Update on the current board issues: April 2013

April 2013

Issue in focus


Cybersecurity risk on the board’s agenda

As the number of database breaches, company website hacks and thefts of intellectual property grows, company boards are realizing that cybersecurity is not just a technology risk. It can be an enterprise risk management issue.

What’s at stake for companies are their so-called “crown jewels,” the information assets or processes that, if stolen, compromised, or used inappropriately, would cause significant hardship to the business.

Cybersecurity issues are among the top risk management issues facing companies, according to recent surveys by PwC. The PwC 2012 Annual Corporate Directors Survey of 860 public company directors found that nearly three-quarters (72%) of directors are engaged with overseeing and understanding data security issues and risks related to compromising customer data.

“Today, cyberthreats are a clear and present danger to the global business ecosystem,” said Peter Harries, Co-Leader, PwC Health Information Privacy and Security Practice. “Yet many enterprises place the responsibility for managing cyberthreats solely in the hands of their technology team. Now is the time for boards and management to realize such threats are enterprise risk management issues that could severely affect their business objectives.”

The sheer volume and concentration of data, coupled with easy global access throughout businesses in the US and worldwide, magnifies the exposure from a cyberattack, according to a PwC 10Minutes on the stark realities of cybersecurity. Such attacks primarily originate from three sources: nation-states, organized crime and “hacktivist” communities, according to Harries.

“Nation-states are trying to come up with a certain outcome, such as the illegal acquisition of competitive intelligence,” he said. “In the case of organized crime, they are looking to make money from customer data, such as healthcare and credit card information. Hacktivists want to take a stance on a social policy issue with a denial of service attack.”

Additionally, recent data from PwC’s 16th Annual Global CEO Survey found that more CEOs in the US (31%) believe a cyberattack or major disruption of the Internet is likely to occur than global CEOs (20%). In February, President Obama issued an executive order to improve critical infrastructure cybersecurity.

That executive order calls on federal agencies to strengthen US cyber defenses by sharing more information between the public and private sectors, identifying and prioritizing US critical intellectual property (IP) infrastructure, and building a cybersecurity framework. The order, which affects the Department of Homeland Security, the Department of Commerce’s National Institute of Standards and Technology, and the Office of the Director of National Intelligence, takes effect in phases from June through August. [For more information and a timeline on the order’s phase-in, read PwC’s Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order.]

The order requires the private sector and government to share critical information for those 18 industries deemed “critical infrastructure.” A crucial part of the order calls for building a framework that will include standards and best practices to be used by companies to defend their IT networks against cyberattacks.

“We’ve reached a tipping point for the government sharing critical information with the public,” David Burg, PwC’s US Leader of Forensic Technology Solutions, told Bank InfoSecurity at the 2013 RSA Conference in an interview. “We have reached a phase where we need to institute a cyber immune system to help our commercial industries, or those at a minimum considered to be critical infrastructure, to have much more rapid access around threat information to enable our economy to respond and to reduce the threats.”

In October 2011 the SEC’s Division of Corporation Finance released guidance on cybersecurity risk disclosure stating that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.” While no disclosure requirement specifically addresses cybersecurity, the SEC guidance states that companies should disclose cybersecurity risks in their risk factor disclosures, consistent with Regulation S-K Item 503(c), and address such risks in other areas of their filings, including Management’s Discussion & Analysis.

What should directors do

As boards consider how to prepare for and react to cyberattacks, there are certain considerations they should make related to data security, according to PwC’s Directors and IT: What Works Best™ board guide:

  • Determining the effectiveness of the company’s security program – Evaluate if the company is effectively addressing data security, understand the company’s perceived level of data security risk and the controls designed to mitigate the risk, and consider whether a chief information security officer (CISO) is needed. If so, ensure that person has appropriate stature in the company.
  • Leading practice is to have a data security approach that is comprehensive and adequately funded – Understand the company’s comprehensive strategy for addressing data security, determine how management tests resistance to attacks, and ask management about the company’s IT security resources and whether the security spend level is appropriate.
  • Detection can be a problem – Discuss the frequency and incidence of data attacks the company has detected in recent years and how the company responded.
  • Protecting the most sensitive and valuable assets – Inquire about the company’s inventory of sensitive information, including IP, and the controls to protect it.
  • Concerns outside the company’s firewall – Ask management if and where sensitive information is housed outside the company and how it is protected.
  • Internal employee risk cannot be overlooked – Understand how the company educates employees about data security risks and the related policies and procedures.
  • Compliance and regulatory risks are rising – Discuss with management whether the company’s disclosures are appropriate and ask about the latest data security regulations.

For more information on cybersecurity risk, directors also may want to read the following publications: