Cybersecurity risk on the board’s agenda.
As the number of database breaches, company web site hacks and losses of intellectual property grows, company boards realize cybersecurity is not just a technology risk. It can be an enterprise risk management issue.
What is at stake for companies are their so-called “crown jewels,” those information assets or processes that, if stolen, compromised, or used inappropriately, would cause significant hardship to the business.
Cybersecurity issues are among the top risk management issues facing companies, according to recent surveys by PwC. The PwC 2012 Annual Corporate Directors Survey of 860 public company directors found that nearly three-quarters (72%) of directors are engaged with overseeing and understanding data security issues and risks related to compromising customer data.
“Today, cyberthreats are a clear and present danger to the global business ecosystem,” said Peter Harries, Co-Leader, PwC Health Information Privacy and Security Practice. “Yet many enterprises place the responsibility for managing cyberthreats solely in the hands of their technology team. Now is the time for boards and management to realize such threats are enterprise risk management issues that could severely affect their business objectives.”
The sheer volume and concentration of data, coupled with easy global access throughout businesses in the US and worldwide, magnifies the exposure from a cyberattack, according to a PwC 10Minutes on the stark realities of cybersecurity. Such attacks primarily originate from three areas: nation-states, organized crime and “hacktivist” communities, according to Harries.
“Nation-states are trying to come up with a certain outcome, such as the illegal acquisition of competitive intelligence,” he said. “In the case of organized crime, they are looking to make money from customer data, such as healthcare and credit card information. Hacktivists want to take a stance on a social policy issue with a denial of service attack.”
Additionally, recent data from PwC’s 16th Annual Global CEO Survey found that more CEOs in the US (31%) believe a cyberattack or major disruption of the Internet is likely to occur than global CEOs (20%). In February, President Obama issued an executive order to improve critical infrastructure cybersecurity.
That executive order calls on federal agencies to strengthen US cyber defenses by sharing more public-private information, identifying and prioritizing US critical intellectual property (IP) infrastructure, and building a cybersecurity framework. The order, which impacts the Department of Homeland Security, the Department of Commerce’s National Institute of Standards and Technology, and the Office of the Director of National Intelligence, is going to take effect in phases from June through August. [For more information and a timeline on the order’s phase-in, read PwC’s Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order.]
The order requires the private sector and government to share critical information for those 18 industries deemed “critical infrastructure.” A crucial part of the order calls for building a framework that will include standards and best practices to be used by companies to defend their IT networks against cyberattacks.
“We’ve reached a tipping point for the government sharing critical information with the public,” David Burg, PwC’s US Leader of Forensic Technology Solutions, told Bank InfoSecurity at the 2013 RSA Conference in an interview. “We have reached a phase where we need to institute a cyber immune system to help our commercial industries, or those at a minimum considered to be critical infrastructure, to have much more rapid access around threat information to enable our economy to respond and to reduce the threats.”
In October 2011 the SEC’s Division of Corporation Finance released guidance regarding cybersecurity risk disclosure that states companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.” While there are no disclosure requirements that specifically discuss cybersecurity, the SEC guidance states that companies should disclose cybersecurity risks in the risk factor disclosures consistent with Regulation S-K Item 503(c) and address such risks in other areas of their filings, including Management’s Discussion & Analysis.
What should directors do?
As boards consider how to prepare for and react to cyber attacks, there are certain considerations they should make related to data security, according to PwC’s Directors and IT: What Works Best™ board guide:
For more information on cybersecurity risk, directors also may want to read the following publications: