once to do damage. By necessity, they quietly change their tactics and focus. Hackers will steal everything that isn’t nailed down, but the massive quantities of stolen data available for purchase have caused the value to collapse in the underground markets. This has led hackers to now prefer interruption of operations and direct theft of funds.

The latest RSM US Middle Market Business Index survey on cybersecurity shows that hackers are moving from large organizations to the middle market. Hackers are heavily focused on automation: Where before they would spend a lot of time manually breaching one large organization, now they are so heavily automated that they can breach 15 or 20 midsize and smaller organizations. Whereas they used to steal data, get the data into the underground market, find a buyer, sell it, launder their funds and get the funds out so they could spend them, now they are trying to move into ransomware and extract payment directly from the victim.

Needless to say, the costs of an attack have a much greater impact on smaller organizations, and data breaches in the middle market continue to rise: 15% of middle market executives disclosed that they experienced a data breach in the last 12 months, triple the amount from just four years ago and up 2 percentage points from last year.

While there are very visible exceptions, hackers have shifted away from large data breaches within a company’s internal infrastructure. They now focus more on gaining access to cloud and mobile infrastructure or cloud-based corporate email accounts.

The RSM cybersecurity survey found that more than half of middle market executives expect unauthorized users will attempt to access their organization’s data or systems this year. Organizations must develop cybersecurity strategies that consider several threats to limit the risk of as many varieties of these attacks as possible.

The board’s role in managing the risks

Changes in technology clearly create new risks and new vulnerabilities. Yet many organizations did not take into account changes in security controls to prevent attacks aimed at these new platforms.

What role should the board play? Clearly, much of it involves making sure that there is process accountability for the new risks. Many organizations now have cyber insurance to help offset risk, but they often do not know what is actually covered, such as whether their new platforms are included. The chief financial officer often fills out the cyber liability questionnaire, and he or she may not be fully aware of the controls the company has in place, or what they are lacking.

Based on its findings, ISACA concludes that organizations that are ahead of the digital transformation curve tend to be those less risk-averse when it comes to considering, testing and adopting emerging, transformative technologies.

There are several questions that directors can ask regarding cyber risk:

  • Do we understand our critical digital assets, and the key risks to those assets?
  • Have we outlined—and kept current on—our overall risk appetites and tolerances?
  • How do we assess the effectiveness of our cyber-risk mitigation approaches?
  • Have we effectively lessened the probability and impact of cyber risk within those stated risk tolerances?
  • Have we prepared and practiced for a breach?
  • Are we digitally resilient as an organization? How do we know?

When it comes to information security and good oversight, boards should think about fulfilling their obligations in five different areas:

  1. Governance: Create the right governance and authorizing environment.
  2. Policy: Ensure policies are comprehensive and current.
  3. Transparency: Get the reporting and metrics you need to manage cyber risk.
  4. Testing: Test the security posture of your organization and practice incident response.
  5. Resource allocation: Ensure that allocation of resources aligns with goals and desired outcomes.

Q and A

How often should the board engage and get a report on cybersecurity?

There are boards being briefed quarterly on some aspect of the security program. These briefings can cover key initiatives, an overview of critical incidents, the status of risk management initiatives and the like. Deep dive reviews of security programs on behalf of the board often occur every two years or so.

What are the main questions boards need to ask about implementing security controls when moving to the cloud?

The first question should be what data is being put into the cloud, followed by who will have access to this data, including other service providers or outside companies.

How do you get in front of these issues that affect the entire business?

It is hard to get ahead of the attacks because their nature keeps changing. The best option is to make sure that the organization is doing what it can to prevent the attacks from happening, but then assume some attack is going to get through and make sure the company is prepared to recover quickly.

What is the best way to ensure a cyber leader is adequate?

Many organizations are asking external consultants, internal audit or both, to review the performance and weigh in.

Following the increasing rate of technology change, do directors need to learn about technology or digitization, like they would learn a language?

It will be critical for directors to continuously improve their understanding, but technology is becoming so fractured and specialized that nobody can be an expert in everything. Directors might be better served at understanding the general trends of technology, how it affects their specific organization, and then expanding their personal network so that they can call on niche skills as needed.

RSM contributors

  • Ken Stasiak
    Principal
