E&Y 5 Insights - Technology risk management in a cyber world: a C-suite responsibility - September 2013 (2011)

5 Insights for executives

“Our IT systems are as safe as Fort Knox,” an oil and gas company executive stated with absolute confidence. He firmly believed that his company’s data was secure and beyond the reach of would-be hackers. However, based on a cyber breach at several peers, the company decided to engage Ernst & Young to examine its information security program — just to be sure.

Two days into an assessment of the organization’s network, the Ernst & Young team discovered that an attacker from a foreign jurisdiction was stealing intellectual property. There was no logical reason for the information to be flowing in that direction. The executive who had so firmly attested to the security of the company’s network was not the only one surprised by the findings. The Board of Directors and Audit Committee were so taken aback by the breach that they mandated that the company completely rethink its approach to information security.

Senior executives acknowledge that information security and cyber threats exist, but often are in denial that it can happen to them. And worse, they often leave managing those threats to just the IT security department. Beyond the fear of a cyber breach is the emerging importance of effective technology risk management functions as an enabler to business performance by speeding product introductions and empowering employees to be able to safely use the latest IT trends, such as mobile and social media.

Cyber risks can impact shareholder value, tarnish the brand and expose the company to litigation. You can turn risk into results and enhance business performance, speed new product launches and provide more reliable business decision information through an enterprise technology risk management program. These are issues of importance to the C-suite, elevating the need for boards of directors, general counsels, chief risk officers and chief information security officers to understand and talk about their organization’s level of due care, approach and preparedness to address cyber risks.

Technology risk management in a cyber world: a C-suite responsibility

The answers in this issue are supplied by:

Dan Casciano Americas IT Risk Management Leader +1 336 605 7801 [email protected]

Bernie Wedge Americas ITRA Leader +1 404 817 5120 [email protected]

Jose Granado Americas Information Security Leader +1 713 750 8671 [email protected]


1 What’s the issue?

Most companies don’t think that they are targets for cyber attackers. As the threat landscape rapidly changes and risks increase, companies need to change their mindset and approach toward information security and privacy to address a new normal. They need to operate under the assumption that unauthorized users are accessing the company’s IT environment on a daily basis — to assume “they’re in.” Cyber breaches can impact shareholder value, tarnish the brand and expose the company to litigation. These are issues of importance to the C-suite, elevating the need for boards of directors, audit committees, general counsels and chief risk officers to work alongside information security and privacy officers to fully address their organization’s risk management level of due care, approach and preparedness, and implement an Information Technology Risk Management (ITRM) program that is adequate and effective in managing cyber risks.

The US Government estimates American businesses suffered losses of intellectual property totaling more than $1 trillion from cyber attacks.


2 Why now?

Several recent high-profile, front-page-headline cyber attacks are serving as a wake-up call for the C-suite. In fact, executive and board-level awareness of cyber risk appears to be at an all-time high — and growing. Executives are realizing, sometimes painfully, that cyber risk needs to be addressed in the boardroom and become a more mainstream part of the enterprise risk management discussion.

As executives are becoming more aware, so too are governments. Unimpressed by the lack of reasonable care that organizations are exercising when it comes to protecting intellectual property and personally identifiable information, governments are introducing a wave of legislation at the federal and state level that will have an impact on business. The C-suite needs to be prepared, sooner rather than later, to respond to avoid costly errors made in times of crisis.

Now is the time to broadly address IT risk management at the C-suite, to proactively address business risks and maintain compliance, be prepared for cyber breaches and enable technology to enhance business performance.


3 How does it affect you?

Implementing an effective ITRM program that addresses cyber risk begins with understanding the roles that each member of the C-suite needs to play.

Board of Directors/Audit Committee. The Board is responsible for setting an adequate standard of due care and ensuring its execution through its oversight mandate. The Board, through an Audit, Risk and/or Technology Committee, should review the IT risk posture of the organization at least annually. In keeping with recent SEC guidance, the Board and Audit Committee should determine the nature and extent of the requested cyber risk and incident disclosures, if any.

Responsibilities range from overseeing the development and implementation of an ITRM program to monitoring and measuring its performance and effectiveness against the standard of due care set by the Board. An effective ITRM program is broader than cyber risks and information security, addressing the entire IT risk universe (e.g., business risk, cloud, social, mobile, change management).

In the event of a cyber compromise, the GC needs to act quickly to minimize the impact of the breach. The GC’s office should be part of a breach response plan in place that includes an external communications plan that has been tested to ensure effective execution in a time of crisis. The GC will need to be prepared to respond carefully to authorities such as the FBI, and to draft responses to subpoenas for evidence that demonstrate a reliable forensic chain of custody.

The CISO function is typically responsible for developing and testing a cyber incident response program, and should oversee a company-specific threat assessment that analyzes the potential targeted assets and the resulting business impact. The CIO and CISO should work with the CRO to ensure that tactics are effectively mitigating the broader IT risk landscape. CISOs should be transitioning traditional information security functions to be IT risk management functions.

Technology risk management for cyber threats

Function (stakeholder): Board/Audit Committee
Govern (ongoing): Set standard of due care; periodically evaluate cyber risk governance and review annual cyber risk assessment; issue cyber risk disclosures as per SEC guidance.
(incident and breach): Receive breach notifications and governance updates; re-evaluate cyber risk governance oversight.
Contain (damages and liabilities): Re-evaluate standard of due care; re-evaluate cyber risk disclosures.

Function (stakeholder): (e.g., CRO)
Govern (ongoing): Oversee ongoing ITRM program for cyber risks.
(incident and breach): Monitor breach and cyber risk trends and measure risk management execution.
Contain (damages and liabilities): Evaluate effectiveness of cyber risk response and technology/risk management, then improve.

Function (stakeholder): Legal (e.g., GC)
Govern (ongoing): Develop cyber risk legal response strategy; approve cyber breach response program.
(incident and breach): Execute breach communications plan; execute authority/regulator response plan.
Contain (damages and liabilities): Perform cyber risk liability control (long-lived).

Function (stakeholder): Information security (e.g., CISO)
Govern (ongoing): Build threat mitigation program to plan/protect most critical assets; establish incident, investigation and forensics response program; conduct tests.
(incident and breach): Detect and respond to incident; execute investigation plans including incident forensics.
Contain (damages and liabilities): Assess effectiveness of cyber incident response; execute incident remediation plan, assess effectiveness.


4 In a hyper-connected world, no organization can be 100% secure. But organizations need to ensure that they are secure enough to protect customer information and intellectual property and avoid potential lawsuits, brand damage and loss of shareholder value.

Actions the C-suite will need to consider include:

1. Identifying and quantifying the real risks. The technology risk management lifecycle is a process that defines how the external threats specifically apply to the company; estimates their potential business impact; defines the possible legal consequences; considers the risk management options based on a cost/risk reduction analysis; presents a prioritized financial-based set of risk management options for all relevant risks; makes a business decision based on the company’s risk tolerance; and executes the decision.

2. Protecting what matters most. That means protecting the most important information that impacts your bottom line. Senior executives should champion a risk management strategy to protect business growth, brand and high-value data and systems, as well as improve processes that control liability by putting in place programs that help detect, deter and respond to breaches both internally and externally.

3. Sustaining an enterprise-wide program. The management of technology risks needs to be a board-level priority, where executives understand that well-established risk management practices need to be applied to security-related risks.

4. Aligning all aspects of technology risks with the business, including information/cyber security, privacy, and physical and business continuity/resiliency, will not only protect the bottom line, it will also generate cost efficiencies and improve performance.

5. Enabling business performance. Safeguarding against cyber breaches and protecting the organization’s critical assets should not be only IT’s responsibility. It is rapidly emerging as a board fiduciary responsibility. And when done well, the proposed enterprise-wide program can enable business performance through faster product launches, more effective customer communication and higher-quality information for decision-making.


5 What’s the bottom line?

Cyber attacks, incidents and breaches are not on the decline; they are on the rise. Hackers’ motives for targeting a company are expanding and might surprise you. The threats are internal and external, and they impact disclosure obligations, regulatory compliance and business performance. You should develop strategies and tactics as if unauthorized users are in your IT environment — assume “they’re in.” Now is the time for all senior executives at the highest levels of the organization to work together to establish a new mindset and approach toward an enterprise-wide ITRM program, including processes before, during and after a cyber breach. Effective IT risk management processes and technologies can enhance business performance, empowering employees and improving customer connections.


For related thought leadership visit ey.com/5

Information security in a borderless world: time for a rethink
Traditional security models that focus primarily on keeping the bad guys out no longer work. It’s time to rethink how organizations can keep their most valuable assets safe. Read this report to learn how you can transform your information security program to enable enterprise-wide business performance and build trust in a borderless world.

The evolving IT risk landscape: the why and how of IT Risk Management today
Once thought of only as a low-priority IT-only concern, ITRM has earned its place in the heart of an increasing number of companies’ integrated risk management strategies. Thanks to mobile computing, cloud computing, virtualization, social media and online payments — and the risks that accompany them — IT risks have become a central and critical issue for investors, regulators, shareholders and executives worried about a wide variety of IT-related financial, market and operational risk exposures. A strategic ITRM program is designed to organize, execute, measure and report on efforts to address IT risks consistent with strategic corporate objectives and help set risk culture by providing management with a holistic, enterprise-wide view of risks.

Countering cyber attacks
Traditional information security solutions are not enough to protect against advanced persistent threat attacks. This updated report discusses the measures organizations should consider to detect and react to successful cyber attacks.

Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

About Ernst & Young’s Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 23,000 Advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject-matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.

© 2011 Ernst & Young LLP. All Rights Reserved.

SCORE no. BT0165

We want to hear from you!
Please let us know if there are subjects you would like 5: insights for executives to cover. You can contact us at: [email protected]
