Qualitative Risk Assessment
For IT and cybersecurity risk assessment, the qualitative risk assessment model may be more attractive and useful for you and your business than a fully quantitative one. This guide walks through the complete qualitative risk assessment process for a company or business, using worked examples.
Qualitative risk assessments do not use detailed calculations to assign monetary values to assets and losses, as the quantitative method does. Rather, the qualitative method acknowledges how difficult it is to assign realistic monetary values to information and realistic probabilities to events.
As such, this method provides relative measures of risk and asset value based on ranking specific items into categories such as high, medium, or low or on a numeric scale.
Qualitative risk assessments are a popular method of calculating cybersecurity risk. While not as precise as the quantitative method, they generally are faster, easier, and less expensive to produce and give senior decision-makers actionable information in a more timely manner.
We’ll use the example of another fictitious Western Pennsylvania company to illustrate the qualitative risk assessment methodology of calculating cybersecurity risk to a business.
You are the CEO of BigRX, a large (US$10+ billion) regional medical enterprise with over 20 major hospitals and 400 operating locations. Your business is an industry leader and has a good reputation. You carefully guard your brand.
Cybersecurity is on your agenda. Reports from across the medical sector indicate an increase in Health Insurance Portability and Accountability Act (HIPAA) violations as systems fall out of compliance with HIPAA standards, and disclosures of sensitive patient records have spawned litigation that has cost similar businesses tens of millions of dollars to remediate and litigate.
You are concerned about hackers penetrating your systems, which would expose your business to potential disclosures and/or corruption of data that could cost your business tens of millions of dollars and potentially sully your sterling reputation.
BigRX has a large medical information management system called BigMIMS that is the heart of its business operations. BigMIMS has approximately ten million sensitive records in its database.
Medical providers at your remote and contracted facilities love BigMIMS as they can access the records through a convenient web interface that your IT department delivered through a contract with a major software vendor.
BigMIMS cost you US$20 million to develop and field and costs you US$5 million a year to operate and maintain. Your accounting team recently conducted an analysis of BigMIMS's information and determined that the replacement cost of each record is US$100.
The Thesis_Scientist CEO asked if you had heard about the cyber attack against the retailer that resulted in the loss of thousands of credit card numbers and threats of litigation.
When you said you hadn’t, he advised he was conducting a risk assessment of his cybersecurity posture and recommended you consider doing the same at BigRX, “…if you hadn’t already.” Good advice. Perhaps, these luncheons do have value after all!
When you return to your office, you have your regularly scheduled senior leadership meeting with your COO, CFO, chief medical officer, CIO, and chief risk officer (CRO).
You tell them that you are concerned about reports of cybersecurity incidents and the major retailer incident is hitting “too close to home.” You want a cybersecurity risk assessment conducted, starting with BigMIMS.
Based on their experience with qualitative risk assessments, your staff recommends using this methodology to assess your risk.
The first step of the qualitative risk assessment is to identify your threats and threat sources (know your enemy!). Your team returns with the following list of threats to BigMIMS, in BigRX's standard register format of a threat name and a description:

Improper data entry: improper entry of data into BigMIMS, either accidental or deliberate, that compromises the integrity of the data in the database.
Malicious code: insertion of malicious code into the computer network that compromises the security and integrity of your network and jeopardizes the information residing on it.
Unauthorized access: access to patient information in the BigMIMS database by individuals not authorized to view or handle it.
Hacking: an action in which a hacker gains access to BigRX networks and information. It may or may not result in malicious activity, yet it will drive costly remedial activities and notifications in accordance with HIPAA.
Power failure: the possibility that a power failure in the BigMIMS facility could damage the system or otherwise interrupt operations.
HVAC failure: the possibility that an HVAC failure in the BigMIMS facility could damage the system or otherwise interrupt operations.
Fire: the possibility that a fire in the BigMIMS facility could damage the system or otherwise interrupt operations.

You like this format and are comfortable with it, as BigRX uses it across the organization. You standardized the format for risk assessments to improve management oversight, consistency, reliability, and repeatability.
Employees across all operating units are trained to use this format, which was developed as a result of a previous risk management exercise.
Having a standard and repeatable risk assessment process across the organization reduces variance and confusion while enhancing accuracy. You agree that these are reasonable threats but you still want to see your vulnerabilities.
Your team produces numerous tables identifying hundreds of vulnerabilities. Because you are focusing on cybersecurity vulnerabilities to BigMIMS and its data, your team consults with those most familiar with the system: the system developers, the system and database administrators, program managers, and cybersecurity personnel.
Technical teams are a treasure trove of information in identifying potential vulnerabilities. Based on their technical knowledge and their daily interaction with the systems, they know the strengths and weaknesses of the system.
If you want to know where your greatest cybersecurity risks are, they are the best people to ask. They will either have the information you need or know how to get it for you.
Vulnerability scanning results are a prime source of information to identify your cybersecurity vulnerabilities.
Good technical teams routinely run vulnerability scanning software to examine operating systems, network devices, applications, databases, and other critical infrastructure for known flaws by comparing the systems and their responses against databases of known flaws or signature files.
Internal scans are standard procedure for professionally managed networks. Great technical teams not only do regular internal scanning but also do external scanning of your network boundaries as well.
Great technical teams also ask for help and do regular independent penetration testing to find out where their security is weakest and can be exploited. Penetration testing (also known as “Pen-testing”) features specialized security analysts who exercise threats against the system under controlled nonmalicious circumstances.
The best ones don’t just challenge your technical team, they also use social engineering, on-site physical security probes, and other techniques to find ways to penetrate your defenses.
In essence, Pen-testers figure out ways to hack into your system so you can find your weakest links. We highly recommend you include Pen-testing on a regular basis with vulnerability scanning to provide you with the vulnerability information you need to make informed decisions.
Vulnerability scanning and penetration testing are not the only sources of vulnerability analysis. Your organizational and management control program also ought to be used to identify areas of vulnerabilities.
Internal audits and control procedures are used to ensure that your policies and procedures are routinely and accurately adhered to. We believe this is an essential part of your internal control program and a rich source of vulnerability information.
As an example, several years ago, the author found a vulnerability through his internal audit and management control program that is worth sharing.
The author was responsible for the network operations, maintenance, and security supporting a 160,000-person organization with 20 major operating locations around the world.
In order to maintain effective, efficient, and secure network operations, the author ordered standardized procedures to be followed in the installation of software and patches.
Nothing was to be installed on the network or devices until it had been properly tested in the organization’s central cyber test facility. Once software and patches had been cleared by the lab, we used technical means for designated system administrators to automatically push software updates to devices across our network enterprise.
This process saved significant resources by reducing the need for touch labor, reduced the time to patch and install from weeks to minutes, and significantly improved reliability and security.
Key to the process was the system administrators following the process in a disciplined manner. We routinely ran scans looking for unauthorized software appearing on the network as part of our cybersecurity program and saw an alarming rise in the appearance of unauthorized software.
We were concerned because the unauthorized software not only could contain malicious code that could jeopardize our operations but also it could be unlicensed software that could open us to litigation for using copyrighted material without proper permission.
Only a system administrator could install software and the entire technical team had received thorough training; they knew the process and swore they were following it. We had to find out who was installing the unauthorized software, why they did it, and what caused them to do so. Only then could we resolve our problem.
I directed my deputy to lead an internal control audit of the system administrator process and procedures to see if he could find the root cause. Sure enough, he did.
The internal control audit discovered that indeed the system administrators on our technical team were well versed on the policies and procedures.
They were regularly tested and followed the procedures with discipline and rigor. What my deputy discovered through the internal audit, however, surprised us. Not everybody with system administration privileges was on the technical team.
The internal control audit revealed that business unit administrative staff members at one of our operating locations had asked for and been given system administrator level privileges to enable them to assist members of their business units with routine computer problems.
There was no evidence that they had received the requisite training on our software and patching policy nor were they formally trained as system administrators.
Several of them had violated corporate policy and had installed untested and unlicensed software. We quickly moved to remedy the situation by removing the software, implemented very tight access control procedures to centrally manage privileges, and alerted management at the operating location of the issue.
Fortunately, we detected and fixed the problem before damage occurred, but it highlights the positive impact that internal control and management programs have in helping you find your weaknesses. Do not rely solely on your technology to reveal your problems!
BigRX uses all the techniques cited in the preceding text to expose their list of vulnerabilities to BigMIMS. Their internal and external security scans reveal a list of software and configuration weaknesses that are common to many of the vendor products.
In fact, the technical team tells you that these vulnerabilities are well known and available for anyone to see on the Internet.
Your staff identifies hundreds of vulnerabilities, but you zero in on the one below: the same one you heard was used to exploit the Pittsburgh retailer. You have the same vulnerability!

Vulnerability: The web page software of the BigMIMS interface is vulnerable to SQL injection.
Description: SQL injection is a code injection technique used to attack applications, in which malicious SQL statements are inserted into an entry field for execution (e.g., to dump the database contents to the attacker).
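As an added illustration of the flaw in the table (this is example code written for this page, not BigRX's web interface or code from the original text), the following Python builds a small in-memory stand-in for the BigMIMS records table and writes the same record lookup two ways: the way that is vulnerable, and the parameterised way that is not. The table name, columns, sample rows, and function names are assumptions made for the example.

```python
"""Vulnerable string-built query beside its parameterised replacement.

Added example for the BigMIMS web interface vulnerability; the schema,
sample rows and function names are assumptions, not BigRX code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the BigMIMS patient records table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patient (mrn, name, diagnosis) VALUES (?, ?, ?)",
        [
            ("MRN-1001", "A. Patient", "sample diagnosis 1"),
            ("MRN-1002", "B. Patient", "sample diagnosis 2"),
            ("MRN-1003", "C. Patient", "sample diagnosis 3"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mrn: str) -> list:
    """The flaw: the entry field is concatenated into the SQL text, so a value such as
    ' OR '1'='1 rewrites the WHERE clause and returns every record."""
    sql = "SELECT mrn, name, diagnosis FROM patient WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, mrn: str) -> list:
    """The fix: a parameterised query. The SQL text is fixed and the value is bound
    separately, so the same input is just a (non-matching) record number."""
    sql = "SELECT mrn, name, diagnosis FROM patient WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable rows returned:", len(lookup_vulnerable(db, payload)))
    print("hardened rows returned:  ", len(lookup_hardened(db, payload)))
```

Run stand-alone, the concatenated version returns all three rows for the input ' OR '1'='1, while the parameterised version returns none, because the driver never lets the field value become part of the statement. Note that sqlite3's execute() refuses stacked statements, so a '; DROP TABLE patient; -- payload fails in this toy; many other database drivers accept stacked statements, which is why the text lists altering and destroying records among the possible impacts.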
Validating Threat and Vulnerability Matching.
Matching threats to vulnerabilities is an important part of your risk management process. The reasoning is straightforward.
A threat without a vulnerability does not produce a risk. Similarly, a vulnerability without a threat does not produce a risk. However, a threat from a legitimate threat source directed toward a vulnerability generates risk, risk that you need to address.
In the case of BigRX, the SQL injection vulnerability has been identified. It can enable an attacker to gain access to the BigMIMS database, potentially revealing, altering, or destroying sensitive patient records and opening BigRX up to embarrassing litigation, regulatory fines, and damage to its valued brand. The vulnerability is serious.
But is there a threat? How do you know?
There are several methods to determine whether you have a threat directed against a cyber vulnerability. Let’s introduce you to some of the most common:
The threat-source identifies you as a target:
Strange as it seems, some threat sources clearly identify their targets, giving them a heads-up that they are the subject of a future attack. The previously cited Anonymous DDoS attacks on PayPal, MasterCard, and Visa are examples of this type of threat and vulnerability match.
The threat-source performs reconnaissance against you:
Potentially hostile threat sources are continually scanning the Internet looking for vulnerabilities to exploit. Your IT team should be continually reviewing their security logs to see who is scanning you. If there are a lot of repeat visits from the same Internet address, be concerned and block them. Bear in mind that much of this traffic is indiscriminate Internet-wide scanning, so the useful signal is persistence and focus (the same source repeatedly probing your hosts and services), not volume alone.
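The following is an added example of the log review just described; it is illustration code for this page, not a BigRX tool or code from the original text. It parses constructed boundary-firewall log lines (the format, addresses, and thresholds are assumptions) and flags two patterns of reconnaissance: a source touching many distinct ports on one host within a short window, and a source that keeps coming back to the same denied port.

```python
"""Spotting repeat scanners in boundary logs.

Added example for the reconnaissance discussion; the log format, the
addresses and the thresholds are constructed assumptions, not BigRX data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple "timestamp src dst dport action" form,
# loosely modelled on a firewall log. Not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 198.51.100.10 22 DENY
2024-03-01T10:00:02Z 203.0.113.7 198.51.100.10 23 DENY
2024-03-01T10:00:03Z 203.0.113.7 198.51.100.10 80 ALLOW
2024-03-01T10:00:04Z 203.0.113.7 198.51.100.10 443 ALLOW
2024-03-01T10:00:05Z 203.0.113.7 198.51.100.10 1433 DENY
2024-03-01T10:00:06Z 203.0.113.7 198.51.100.10 3306 DENY
2024-03-01T10:00:07Z 203.0.113.7 198.51.100.10 3389 DENY
2024-03-01T10:00:08Z 203.0.113.7 198.51.100.10 8080 DENY
2024-03-01T10:05:00Z 192.0.2.44 198.51.100.10 443 ALLOW
2024-03-01T10:06:00Z 192.0.2.44 198.51.100.10 443 ALLOW
2024-03-01T10:07:00Z 192.0.2.44 198.51.100.10 443 ALLOW
2024-03-01T11:00:00Z 198.51.100.250 198.51.100.10 3389 DENY
2024-03-01T12:00:00Z 198.51.100.250 198.51.100.10 3389 DENY
2024-03-01T13:00:00Z 198.51.100.250 198.51.100.10 3389 DENY
2024-03-01T14:00:00Z 198.51.100.250 198.51.100.10 3389 DENY
2024-03-01T15:00:00Z 198.51.100.250 198.51.100.10 3389 DENY
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(ALLOW|DENY)$")


def parse(log_text):
    """Yield (time, src, dst, port, action) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), action


def find_scanners(log_text, window=timedelta(minutes=1), min_ports=5, min_repeats=4):
    """Return {source: reason} for sources that look like reconnaissance.

    Two heuristics (thresholds are assumptions for this example):
      - port sweep: one source touches at least min_ports distinct ports on one
        host inside `window`;
      - persistent probing: one source is denied at least min_repeats times on
        the same host and port across the whole log, the 'repeat visits' above.
    """
    by_src = defaultdict(list)
    for rec in parse(log_text):
        by_src[rec[1]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort()  # time order, so each record can start a sliding window
        for i, (t0, _, dst, _, _) in enumerate(recs):
            ports = {p for t, _, d, p, _ in recs[i:] if d == dst and t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = f"port sweep: {len(ports)} ports on {dst} within {window}"
                break
        if src in flagged:
            continue
        denies = defaultdict(int)
        for _, _, dst, port, action in recs:
            if action == "DENY":
                denies[(dst, port)] += 1
        for (dst, port), n in denies.items():
            if n >= min_repeats:
                flagged[src] = f"persistent probing: {n} denied attempts on {dst}:{port}"
                break
    return flagged


if __name__ == "__main__":
    for src, reason in find_scanners(SAMPLE_LOG).items():
        print(src, "->", reason)
```

On the constructed sample, 203.0.113.7 is flagged for sweeping eight ports in seven seconds and 198.51.100.250 for hammering RDP once an hour, while 192.0.2.44, a normal HTTPS client, is not. The thresholds are the part to tune against your own baseline; a real deployment would also fold in block lists and the external scan findings from your own vulnerability program.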
The threat source has a pattern of misconduct indicating “you are next”:
Cybercrime statistics indicate when cybercriminals find a technique that works, they continue to tap it until it runs dry or they are apprehended. Albert Gonzalez had his acolytes execute successful attacks on retailers by hacking in through their Wi-Fi to steal credit card numbers.
Do you think if the other retailers in the area knew about the exploits they would have made the linkage between the threat and their own vulnerabilities? We would have!
BigRX suspects there is a problem. Nobody has directly communicated a specific threat to the company's information systems, but the network is constantly being bombarded with scans and probes.
You are not sure that it is part of widespread scanning or is directed toward BigRX, but conclude that regardless of the source it is reconnaissance of your network.
Moreover, your neighbor in retail was just burglarized through a SQL injection exploit that is buffeting their reputation and driving embarrassing litigation and potential losses due to the theft of sensitive customer data.
Does BigRX think there is a threat and vulnerability match? Absolutely! So what's next? How likely is it that someone will attack you?
Estimate Incident Likelihood.
Before we continue with the BigRX example, let’s use a cyber-related example to highlight how some people look at how to decide that an event is likely (event likelihood).
Some people like to think that it is unlikely Apple products will be hacked. They point out that Microsoft often patches their software to remedy vulnerabilities and most hacking activity is directed against Microsoft products.
They point to Apple as an example of a company that "doesn't have to do that" and use the software patch metric as a measure of relative quality. Is that true? Not entirely.
The fact of the matter is that Microsoft has become the world’s single largest source of software, making their product set the largest target for hackers. Why? To quote the famous bank robber Willie Sutton, “Because that’s where the money is.”
Because businesses predominantly use software based on the Microsoft architecture, hackers pay great attention to Microsoft products, relentlessly searching for vulnerabilities they can exploit.
Cybercrime is big business and it is logical the widespread use of Microsoft products by businesses, governments, and the public at large would make Microsoft products the huge target it is for hackers.
But just because Microsoft gets a lot of attention from the hacker community doesn’t mean you are safe with your iPad, iPhone or Macbook.
In fact, Apple’s resurgence and an increase in market share have made it an increasingly inviting target for hackers. Don’t believe it? Even Apple itself was recently hacked and had to temporarily shut down its application developer web site.
The lesson is that you have to be careful when you are deciding “event likelihood” to not succumb to bias and tradition. Rather, be strategic in your view and look to multiple diverse sources of trusted information in making your judgments.
BigRX uses their standard corporate model to characterize the likelihood or probability that the threat will be acted upon in the next 12-month period. Like numerous other companies, they use a three-band scale familiar to those who have graduated from business schools and other executive development programs:

Low: 0–33% chance that the event will occur in a 12-month period
Medium: 34–66% chance that the event will occur in a 12-month period
High: 67–100% chance that the event will occur in a 12-month period
This is the method used by BigRX but there are many other ways you can categorize the likelihood of an event. Some people prefer more categories (e.g., very low, low, medium, high, and very high). Others prefer different ranges for their categories (e.g., high = 90–100%, medium = 60–90%, and low = <60%).
We have found that regardless of which characterization is selected, there is a great benefit in consistency. When your organization and its employees are trained to employ a standardized methodology, are comfortable with it, and use it as designed, the resulting analysis is consistent, reliable, and trusted across the organization.
When considering which likelihood category to select, there are many methods you can use. They include but are not limited to:
Leadership selection: The boss or delegate picks.
Nominative group decision: Everyone involved in the process votes and you (the boss) select the average.
Delphi group technique: Everyone involved in the process presents their recommendation, and the group debates options until a consensus is reached.
Plurality rules! Everyone votes. Whichever category gets the most votes is selected.
Which one your organization selects depends on the culture of the organization and the decision to be made. Those that are time sensitive are more likely to use either the “leadership selection” or “plurality rules!” techniques. Where the decision is potentially very contentious, the “nominative group decision” or “Delphi group technique” often are preferred.
So what did you do at BigRX? You followed your established corporate risk management process. You gathered experts from your IT and financial departments and business operations and even some cybersecurity consultants.
They used the Delphi group technique to make a recommendation to management that the likelihood was HIGH that BigRX would face a successful hacking incident using the SQL injection vulnerability in a 12-month period. Based on the reports you are seeing in the news about cyber attacks at home and abroad, you are not surprised.
Risk assessment is a process. Regardless of whether you are measuring risk from natural disasters, new product launches, or even cybersecurity incidents, you use the process to determine the likelihood (or probability) of a threat occurring against a vulnerability resulting in an impact.
Using the qualitative risk assessment method, you create a matrix to determine the relationship between the likelihood of an event occurring and the impact it will have if it does. You’ve already analyzed likelihood and impact in previous steps, so you can compare them in your matrix to portray the relative risk you have calculated.
Remember that in the qualitative risk assessment, you normally do not use numbers in your risk measurement. Since in this cybersecurity-related example you do not have accurate numbers to estimate the likelihood of the event, this construct adequately conveys the range of risk and focuses management attention on the matters of gravest concern.
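To make the likelihood and matrix steps concrete, here is an added example (written for this page, not BigRX's actual tooling or figures) that carries a BigMIMS-style threat list through the method just described: each expert's 12-month estimate is placed into BigRX's Low/Medium/High bands, the group's bands are combined by the "plurality rules!" or "nominative group" rule, and the result is crossed with an impact rating in a 3x3 matrix to produce a ranked register. The impact ratings, the individual estimates, the matrix cells, and the tie-breaking rule are assumptions; only the three-band likelihood scale comes from the text.

```python
"""Qualitative likelihood bands, group aggregation and a risk matrix.

Added example for the BigRX likelihood and matrix steps. The likelihood
scale is the one in the text; the impact bands, matrix cells, threat
ratings and estimates are assumptions made for this illustration.
"""
from collections import Counter
from statistics import mean

LEVELS = ("Low", "Medium", "High")
ORDINAL = {level: i for i, level in enumerate(LEVELS)}


def likelihood_band(pct):
    """BigRX's 12-month scale: 0-33% Low, 34-66% Medium, 67-100% High."""
    if not 0 <= pct <= 100:
        raise ValueError("likelihood must be a percentage from 0 to 100")
    if pct < 34:
        return "Low"
    if pct < 67:
        return "Medium"
    return "High"


def plurality(votes):
    """'Plurality rules!': the band with the most votes. Ties go to the higher
    band (an assumption; the text gives no tie rule)."""
    counts = Counter(votes)
    top = max(counts.values())
    return max((b for b, n in counts.items() if n == top), key=lambda b: ORDINAL[b])


def nominative_average(votes):
    """'Nominative group decision': average the ordinal positions and round
    half up to the nearest band."""
    idx = int(mean(ORDINAL[v] for v in votes) + 0.5)
    return LEVELS[min(idx, len(LEVELS) - 1)]


# Assumed 3x3 matrix: (impact, likelihood) -> risk rating.
MATRIX = {
    ("High", "High"): "High", ("High", "Medium"): "High", ("High", "Low"): "Medium",
    ("Medium", "High"): "High", ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium", ("Low", "Medium"): "Low", ("Low", "Low"): "Low",
}


def risk_rating(impact, likelihood):
    return MATRIX[(impact, likelihood)]


# Constructed input: the BigMIMS threats with assumed impact ratings and
# assumed per-expert 12-month likelihood estimates (percent).
SAMPLE_THREATS = [
    ("Hacking via SQL injection in the web interface", "High", [80, 70, 90, 60, 75]),
    ("Unauthorized access by insiders", "High", [40, 50, 35, 60]),
    ("Improper data entry", "Medium", [70, 65, 80]),
    ("Power failure", "Medium", [20, 30, 10]),
    ("Fire", "High", [5, 10, 8]),
    ("HVAC failure", "Low", [30, 40, 25]),
]


def build_register(threats, combine=plurality):
    """threats: (name, impact band, [estimates in %]) -> rows of
    (name, impact, likelihood, risk), highest risk first."""
    rows = []
    for name, impact, estimates in threats:
        likelihood = combine([likelihood_band(p) for p in estimates])
        rows.append((name, impact, likelihood, risk_rating(impact, likelihood)))
    rows.sort(key=lambda r: (ORDINAL[r[3]], ORDINAL[r[1]], ORDINAL[r[2]]), reverse=True)
    return rows


if __name__ == "__main__":
    for name, impact, likelihood, risk in build_register(SAMPLE_THREATS):
        print(f"{risk:6}  impact={impact:6}  likelihood={likelihood:6}  {name}")
```

The ranking, not the labels, is the product: it tells the CEO which items to ask about first. Swapping combine=nominative_average shows how the aggregation rule can move a borderline threat between bands, which is one reason the text insists on a single standardized method across the organization.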
As the CEO of BigRX, you review the team’s work and conclude you most likely face a high risk of a significant cybersecurity event in the next 12 months. You want options on what to do next.
Life is full of risk. Recall that as an executive, one of your primary responsibilities is to manage risk to protect your business and create an environment for it to grow and thrive.
In our opinion, you have four basic options when confronted by risk: mitigate, transfer, accept, and avoid. Note that the four options also hold for any type of risk encountered in life.
Each one should be supported by the facts and a thoughtful review. During your evaluation of options, remember that you can choose one or more in making your decision. The options are:
Mitigate: This is one of the most common techniques used to address cybersecurity risks as part of your risk management strategy. Mitigation focuses on fixing the deficiency that creates vulnerabilities and/or leveraging some other form of compensating control that contains your vulnerability.
For example, mitigation techniques we have used include patching software to close security vulnerabilities, training personnel, installing and configuring new and/or better security apparatus like firewalls and encryption devices, and adding improved physical security controls such as special access control devices.
We cannot overemphasize the importance of the business case analysis as part of your mitigation process.
If you agree it does not make sense for you to spend 10 dollars on a lock to protect a five-cent pencil, you'll probably also agree that it doesn't make sense to spend a million dollars on an IT system to protect information valued at US$500,000. Mitigation is a business decision enabled by technology to support business objectives.
Make sure you have a good business case before you invest in any mitigation technique! The right investment should jump out at you as a result of your business case analysis!
As a reminder, after you implement your mitigation steps, make sure you reevaluate your residual risk in light of the new controls and configurations you may have placed into effect.
Whenever you confront a risk, some of your first questions to your subordinates should be, “How can I mitigate this risk?” “How much will it cost?” “How long will it take?”
Transfer: While you can never transfer responsibility, you can transfer risk. You do it all the time. You likely have car, property, and life insurance policies in effect right now. You pay premiums to the insurance company, which in turn underwrites your liability based on how much coverage you are willing to pay for. Can you underwrite cybersecurity risk?
Absolutely! In fact, several insurance companies around the world now offer insurance for cybersecurity events. It is estimated that the cyber insurance market has already surpassed US$1 billion.
Accept: Often, the cost of fixing a vulnerability is more than the value of the asset you are trying to protect. Sometimes, you don't have the resources to fix the vulnerability.
Other times, you may decide that the high costs associated with mitigation are too much to pay based on the likelihood of an event and its potential impact. In cases like this, many people decide to accept the risk and allow their systems to operate with the known risk.
Acceptance of risk is a decision reserved for senior leadership and management. As an executive, insist on a formal risk acceptance process for each and every risk acceptance decision.
Ensure that all documentation regarding the risk assessment and decision-making process is complete and accurate. Also, make sure the risk acceptance decision is in writing and accepted by the senior leader making the decision. Remember, with great power comes great responsibility.
Acceptance of cybersecurity risks is a business decision senior executives will be called to make. Be ready. Know your enemy. Know yourself. Know what mitigation and transference options you may have. When you know all of these, your decision will be much easier to make and be auditable and defendable.
Avoid: Avoidance happens when you stop doing that which exposes you to risk. We exercise the avoidance technique all the time in the cyber environment.
An example of cyber avoidance is the practice of removing or disconnecting the vulnerable component or system to avoid risk. Let’s say you have a faulty old web server configured with antique software that has numerous vulnerabilities.
Rather than spending valuable staff time trying to resurrect the antique equipment and load contemporary software on it (which may or may not work on the older gear), you find it is cheaper and more effective to replace the server and software completely to avoid the risk.
Another simple example addresses the information itself. Many senior executives post their biographies online. Many post information about their spouse, children, and homes in their biographies.
What a treasure trove of information for criminals! While your business may harden your cyber defenses at work, does your family have the same cyber protection? Could a criminal or hacktivist use that information to threaten your family?
Avoiding the placement of personal and other potentially exploitable information on your website is an important risk management technique. Don’t forget to check your official biography today!
Finally, few companies operate alone. Your organization likely shares information with one or more organizations, often with so-called trust relationships, that permit transparent information sharing with the other organizations.
Opening your network to a less secure partner may impose an undue risk to your organization. Since a risk taken by one is a risk taken by all, make sure you choose your partners well.
You may very well find that you need to avoid entering into a business relationship because your proposed partner does not maintain an effective cybersecurity program.
So, what about Thesis_Scientist Corporation and their risk? What risk decisions does their CEO face? What are his options? What strategy does he adopt?
The CEO and his senior leadership team know they are at risk of losing their intellectual property and trade secret (the alloy formula) to a cybersecurity incident.
Their analysis of threat sources, potential threats, vulnerabilities, and exposure indicates they are at high risk and the estimated loss is over US$50 million. Their estimates based on available data indicate it is likely they will face an incident soon. They have a new sense of urgency to address this risk.
Based on the scenario provided, we have several risk management strategy suggestions for the Thesis_Scientist CEO and his senior executive team. Perhaps you will find these helpful considerations as you look at your own organization:
Here are our top ten recommended mitigation actions for Thesis_Scientist Corporation. You too can significantly reduce your risk by accomplishing the following mitigation actions:
1. Ensure your cybersecurity policies are well documented, that all personnel are trained on them, and that they are regularly tested.
2. Ensure your software configurations and patches are all up to date. This applies to your antimalware software, applications, and operating systems. Only use approved and tested secure software, especially operating systems. This hardens your network against attack.
3. Implement strong boundary connections and intrusion detection systems. Test them regularly through independent third-party penetration testing.
4. Implement a policy of “Deny All, Permit by Exception,” which filters all network traffic and denies all traffic not explicitly allowed. This can stop someone from “walking out the door” with your information.
5. Implement a policy of “least privilege” where users only get the privileges and access to information and services they need. This significantly reduces the risk of someone hijacking the identity of one of your employees and elevating their privileges to gain access to your most sensitive information.
6. Encrypt your data. All of it. Encrypt while it is at rest and while it is in transit. Encrypt your hard drives on your desktops, laptops, and other devices whenever possible. Make sure you have a key management system to assure you retain positive control of the keys to unlock your data.
7. Implement a robust vulnerability management program including internal and external scans. Install and use an intrusion detection system on your network.
This will provide the ability to deploy threat-specific detection signatures that will trigger immediate alarms for traffic of interest. Don’t you want to catch insider threats or external penetrations red-handed and stop them?
8. Make cybersecurity a corporate priority. Disable CD/DVD readers and USB drives by policy, and only provide that capability by the exception under controlled conditions. Make importing and exporting of data a conscious decision. Implement comply-to-connect policies to reduce threats of contamination. Tightly control remote access.
9. Invest in your IT staff commensurate with the value of the information you want to protect. Make sure you have the right team, properly trained and certified, and in the right amount to do the work you need them to do.
10. Disconnect Internet access to all critical and sensitive information that doesn’t need an outside connection. Segment your mission-critical business data from the outside world (who doesn’t need to see it) as well as from administrative functions.
This limits and/or contains the effects of compromises and also speeds recovery. Does your key intellectual property and trade secrets need to reside in the same place as your general correspondence? Generally, no. Prioritize, segment, and secure your information based on risk.
We recommend you investigate your options to insure your business against loss from a cybersecurity incident. Your discussions should cover both first-party and third-party liability coverage.
Additionally, we believe you should have conversations with multiple insurance firms before you make any decisions on risk transference as the cyber risk insurance market is still developing and wide variances in coverage, premiums, deductibles, and other factors exist.
Be a discerning shopper when it comes to insurance. Ask for quotes. Ask for referrals. Ask a lot of questions and do your business case analysis before you sign up for anything.
Your network readiness rate is at a very high level, indicating your staff is effective at meeting business operation needs, but removing the vulnerabilities indicated by the internal scanning may best be addressed by temporary technically qualified reinforcements rather than hiring additional full-time staff.
Consider accepting the risk of temporary hires of certified professionals to bring your vulnerability posture to an acceptable baseline, look to lean processes to better utilize existing staff, and defer the request for additional manpower until two months after the posture meets its objective and processes are under control.
There is an avoidance option to consider for Thesis_Scientist. Does their production system need to be connected to the Internet? What happens if they pull the plug?
They still would have to address the insider threat and removable-media attacks à la Stuxnet, which crossed an air gap on USB drives, but they can avoid the threat of remote attackers over the Internet if they disconnect external connections.
They still can maintain a connection for their administrative functions but can keep their core intellectual property and business functions insulated from external cyber attack. This is an option worth exploring.
What about BigRX? What recommendations do we have for their CEO?
BigRX appears in pretty good shape. They have disciplined processes for managing risk, and the employees seem to be well trained. Nonetheless, software testing procedures appear to be lacking, as the vulnerability analysis found the SQL injection vulnerability.
This should have been caught in the software testing process and fixed before it was put online. This is a significant problem that needs immediate remedial action.
Here are our recommendations to the BigRX CEO as he contemplates his risk decisions:
Frankly, if BigRX had not already implemented the top ten recommendations we gave to Thesis_Scientist, we’d urge them to implement the same controls. We’d also recommend the additional following specific mitigation measures:
1. Fix the SQL injection vulnerability immediately. Test the fix before putting it on the production system.
2. Reinforce your defenses while the new code is being written. Watch your web and database logs for anyone attempting access through a SQL injection technique.
3. Prevent further instances of putting the deficient code on your system by implementing disciplined software acceptance and testing protocols. Never let bad code get on your system again.
4. Implement regular external and internal vulnerability scans to better expose your risk.
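Recommendations 1 and 2 are concrete enough to show in code. The example below is added here and is not BigRX code; the `patients` table, the names, and the request-log lines are constructed for illustration, and nothing is known about BigMIMS’s actual schema. It shows the defect (user input pasted into the SQL text) beside the fix (a bound parameter), and a crude check over request logs for the injection shapes to watch for while the fix works its way through testing.

```python
"""Added example: SQL injection defect, its fix, and a log check.
The table, rows and log lines below are constructed for this example."""
import re
import sqlite3
from urllib.parse import unquote


def build_db() -> sqlite3.Connection:
    """In-memory database with a constructed sample table (not BigMIMS data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, mrn TEXT)")
    conn.executemany(
        "INSERT INTO patients (name, mrn) VALUES (?, ?)",
        [("Alice Adams", "MRN-0001"), ("Bob Brown", "MRN-0002"), ("Cara Cole", "MRN-0003")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The defect: the input is spliced into the SQL text, so a quote in the
    input ends the literal and the rest of the input is parsed as SQL."""
    sql = f"SELECT name, mrn FROM patients WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the SQL text is constant; the value is bound as a parameter
    and is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, mrn FROM patients WHERE name = ?", (name,)
    ).fetchall()


# Heuristic signatures for the most common injection shapes (recommendation 2).
# This is a triage aid, not a substitute for a web application firewall.
INJECTION_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),        # ' OR '1'='1
    re.compile(r"'\s*;\s*(drop|delete|update|insert)\b", re.I),  # '; DROP TABLE ...
    re.compile(r"union\s+(all\s+)?select\b", re.I),           # ' UNION SELECT ...
    re.compile(r"--\s*$|/\*"),                                 # comment out the tail
]


def flag_injection_attempts(log_lines: list) -> list:
    """Return the request-log lines whose 'name' query parameter looks like an
    injection attempt. Lines are assumed to carry a URL-encoded 'name=' value."""
    flagged = []
    for line in log_lines:
        raw_value = line.split("name=", 1)[-1]
        value = unquote(raw_value)  # decode %27 -> ' etc. before matching
        if any(p.search(value) for p in INJECTION_PATTERNS):
            flagged.append(line)
    return flagged


# Constructed request-log lines: one benign, two attacks, one benign apostrophe.
SAMPLE_LOG = [
    "10.0.0.5 GET /patients?name=Bob%20Brown",
    "10.0.0.9 GET /patients?name=%27%20OR%20%271%27%3D%271",
    "10.0.0.9 GET /patients?name=x%27%20UNION%20SELECT%20name%2C%20mrn%20FROM%20patients--",
    "10.0.0.7 GET /patients?name=O%27Brien",
]


def demo() -> tuple:
    """Run the classic payload through both lookups; returns (rows leaked by the
    vulnerable query, rows returned by the fixed query, flagged log lines)."""
    conn = build_db()
    payload = "' OR '1'='1"
    leaked = lookup_vulnerable(conn, payload)  # every row, not just a match
    safe = lookup_fixed(conn, payload)         # no row has that literal name
    return len(leaked), len(safe), flag_injection_attempts(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Note that the fix is not input filtering: `O'Brien` is a legitimate name, and the parameterized query handles it correctly while the vulnerable one would throw a syntax error or worse. The log check is deliberately narrow; looser rules will flag apostrophes in real names, so treat hits as items to triage rather than requests to block automatically.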
We definitely recommend that BigRX consults with insurance brokers to discuss their options for risk transference through insurance.
Unlike Thesis_Scientist Corporation, which operates in a product-based environment, BigRX operates in what many consider a service-based environment. BigRX operates in a market sector where litigation is plentiful.
They likely have very robust insurance packages addressing risks like medical malpractice. They ought to investigate adding insurance for cyber malpractice as well. Clearly, there is a risk. They owe it to their stakeholders to protect the business.
We recommend BigRX fix their SQL injection issue immediately. Unfortunately, it isn’t like flipping a switch and the problem goes away. The code will have to be written, verified, and thoroughly tested before being loaded on to the active production system.
In the meantime, we recommend BigRX consider accepting the risk of keeping the existing configuration online until the new code can make its way through the appropriate repair, testing, and delivery process. Given the urgency to fix the code, we do not believe it would take an inordinate amount of time to receive the fix.
It may be possible to remove the flawed code from BigMIMS and still be able to maintain effective operations until the new code is ready for deployment.
This is an option that may be viable but would have to be explored in greater detail before making a recommendation to implement it. A business case analysis taking into account the technical and business operations considerations is warranted.
We also would recommend to both Thesis_Scientist and BigRX that they consider investing in a cybersecurity business intelligence capability. Back in the “old days” before computers, such services used to be provided by people who clipped articles from newspapers and magazines.
Now, many companies maintain technically enabled sophisticated in-house business intelligence functions to maintain situational awareness over key items of interest in their business sector, supply chain, and other areas that possibly could affect their business.
Others subscribe to services that provide them tailored information to heighten their awareness of key market trends, threat warnings, etc. Both companies need cybersecurity business intelligence as part of their “know your enemy” early warning capability.
Cybersecurity has become a key business component, and both companies need to have the type of information a cybersecurity business intelligence function provides. It can tell you when you may be targeted for cyber attack, who is doing the targeting, and why.
Business intelligence professionals specializing in cybersecurity issues can provide you with an analysis of current threats that can prove to be invaluable in preparing your risk assessments.
Executives need solid actionable information to make operational and strategic decisions. We recommend both companies secure a cybersecurity business intelligence capability.
Risk must be communicated to be properly managed. Ask any manager whether they understand how to manage risk, and they will tell you they know how to manage what they understand.
If they understand the risk, they can manage it. Therefore, it is important to clearly communicate the risks and risk management strategies, policies, and procedures in a manner that is readily understood by key stakeholders throughout the organization.
It is easy to frighten people when it comes to cybersecurity risk. There are so many vulnerabilities and threats that it can quickly overwhelm even the stoutest heart.
Not everyone understands the lingo that has evolved in the cyber ecosystem, and some people are offended when they believe the technical community is deliberately trying to obfuscate by “speaking in technical tongues.”
Likewise, the technical community is offended when they try to communicate highly complex technical topics in the simplest terms only to be derided for “dumbing down” the conversation. Barriers to effective communication only increase your risk!
Risk needs to be communicated to several constituencies. First, it has to be communicated internally. Every employee has a stake in the business’s risk. It has been said that risk management is a team effort.
Therefore, the team needs to clearly communicate as a team. Second, there are some communications of risk based upon regulatory guidance that have to be considered.
While such communications make many executives uncomfortable, they have become a fact of life. Precision, honesty, and brevity are our three watchwords for this communication requirement. Finally, you have to communicate with your shareholders. They are the owners of your company and expect to know what risks their company faces.
Communicating Risk Internally
We submit that communicating cybersecurity risk is best done when everyone uses the same language. Communicating risk focuses on sharing information about threats, vulnerabilities, and impacts. Management can set the tone by establishing a risk management program that includes the following:
Establish a standardized risk management process:
A disciplined process yields rich dividends as you are more likely to identify threats, threat sources, and vulnerabilities and, thus, predict the likelihood of events with greater precision. Perhaps more importantly, you will have a common understanding of risk among all team members.
Define key terms and procedures on how you identify, characterize, and manage risk. Make it part of your culture and train personnel throughout the organization to follow the process.
Reinforce that while senior management owns the risk in the business, everyone has a stake in it:
This bears emphasis. As an executive, your leadership is essential to ensure that each employee understands their responsibilities in managing the risk your company faces. Everyone has a stake, if for no other reason than it will have an impact on their wallets and pocketbooks.
Ensure your team is well informed regarding the risk you face and your program to manage it:
Clearly communicate your “Five W’s”: (1) What risk you face, (2) Who has a responsibility to manage risk, (3) Where the risk is, (4) When to look for it, and (5) How to avoid it.
Establish and document a Critical Information Reporting process to maximize leadership’s risk visibility:
Key components of the process include:
Identify your key information:
It is essential for senior management to let subordinates know what information they require. Don’t keep your information needs a secret.
Identify who needs the information:
If the right people don’t know, the right actions will not occur. Management needs to let subordinates know who needs the information.
You get bonus points when you tell them what decisions you make from the information from various sources because everyone wants to know “why.”
People who know why information is needed are more likely to act with greater vigor and precision than those who feel they are just “passing on another report.”
Define the timeline for reporting:
You need to define what is a “wake me up in the middle of the night” situation versus an “it can wait until morning” event. Don’t torture your staff by making them guess what you want and when you need to know things. Tell them! Give them the leadership and clear direction they deserve!
Define the process for reporting: Does the key information go right to the top? Does it go to a central control center that filters and feeds it out? Does it make its way through the hierarchy to its destination? You need to define the flow of information from detection all the way through to receipt by the person who needs the information.
Define the reporting format: Clearly defining how the reporting message is conveyed beforehand will save time, money, and angst.
Your personnel often will detect threats and vulnerabilities that yield risk well before the C-suite even imagines it.
Empower your employees to sound the alarm and incorporate procedures in your risk management process that employees can use to identify risks.
Most companies already have safety programs to minimize the risk of industrial accidents where employees can identify threats and vulnerabilities to management.
They have been very successful in reducing accidents. Note that when employees identify safety risks and report such risks expeditiously, most employers make a big deal out of it and frequently give awards, sometimes in cash. Do you have a similar program to minimize cybersecurity risk? If not, why not?
Control and monitor your risk with metrics: Let your personnel know how they are doing in managing risk through visible metrics that are shared throughout the organization.
Celebrate risk management successes: Praise and award star performers and teams. “Success breeds success” and positive messages about risk management will encourage your team to perform at high levels.
We submit that your people are your most valued and treasured resource. Successful businesses have great processes. Great businesses have great people who manage great processes.
To make sure you have a great risk management process, ensure that you invest in your workforce and clearly communicate, communicate, communicate, and listen.
On October 13, 2011, the Securities and Exchange Commission (SEC) Division of Corporation Finance issued “CF Disclosure Guidance: Topic No. 2, Cybersecurity” (CF DG 2), which substantively changed the way businesses communicate cybersecurity risks.
As an executive, you are well advised to be aware of the content of this guidance and understand how it affects you and your business.
The mission of the U.S. SEC is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation.
Created in 1934 during the height of the Great Depression, the SEC has a long history of interaction with American business and those foreign firms who do business in the United States. The SEC seeks to foster a competitive climate that will prevent another Great Depression from occurring.
The SEC is led by five commissioners, appointed by the president and approved by the Senate, who oversee the commission. Its responsibilities include:
Interpret and enforce federal securities laws
Issue new rules and amend existing rules
Oversee the inspection of securities firms, brokers, investment advisers, and ratings agencies
Oversee private regulatory organizations in the securities, accounting, and auditing fields
Coordinate U.S. securities regulation with federal, state, and foreign authorities
The SEC interprets U.S. law and issues rules and regulations to implement those laws. These rules and regulations go through a deliberate process that often starts with the public release of a rule proposal with a 30–60-day comment period for the public to provide comments.
After the comment period, the commissioners consider the public comments and, after any requisite editing, vote on the proposed rule. Upon agreement of the commissioners, the rule goes into effect and has the force of law.
The SEC CF DG 2 guidance emerged during a period of great national debate regarding cybersecurity and the government’s role in developing a series of laws and policies to address the growing cybersecurity risk environment.
At the time of issuance of the SEC guidelines (and even at the time of this writing), there were no national-level regulations backed by the force of law that applied to business reporting of cybersecurity risk to shareholders and potential investors.
While CF DG 2 explicitly states that “This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission…,” evidence points to it being applied as if it were.
CF DG 2 calls for public companies to disclose cybersecurity risks and cyber incidents in the following six areas:
Risk factors:
If your company is registered with the SEC, the guidance calls for you to disclose “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” How do you determine whether these incidents are significant enough to disclose?
The SEC believes you should “consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.” You should also “consider the adequacy of preventative actions.”
This rhetoric is considered highly controversial. Couldn’t the public disclosure of such detailed information serve as an invitation to hackers to visit? We think so, and even the SEC acknowledges that.
They state in the guideline, “We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts…by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security…and we emphasize that disclosures of that nature are not required under federal securities laws” [emphasis added].
Nonetheless, the guideline calls for specific information to be disclosed. The guideline goes on further to state that your disclosure should “avoid generic risk factor disclosure” and you need to be prepared to discuss specific attacks and their “known and potential costs and other consequences.”
They conclude their discussion on risk factor disclosures by stating, “…registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.”
While the SEC is noble in their objective of informing shareholders and potential investors through the disclosure process, we advise great caution when addressing these cyber-related disclosure guidelines.
Advertising your vulnerabilities to potential foes is dangerous and may invite bad actors to see just how vulnerable you are.
We believe the SEC recognizes this and is using its administrative leverage to spur businesses to invest prudently in cyber security so that they, in fact, do not have significant vulnerabilities that can be exploited.
Regardless of the underlying intent, public disclosures of your cybersecurity risk can have a profound influence on your brand reputation, consumer confidence, and (ultimately) your bottom line.
Craft your risk factor disclosure carefully when disclosing cybersecurity risk information. Make sure you have your best lawyers drafting it and have your technical staff review it to advise whether your disclosures present additional risk. Pay close attention to this disclosure!
Management’s Discussion and Analysis (MD&A) of the financial condition and results of operations:
The MD&A is an essential part of your annual report that allows you to provide a narrative explanation of your company’s financial statements. It often is referred to as telling the story “through the eyes of management.”
Your MD&A can improve your overall financial disclosure by providing context to the financial information presented in the rest of the report and presents a venue where you can provide information about your company’s earnings and cash flow (among other important financial disclosures).
Shareholders and potential investors alike use this information to make judgments about the likelihood that past performance is indicative of future performance.
The SEC recognizes the importance of the MD&A in the disclosure process and advises in the guidelines that registrants should address cybersecurity risks and cyber incidents if “the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”
Fear not, though, as, in your MD&A, you can use and take advantage of the narrative in this disclosure to inform shareholders and potential investors what bold and strong management controls you have taken to reduce your cybersecurity risk and eliminate vulnerabilities.
Remember, though, that you can only reduce your risk, not entirely eradicate it. We hope that investors recognize this fact of life.
Description of business:
CF DG 2 states, “If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s Description of Business.”
This is tricky and consultation with legal counsel is warranted when you discuss this during your disclosure deliberations.
What if you have a business partner who has a cyber incident and that incident is a consideration contributing to you not renewing your contract with that partner? One could make the argument that you should disclose that under this provision.
Yet, what if you want to leave the door open for a future relationship with that company? Disclosing that you dumped a business partner because of a cyber incident or risk can have positive and negative consequences. Be careful in how you characterize your business and its relationships.
Legal proceedings:
This part of the guideline is fairly straightforward. If you are engaged in litigation due to a cyber incident, you are instructed to disclose it in your “legal proceedings” disclosure.
Financial statement disclosures:
Cybersecurity risk management drives financial decisions, and SEC guidelines call for you to appropriately characterize your expenditures associated with cybersecurity in your financial statements. You make investments to prevent cyber incidents.
You may have a cyber incident that results in a loss, diminishes cash flows, or drives you to further investment in response. The guidelines call for you to ensure that your financial statements disclose “the nature of” cyber incidents and an estimate of their financial effects.
Further, registrants must explain any “risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements.”
As with all financial statements, precision and brevity are imperative, but you may find it difficult to accurately characterize all cyber-related costs. For example, how would you determine what loss of cash flow can be directly attributed to a cyber event? The inquisitive minds at the SEC want to know.
Disclosure controls and procedures:
In the aftermath of major corporate and accounting scandals such as those at Enron and Tyco International, the U.S. Congress passed the Sarbanes–Oxley (SOX) Act of 2002.
The law was intended to provide greater accountability and oversight over corporate finances to better protect shareholders’ interests as well as the greater economic health and well-being of the market.
Other nations have adopted similar legislation, and executives have become abundantly familiar with the internal control processes and procedures the act promotes.
Internal control processes often are reliant on automated reporting mechanisms, information contained in computer databases, and other cyber-reliant sources.
Management is required under law to certify the integrity of their internal controls process. Yet, what do you do if a cyber incident affects one of your data sources or internal control processes?
CF DG 2 addresses that and reminds registrants that you must consider any effects of cyber incidents that may cause deficiencies in your disclosure controls and procedures and make appropriate disclosures.
This raises the question, “How do you issue a certification of your disclosure controls and procedures if you had a cyber incident that potentially tainted your information or processes?” While we recommend you consult with your general counsel, our visceral default response is “always be honest.”
Why Disclose? We believe the SEC’s Division of Corporation Finance is strongly encouraging cybersecurity disclosure to accomplish two objectives:
Bring cyber threats to light and prompt companies to invest in adequate cybersecurity controls.
Provide a mechanism to inform shareholders and potential investors about the cyber risk to which companies are exposed.
Are these objectives appropriate? Should government guidelines steer you to disclose your cybersecurity risk information or should you do so voluntarily?
Answers to these questions depend on who you are and where you sit.
Some people will argue that the objectives are appropriate based upon the SEC’s charter from Congress to act “as necessary or appropriate in the public interest or for the protection of investors.”
There certainly is a good case to be made that the public at large and potential investors would want to know whether a business has a significant cyber risk. After all, who wants to put their money into a bank that is likely to fall victim to cyber theft?
On the other hand, some argue that Congress has not enacted laws directing these actions, so the guidelines are presumptive and perhaps representative of government overreach. They argue that the commission is shaping public policy without a warrant from the people’s representatives in Congress.
They contend that if the people really want disclosure requirements, they will direct so through the law. In the meantime, these people believe the SEC should limit their actions to what the law explicitly dictates. Should you disclose in accordance with the guidelines? We leave that determination to you and your advisors.
Reasons to Not Disclose. There are three primary reasons why you may not disclose cybersecurity risk in accordance with the CF DG 2 guidelines:
First, you don’t know what your cybersecurity risks are.
Second, if you do disclose your cybersecurity risk, you may attract hostile bad actors who will try to exploit your vulnerabilities and damage your business.
Third, if you do disclose your cybersecurity risks, you may face multiple negative effects, which could include but are not limited to:
Loss of investor confidence
Increased risk of liability lawsuits
Loss of brand reputation
Loss of share value
These three are all legitimate reasons cited by companies as to why they are reticent to publicly disclose cybersecurity risks and incidents in great detail. Do you and your company share in these concerns?
How to Disclose. SEC regulations direct several reporting mechanisms that should be used to report cybersecurity risk:
Annual report, Form 10-K
Quarterly report, Form 10-Q
The current report, Form 8-K
Both the annual report and the quarterly report are well-established report formats with which companies and their staffs are very familiar. Under provisions of the CF DG 2 guidelines, specific information regarding cybersecurity risk and incidents is now expected to be included in the reports as spelled out in the CF DG 2.
The current report, Form 8-K, is used when any “material events” arise inside the timelines directed for the quarterly and annual reports. Examples include bankruptcies, “material definitive” agreements, amendments to articles of incorporation, and “other events.”
What are “material events”? Lawyers have argued over the definition and interpretation of those words for years and likely will do so for years to come. Let’s use the definition the Supreme Court used, a “…fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote.”
Given the Supreme Court definition of “material,” is it reasonable to assume the expectation of the shareholder is that they want to know if you have cybersecurity incidents and risk as key information as they consider their votes? We believe such an association indeed would be made by a reasonable person.
However, as we discussed earlier, incidents or events can have a broad range of impacts, some inconsequential and others devastating.
Notwithstanding the opinion of the Supreme Court, shareholders expect company management to exercise good judgment in assessing and reporting upon “material” occurrences. It does not appear that the SEC has considered or provided insightful guidance on that subject.
What would we do? We would convene our management and legal counselors and together decide what in our considered judgment serves the best interests of our shareholders. Readers should not lose sight of the fact that the management and the board frequently represent a substantial percentage of ownership.
What If You Don’t Disclose?
Given the reasons not to disclose cited earlier, and the CF DG 2 statement that its guidance “is not a rule, regulation, or statement of the Securities and Exchange Commission” and that “the Commission has neither approved nor disapproved of its content,” there doesn’t appear to be any statutory or regulatory requirement that demands that you disclose your cybersecurity risk information through the annual, quarterly, or current reports.
So why do it? What’s the worst that can happen if you don’t include it in your reporting?
Preparing disclosure reports is not a trivial task and involves noteworthy analysis and production costs, including the use of high cost outside professional services.
As we’ve learned in our discussion of quantitative and qualitative risk assessments, determining cybersecurity risks can be difficult to quantify and characterize.
Moreover, communicating your cybersecurity risk to potentially hostile bad actors may invite further trouble as hackers and other threat sources attempt to exploit your vulnerabilities. At first blush, withholding detailed cybersecurity risk information from public disclosure may be in your shareholders’ best interest.
The SEC doesn’t see it that way. While they officially maintain a voluntary disclosure program, their staff repeatedly has pushed companies to disclose cyber attacks. There are several reports of SEC using aggressive tactics to encourage companies to disclose cyber attack information. This is not surprising.
According to Peter Henning, a former SEC lawyer, the SEC can force disclosure without making rules because companies need to stay on good terms with the regulator, which reviews their financial filings and can “make things difficult.” Resisting a letter from the agency can be costly, amounting to US $250,000 in legal fees, according to Henning, even if the company is found to be fully compliant.
“If it’s complex, your lawyers write drafts in response, you have conference calls with them,” he says. “The SEC knows that’s their power. If you want to litigate with them, it costs millions.”
What if you want to take on the SEC and their aggressive tactics? What is the worst that could happen?
According to the SEC, they are first and foremost a law enforcement agency. They investigate violations of securities and exchange laws and initiate civil and administrative actions to address them.
Common violations that may lead to SEC investigations include:
Misrepresentation or omission of important information about securities
Manipulating the market prices of securities
Stealing customers’ funds or securities
Violating broker-dealers’ responsibility to treat customers fairly
Insider trading (violating a trust relationship by trading on material, nonpublic information about a security)
Selling unregistered securities
If the SEC initiates a civil action against your company, you face the possibility of:
An injunction that prohibits you from further violations of the securities laws
A monetary penalty
The return of any profits that were deemed to be acquired through illegal means
A bar or suspension of directors and officers of the corporation
In the event you violate the judgment of the court in the civil action, you face contempt charges, with accompanying fines and possible imprisonment.
If the SEC initiates an administrative action against your company, you face the possibility of:
Sanctions including a cease and desist order that freezes your activities
Suspensions or revocation of registrations
Bars from association with regulated firms
Is “the juice worth the squeeze” to contest the SEC’s CF DG 2 cybersecurity disclosure guidelines? Major companies such as Google and Amazon concluded it wasn’t. After repeated volleys of requests for further cybersecurity information, Google and Amazon relented and edited their disclosures to satisfy SEC staff demands.
Sooner or later, you will need to make decisions on how and what cybersecurity information to publicly disclose. Choose wisely.
Communicating with Shareholders
While the SEC disclosure requirements mentioned previously arguably could suffice as a means of communicating cybersecurity risk and incidents to shareholders, we don’t believe SEC reports should be the primary means of communicating with your shareholders.
Your shareholders are increasingly sophisticated and appreciative of the risks presented in a cyber-enabled marketplace.
While they may not understand the technical underpinnings behind them, the vast majority of your shareholders understand that cybersecurity risks exist and they expect you, the executive, to properly set conditions to protect their investment by mitigating that risk.
The severity of a cybersecurity incident could range from a very minor event to an existential threat to your business. You need to have a plan on how to communicate regularly with your shareholders so they retain confidence in their business, that their investment is in good hands, and that you are in control.
Here are some suggestions on how to best communicate with your shareholders.
Ask them how they want to hear from you:
Surprisingly, many companies do not even ask their shareholders what their preferred means of communications are. I prefer to receive emails and electronic reports yet still get piles of paper-based prospectus information in the mail that ends up shredded and recycled.
Disposing of the paper products is time-consuming and just increases my frustration. Do you ask your shareholders how they want you to communicate with them? Do they prefer letters?
Email? Phone calls? Web chats? Videos on your website? There are many options. We suggest you let your shareholders pick their preference.
Ask your shareholders what kind of information they want:
Nobody looks forward to receiving spam, even when it is from your company. Don’t waste company resources sending out unsolicited and undesired information. Do shareholders want to know when you have cybersecurity risk?
Do they only want to know when you are attacked? Or do they not care to know at all as long as the company stays safe, under control, well managed, and profitable? You’ll never know unless you ask them!
Solicit communications from your shareholders to you:
Not every shareholder has the means of attending stockholder meetings where they can give you direct feedback. For most shareholders, sending an email or a letter is the primary means they use to communicate with you and your staff.
When you receive a letter or email from a shareholder, make sure you answer it completely and quickly, and by all means, make it warmer and more pertinent than the responses you get back from Congressmen and Senators!
Have a plan to communicate in crisis:
A cyber attack could pose an existential threat to your business, placing your shareholders’ equity at risk. You ought to have a plan on how to communicate during a crisis. Here are some best practices for communication during a crisis:
i. Get yourself a world-class Public Relations consultant:
Believe us, it’s no fun sitting in front of a bank of twelve microphones while TV cameras grind and facing questions from a bunch of hungry reporters who want you to tell their listeners and viewers why you were so damned stupid to let this mess happen to begin with.
Based upon hard experience, immediately consult with an accomplished public relations specialist. We did and defused a couple of situations that, although they were difficult, could have been terminal financially.
ii. Communicate early and often:
It is essential to have open lines of communication with your shareholders and to remember that communication goes both ways. When confronted by a crisis such as a cyber attack, the early hours after the event are critical and set the tone for the duration of the crisis. When communicating with your shareholders, be prepared to answer these questions:
Where did it happen?
When did you find out?
What are you going to do about it?
Who’s to blame?
Were there warning signs?
How will you prevent it from happening again?
What does this mean for us?
iii. Take responsibility:
Don’t beat around the bush. Take responsibility, express regret, apologize as appropriate, and decisively inform your shareholders what your next steps are to address the problem.
iv. Speak with one voice:
Ensure your message is consistent throughout the organization. Centralized control of information and talking points has proven to enhance the accuracy and timeliness of information.
v. Establish a crisis team:
Create and train a crisis team (including your PR specialist) as part of your business continuity planning effort. Operate a command post to coordinate and synchronize response efforts. Establish a scheduled rhythm to share information with your shareholders and other key stakeholders.
vi. Plan for the worst:
While you hope for the best, you need to plan for the worst. Anticipate having to deliver and respond to bad news. Have your script ready. Don’t “wing it” in delivering your message, and by all means, do not deviate from the central message or ad lib or try to be the least bit humorous. You must convey that this is a serious situation and you are acting accordingly.
vii. Get your message out:
Communicate, communicate, and communicate. These are the watchwords of crisis communications. There are plenty of ways to get your message out to your shareholders:
Television and radio commercials
Website postings (including video messages)
Your shareholders trust you to protect their investments. They expect you to professionally manage their company and deliver success. They also expect you to keep them informed. Do so in a manner that retains their trust and confidence in your abilities.
ORGANIZING FOR SUCCESS
Many companies have come to realize that they need disciplined processes and procedures to forecast, measure, and control risk. Great companies do something about it, and more often than not, they implement organizational structures specifically to address risk.
Risk Management Committee
An example of specific organizational structures to manage and control risk is found in the proliferation of risk management committees at the corporate level. It is not unusual for corporate boards of directors to establish committees to address auditing, compensation, and governance.
Now, many companies have added committees to focus on risk management. We believe this is a terrific concept, particularly in regard to improving cybersecurity risk management.
Committees are formally chartered by corporate boards of directors to provide oversight and governance over key functions of the business. Charters include direction regarding board purpose, membership, organization and operations, duties and responsibilities, reporting requirements, resources and authorities, meetings, and other needs of the board.
It is important that the board chart the course for the committee yet recognize that the charter should be reviewed regularly for any changes or improvements.
Risk management committees usually consist of nonmanagement directors. This is important as nonmanagement directors are more likely to be unfettered by the organizational bias that often accompanies management positions.
Likewise, because it is highly unlikely that the nonmanagement committee members were participants in the detailed decision-making that led up to an emerging risk, they are more likely to focus on the risk rather than the daily running of the business.
Many companies have discovered this alignment to be powerful and one that delivers excellent results.
Risk management committees monitor and control the “material enterprise risk” of the organization. Typically, they are the approval authority for and provide oversight of management proposals, leading to the creation and subsequent assessment of a risk management framework submitted for approval by the board.
The framework includes the definition of the categories of risk, standards in relation to each category, and an approach to risk tolerances adopted by the company.
These standards will be reviewed periodically (and at least annually) to take into account changes in the internal and external environment as well as reports and findings of the audit committee as it relates to the performance of controls.
Cybersecurity is increasingly at the top of the agenda for risk management committees. Because it is, the risk management committee must have the resources it needs to posture itself to make informed decisions.
One of these resources is quality information and insight into the business. Quality information yields quality decisions, which yield quality results.
When it comes to cybersecurity risk, in addition to close communication with business unit directors and officers, the risk management committee should have very close communication with the CIO, who should provide the committee with information regarding architectures, performance and expenses, and other information regarding the information systems that drive the business.
Similarly, the committee should be in close communication with the chief information security officer (CISO), who should provide the committee with information on cyber vulnerabilities and threats.
Another critical resource the risk management committee needs is threat awareness. If the organization has a business intelligence function that focuses on external threats, they should be tightly coupled with the committee.
If the organization does not have a function such as this, the committee is urged to recommend that the company should contract or subscribe for such a service to aid in maintaining comprehensive threat awareness.
A third and critical resource for the board is the technical awareness to understand the challenging and complex cyber environment. While members of the risk management committee do not need to be certified technical experts, they need to have a basic understanding of both the business and the technology that supports it in order to make the best decisions.
We are familiar with many boards of directors that have invested in continuing education to ensure their directors, including members of the risk committee, have the requisite contemporary knowledge to stay “on top of their games.”
As an example, a colleague of ours who has been in corporate America for over 50 years and currently serves as a director on several boards says about his continuing education, “I may not be able to see or hear as well as I did, but I can still smell when crap is being shoveled my way!”
The takeaway for you regarding technical awareness is that the committee has to understand cybersecurity to understand its risks. You need to plan to invest in your committee’s continuing education to keep them current!
Corporate risk management committees largely have been very successful in helping to highlight, manage, and control risk.
Board-level oversight of management’s efforts to manage and control risk is appropriate and fosters more disciplined, professional, and complete risk identification, accounting, and control. If your business does not have a risk management committee, we highly recommend you consider creating one.
A closing thought is in order based upon the foregoing discussion of the risk management committee. It is the job of the board of directors to direct, and the job of managers to manage. To forget this aphorism is an invitation to trouble.
Chief Risk Officers
Many companies invest in chief risk officers who support directors and officers in the strategic management of the corporate risk program.
For some firms, the investiture of a senior executive designated with strategic responsibilities over the corporate risk program yields improvements in compliance, strategic planning, and governance.
Because the chief risk officer (CRO) is a relatively new position, many organizations that have appointed one haven’t yet mastered how to integrate the role into their management structure. The successful (and satisfied) ones typically report to the CEO for their daily duties.
They oversee the strategic risk management program, its processes, and its metrics. The CRO ensures that processes are maintained and current and that personnel are trained in accordance with corporate objectives.
The CRO often also oversees compliance programs, working with the general counsel and across business units to ensure that compliance actions and reporting are accomplished. Frequently, the CRO interacts with outside professional, legal, accounting, and public relations (PR) consultants.
While corporate CROs are now emerging as powerful and important senior executives, some boards wisely are asking whether they need both a risk management committee and a CRO.
Many companies that have both report that they intend to keep them. An example is KeyCorp, a US $87 billion asset regional bank headquartered in Cleveland. They have had a board-level risk management committee and a CRO for several years.
According to the bank’s senior executive vice president and CRO, the risk committee’s primary role is to establish the “risk appetite level” for the bank’s various business lines, expressed in the form of measurable data like nonperforming loans or customer service complaints, and “it’s part of my job to translate that appetite into a risk control structure for the company.”
That control structure includes a risk reporting process where the CRO regularly provides the committee with a variety of forward-looking metrics that will not only tell the committee what the bank’s risk profile is today but also where it might be trending in the future.
KeyCorp’s risk committee meets six times a year, “so every other month we’re also having face time with the [committee members],” says the CRO.
How you organize to manage your risk successfully depends on your company, its goals, and the threats it faces. If you haven’t already done so, we strongly urge you to consider establishing a risk management committee as part of your corporate board structure.
The committee should be chartered to provide strategic oversight and governance over management’s risk management program and should determine a “risk appetite” measure for the board’s consideration and approval.
If your company is complex, faces significant risks across many business functions, and has the means, you may want to consider investing in a CRO to provide the strategic and operational management of your company’s formal risk management program. Those companies that have made that type of investment generally reap positive rewards.
Qualitative risk assessments are a popular method of calculating cybersecurity risk and present potentially preferable means of determining cybersecurity risk for businesses, in contrast with quantitative risk assessments.
Qualitative risk assessments do not utilize detailed calculations to assign monetary values to assets and losses like the quantitative method.
Rather, the qualitative risk assessment method recognizes the difficulty present in assigning realistic values to information and the likelihood of risk. As such, this qualitative method provides relative measures of risk and asset value based on ranking specific items into categories such as high, medium, or low or on a numeric scale.
While not as precise as the quantitative method, they generally are faster, easier, and less expensive to produce and give senior decision-makers actionable information in a timelier manner. Moreover, in most respects, results are easier to understand.
We recommend you consider investing in a cybersecurity business intelligence capability. Many companies maintain in-house business intelligence functions to maintain situational awareness over key items of interest in their business sector, supply chain, and other areas that possibly could affect their business.
Others subscribe to services that provide them tailored information to heighten their awareness of key market trends, threat warnings, etc. Your business needs cybersecurity business intelligence as part of your “know your enemy” early warning capability.
You can manage risk through mitigation, transference, acceptance, or avoidance. Whatever technique you decide to implement to manage risk ought to be influenced by a business case analysis. If you do your business case analysis well, the right decision should jump out at you!
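To make the qualitative method and the treatment choices above concrete, here is an added worked example (not code from the book or from any company it describes). It scores a small risk register on high/medium/low likelihood and impact scales, ranks the results for a committee, and uses a board-approved “risk appetite” level to decide whether acceptance is still an option or whether mitigation, transference, or avoidance must be weighed in the business case. The three-point scales, the rating matrix, the appetite setting, and the sample hospital-network risks are all assumptions constructed for this illustration.

```python
"""Qualitative risk register: ordinal likelihood and impact ratings are combined
into a relative risk level, ranked, and checked against a board-approved risk
appetite. The scales, rating matrix, appetite and sample risks are assumptions
constructed for this example, not values from the text."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed 3x3 rating matrix: (likelihood, impact) -> overall risk level.
# Impact is weighted slightly above likelihood so that rare-but-severe events
# (e.g. a large patient-record disclosure) are never dismissed as LOW.
RATING_MATRIX = {
    (Level.LOW, Level.LOW): Level.LOW,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}

# The four treatment options named in the text. "accept" is the only one that
# leaves the risk where it is, so it is reserved for risks inside the appetite.
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Level
    impact: Level


def rate(risk: Risk) -> Level:
    """Relative risk level from the ordinal ratings; no monetary values involved."""
    return RATING_MATRIX[(risk.likelihood, risk.impact)]


def prioritize(risks):
    """Rank for the committee: highest rating first, ties broken by impact,
    then likelihood, then name so the order is reproducible."""
    return sorted(risks, key=lambda r: (-rate(r), -r.impact, -r.likelihood, r.name))


def allowed_treatments(risk: Risk, appetite: Level):
    """Options the business case may choose among. Above the appetite,
    acceptance is off the table; choosing among the rest is the business
    case's job, which this function deliberately does not pre-empt."""
    if rate(risk) <= appetite:
        return TREATMENTS
    return tuple(t for t in TREATMENTS if t != "accept")


def register_report(risks, appetite: Level):
    """One line per risk, in priority order, flagging anything above appetite."""
    lines = []
    for r in prioritize(risks):
        flag = "ABOVE APPETITE" if rate(r) > appetite else "within appetite"
        lines.append(
            f"{rate(r).name:<6} {r.name:<44} L={r.likelihood.name:<6} "
            f"I={r.impact.name:<6} {flag}: {'/'.join(allowed_treatments(r, appetite))}"
        )
    return lines


# Constructed sample register for a fictitious hospital network.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing VPN gateway", Level.HIGH, Level.HIGH),
    Risk("Lost unencrypted laptop with patient records", Level.MEDIUM, Level.HIGH),
    Risk("Phishing-driven credential theft", Level.HIGH, Level.MEDIUM),
    Risk("Visitor Wi-Fi outage", Level.MEDIUM, Level.LOW),
    Risk("Vendor SLA breach on billing support", Level.LOW, Level.MEDIUM),
]

if __name__ == "__main__":
    # Assumed board-approved appetite: MEDIUM risks may be accepted, HIGH may not.
    for line in register_report(SAMPLE_RISKS, appetite=Level.MEDIUM):
        print(line)
```

The rating matrix is the part a committee actually debates: whether a low-likelihood, high-impact item (a major record disclosure) rates MEDIUM or HIGH is a statement of appetite, not arithmetic, which is why it is a lookup the board approves rather than a formula. The report keeps the treatment decision open and only removes “accept” for risks above appetite, leaving the choice among mitigate, transfer, and avoid to the business case analysis.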
Risk must be communicated to be properly managed. It is important to clearly communicate the risks and risk management strategies, policies, and procedures in a manner that is readily understood by key stakeholders throughout the organization.
You must communicate risk internally within the company to its employees and those who manage and control the risk. You must consider disclosing risk through channels identified by regulatory rules and guidelines. You also must regularly communicate risk to your shareholders, both in times of calm and times of crisis.
Organizing well can lead you to success when addressing cybersecurity risk. We recommend chartering a risk management committee at the corporate board level to provide strategic governance and oversight over your corporate risk management program.
We believe it is imperative that your risk management committee establish the “risk appetite” level for your business and work with senior management to ensure that the requisite processes and controls are in place and used to minimize your corporate risk.
If your company is complex, faces significant risks across many business functions, and has the means, you also may want to consider investing in a CRO to provide the strategic and operational management of your company’s formal risk management program. Those companies that have made that type of investment generally reap positive rewards.