Update on the current board issues: February 2014

February 2014
BoardroomDirect®

At a glance

President Obama’s new cybersecurity framework is the latest tool boards and management can use to address the many problems and IT risks associated with data breaches. It has become clear that the security of intellectual property and customer data is no longer just an IT problem.

Issue in focus


The latest on cybersecurity

Cybersecurity framework

One tool that is now available to US companies is the Department of Homeland Security’s newly released Cybersecurity Framework, which is a set of industry standards and best practices to help organizations manage cybersecurity risks.

Created through collaboration between the federal government and the private sector, the framework is meant to manage cybersecurity risk in a cost-effective way without the need for additional regulations, according to the framework’s executive summary.

The framework includes taxonomy and a risk management tool that allows companies to describe their current cybersecurity condition, assess progress toward their desired cybersecurity state, identify and prioritize opportunities for improvement, and communicate to stakeholders about cybersecurity risk.

Additionally, the Department of Homeland Security created the Critical Infrastructure Cyber Community (C3) Voluntary Program. It is designed to connect companies and governmental agencies with the DHS to help manage their cyber risks.

The SEC recently announced it will hold a cybersecurity roundtable on March 26 at its Washington, DC, headquarters.

For more background on the Cybersecurity Framework, read PwC’s BoardroomDirect April 2013 Issue in focus.

The new voluntary US Department of Homeland Security standards for cybersecurity and the recent point of sale (POS) data breaches at some US retailers show that cybersecurity is not just an IT problem.

Actually, cybersecurity is a business issue that can wreak havoc with any organization that uses the Internet or wireless technology to do business. In addition to the obvious risks to intellectual property, customer data security, privacy, and IT, successful cyber-attacks can affect a company’s brand, reputation, and business relationships. The data most vulnerable to attacks have been customer credit card numbers and PINs, employees’ personal healthcare information, and the confidential information of companies’ third-party suppliers.

While 69% of CEOs responding to the PwC 17th Annual Global 2014 CEO Survey say they are somewhat concerned or extremely concerned about cyber threats, 24% of directors responding to the PwC 2013 Annual Corporate Directors Survey say they are still not sufficiently engaged in understanding their company’s cybersecurity spend.

“When you look at the minutes [from board meetings], rarely do you see this as a forefront issue that’s got to be discussed,” Howard A. Schmidt, a principal in the cybersecurity consultancy Ridge-Schmidt Cyber LLC, said in a recent PwC interview. “That has to be on the agenda and the right people have to be in there briefing the board.

“It is imperative to involve the CEO and board of directors because they are the ones who not only control the corporate strategy and the way it is executed, but ultimately they control the purse strings as well.”

As for the budget to pay for cybersecurity measures throughout the company, Jan Babiak, a director with the Bank of Montreal, Royal Mail, and Walgreens, said the cost really depends on the company’s risk profile.

“Whether it’s social engineering or technical hacking, we’ve all had these kinds of cyber threats for the past two decades,” Babiak said. “If you haven’t made this a priority for the past decade, then your company may have to spend a lot. But I tell you there are very few boards that can justify not thinking about spending on cybersecurity.”

According to the PwC CEO Survey, 39% of CEOs said cybersecurity is one area where they are investing in response to global transformative trends over the next five years. In fact, the survey showed it is the third-ranked technology area of investment for companies, behind only business analytics (44%) and socially enabled business processes (41%), and tied with mobile customer engagement.

Both management and the board should prioritize cybersecurity investments around the data that matters most to the business and its unique ecosystem, according to David Burg, PwC’s Global and US Cybersecurity Leader. A major part of those investments is creating and maintaining a comprehensive cybersecurity strategic plan that protects intellectual property and other data across the business enterprise.

“Boards and executives keeping a sustained focus on cybersecurity do more than protect the business,” Burg said. “They reap bottom-line benefits.”

In the PwC publication, Answering your cybersecurity questions: The need for continued action, Burg and his cybersecurity team point out that there are three areas companies should consider when assessing their cybersecurity plan:

  • Enhancing the cybersecurity strategy and capability: Is an integrated cybersecurity strategy a pivotal part of the organization’s business model? Can the organization explain its cybersecurity strategy to stakeholders, investors, regulators, and ecosystem partners?
  • Understanding and adapting to changes in the security risk environment: Does the organization know what information is most valuable to the business, as a function of its most important value drivers? Does the organization understand the significant changes in the threats facing its business? Who are the organization’s adversaries? What would they target?
  • Advancing the security posture through a shared vision and culture: Do the organization’s employees understand their role in protecting information assets, and have they been provided enough tools and training? Does the organization have standards in place to protect its assets?

In addition to the cybersecurity plan, companies should consider what lessons can be learned from POS hacking incidents such as what happened at some retailers this past holiday season, Burg said. “Boards and executives may consider engaging in a process to understand what the external audits, third-party audits, internal audits, and governance, risk, and compliance reviews by management include, and what they don’t include,” he said.

He suggests that boards and executives look into the following actions:

  • Consider a deep-dive risk assessment that covers broad IT risks.
  • Boards and executives of companies with retail or payment card operations should understand what compliance with the Payment Card Industry Data Security Standard means.
  • Consider using cyberinsurance to offset a portion of the risk associated with cybersecurity.
  • Develop an integrated corporate breach response plan that is ready to operate when there is such a breach.

While it is necessary for management to have a plan to be prepared for such an attack, the board needs to be vigilant in its oversight of such a plan, Babiak said.

“One thing I would tell all directors is, ‘Don’t be afraid of asking the simple question,’” she said. “Too frequently, some directors who are less confident about IT say nothing, especially when IT leaders use technical jargon and fail to engage with board-relevant content. Boards should know that good IT leaders are able to communicate even the most complex IT issue in a way that my grandmother would understand.”

She also suggests directors should be proactively reading and educating themselves about emerging technologies and threats as well as asking management about cyberthreats and related risks to the business. This may include taking independent counsel from experts as they do with other topics.