
Bringing people, processes and tools together for cyber risk management | NAVEX

[author: , Radical Compliance]

Last month I wrote an article for this blog on the Securities and Exchange Commission proposals for greater disclosure of cybersecurity issues. We’ve reviewed some of the governance disclosures that boards may need to make, as well as the practical challenges of assessing whether or not a cybersecurity incident is material.

Another important element of these proposals must also be considered: how management defines and exercises its oversight of cybersecurity on a day-to-day basis. For example, the SEC proposal would require companies to disclose in the annual report:

  • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risks, including preventing and resolving specific incidents
  • How these people or committees are informed and monitor cybersecurity incidents
  • Whether and how often management reports to the board (or a committee of the board) on cybersecurity risks

We don’t yet know when the SEC might adopt final rules on cybersecurity oversight, or what those rules might look like. That said, it’s clear that the SEC wants senior corporate executives to think about how they handle cybersecurity threats and how they translate these technical issues into a business context that the board can understand.

These are goals that every organization should pursue, regardless of any SEC requirements. So let’s look at how to achieve them and the role risk and compliance managers can play.

Start by bringing the right people together.

First, understand that cybersecurity threats come from many different directions. You might have excellent technical controls, but employees who still fall victim to phishing attacks; you might have a security-conscious workforce, but misconfigured devices and software. You might have strong technical controls and a savvy workforce, but nobody has grasped the full extent of your regulatory obligations, so the one cyberattack in a million that does succeed leaves you with massive enforcement and litigation costs.

To combat such a multi-headed threat, a sensible strategy (telegraphed by the SEC in the first point above) is an internal risk committee that talks about cybersecurity and how it might affect your particular business.

The CISO is the logical candidate to chair this committee, but compliance, the legal team, and representatives from other important front-line and second-line functions should all be on this committee as well. So ask yourself:

  • What are our business plans? How do they evolve, if at all?
  • What security threats exist? What new threats or tactics are emerging?
  • What regulatory obligations do we have regarding privacy, security and incident response? Have these regulations changed at all?

The goal here is to understand how a cybersecurity threat could hit your business. This may be a new type of attack from outside your organization; perhaps internal operations have changed (an expansion, acquisition, downsizing) and controls or policies that worked before no longer work. Or perhaps the regulatory environment has changed and the costs of non-compliance have increased enough to warrant new policies or controls.

Whatever the circumstances, an internal risk committee can identify these cybersecurity challenges and decide on the solutions: new technical controls, new policies, more training or any other action. But without this internal committee, different parts of the business grapple with cybersecurity threats while operating in silos. It’s a surefire way for critical steps to get overlooked.

To support this work, several risk management and compliance capabilities will become more important. Among them:

  • Scenario planning
  • Business continuity
  • Collecting documentation from third parties

These capabilities help your internal risk committee anticipate operational and compliance risks that arise from weak cybersecurity. Then you can set remediation priorities as needed and ensure that these remediation steps are completed in a timely manner.

Tell the board about business risks, not IT details.

Even after identifying your cybersecurity risks and developing a plan to address them, senior management should still inform the board of these issues – and you should inform the board in a way that helps directors make decisions rather than leaving them confused or unclear about the risks involved.

For example, the following two sentences deal with the same problem:

  • “We encrypt all personal data in our possession and require that of our third parties, although we strive to obtain security audits for our major technology providers.”
  • “We are confident that we are GDPR compliant in our own operations, but we are still working to ensure this with our IT supply chain; either we accept this regulatory risk or we bring certain IT operations in-house.”

Which is more helpful to the board? The second, because it helps directors understand the trade-off between two objectives: lower costs in exchange for higher regulatory risk. Then the board and senior management can have a more productive conversation about what to do next.

Whether the CISO or the compliance officer leads these briefings with the board, the goal should always be to explain how cybersecurity issues affect the company’s ability to achieve its goals. When you bring the right people together in your business and use technology to provide the risk analytics capabilities you need, compliance and risk management teams can deliver the insights that CEOs and board directors need to guide the entire organization.

And really, who needs an SEC rule to see that it’s a good idea?

For more information on how to handle this in your organization, see some of the NAVEX resources related to cybersecurity, risk and compliance.

See the original article on Risk & Compliance Matters