This conversation examined why the current approach to managing cyber risks by boards is no longer sufficient. It highlighted the key questions boards should be asking executives: What are our top cyber risks and how much exposure do they represent; where are we allocating resources and dollars; and how effective are our investments in risk reduction.
This is an edited transcript of a presentation by Paul O’Rourke, Global Cyber Security and Privacy Impact Centre Leader at PwC.
The increased role of boards and the CEO in cyber risk oversight is driving demand for better methods to measure and articulate the business and economic impacts of cyber risks.
Cyber security breaches erode companies' share prices permanently and have resulted in billions of dollars in market valuation being erased since 2013; as new regulations require better breach reporting, financial markets will respond.
Companies are becoming digital, and current approaches to cyber risk management must evolve from subjective, checklist- and compliance-driven methods to data-driven risk models.
This session is not about cyber security; it is fundamentally about cyber risk. For the last 15-20 years we have been very focused on the fundamental issues of cyber, security and controls. But if you truly want to address cyber at an enterprise level and a board level, it has to be managed as an enterprise risk. And no matter what information you pick up today, cyber risk is always one of the top three enterprise risks.
One comment that we often hear from boards is, ‘yes, this is a major issue. We understand it's a risk issue and it's the one risk that we are the least comfortable with’. Part of the problem is that for too long cyber has been approached as a security issue. But if we flip it around, risk is the problem. Cyber security is the answer. Cyber security is a control we put in to address the risk. If we approach it as a security issue we will be forever chasing our tail on budgets. That's where a lot of boards are today and the expression we hear most often is ‘We have fatigue around cyber, we've heard the story for years, we put a lot of money into it, but we don't seem to be getting anywhere’.
Three fundamental questions that board directors should be asking:
Am I spending the right amount of money on cyber?
Am I spending it in the right areas?
And most importantly, is my expenditure reducing my risk position?
These all sound fairly intuitive and logical. But they are rarely asked at board level. More importantly, the board packs that are being put up are rarely sufficient to allow boards to execute their governance role. That's part of the problem we have today around cyber.
At a lot of organisations, cyber risk is not being managed as an enterprise risk and the information being reported up to boards through board packs and meetings is not contextual to the problem. A lot of it is latent and, by the time it gets there, out of date. It's not balanced in terms of both lagging and leading indicators and doesn't provide the risk contextual information to allow board members to execute their roles. If we are to truly move the needle on cyber, on both understanding the risk issue and managing it going forward, we need to get better at this.
A lot of board members ask if this is fundamentally a Financial Services issue. Five to ten years ago it was, but today every sector is just as much at risk. Financial Services is probably more mature, but mainly the banks. Insurance companies are just as exposed as other industries because they haven't invested as much as banks. Attackers have just moved their risk profile and where they target to the areas of easiest exploitation. We are now seeing exploits across all sectors. Last year we saw some major hospitals brought down in Victoria. This year we've seen a major logistics carrier in the market targeted and the CEO being very open about the damage it's done to the business.
Cyber hackers are very egalitarian. They target all businesses of all sizes in all sectors. This surprises a lot of people outside of core regulated industries or Financial Services where they think it's not as relevant for them. However, in the last two to three years, cyber hackers have become very aggressive with the use of ransomware. This entails an attack that basically freezes all your systems and prevents them from being recovered unless a ransom is paid. There are other ways to recover, but they entail risks and time. Ransomware is easily deployed across any organisation in any sector and is more easily targeted to those organisations that haven't invested as much in controls, probably outside of core financial services.
People often think only in terms of direct losses as being the major impact of cyber threats. However, far and away, the biggest impact is reputational. This is probably also the most difficult for organisations to manage, particularly as we start to look at cyber in a risk context.
Financial losses are both direct and indirect. Direct loss is the amount of money lost as part of the breach or impact. But with nearly all the big cyber breaches, the biggest losses are indirect, that is, the cost to recover from the breach as well as the time consumed by the impact on the organisation and the work involved with clients and recovery.
One thing we’re seeing much more of, and likely to for the next few years is lawsuits by shareholders. Particularly out of the US, large shareholder lawsuits are being launched against organisations for not sufficiently investing in cyber. Some of the big breaches have caused CEOs, CFOs, CISOs and others to lose their jobs as well as board directors. The looming issue around this is pending legislation in a number of jurisdictions globally. This is why we must manage cyber as a risk context and get a much better handle on risk exposure. Boards need to do everything they can in an oversight or review capacity to effectively execute their governance role because that is something regulators will look closely at, if and when there is a breach or exposure within their organisations.
The reality of the situation today is that nearly every organisation will go through breaches, and those in Financial Services see potential attacks every single day. These are not what you traditionally think of in terms of people sitting in a garage launching attacks. They are organised crime. They're automated attacks, scanning networks and very sophisticated industrialised organised crime elements looking for opportunities to launch ransomware and other attacks on broad based organisations.
Are we on top of this issue or is the situation getting worse? At best we're maintaining the position, but it's not clear that we're on top of the issue. Organisations that are managing it from a risk context are much better informed around cyber. This means they have a cyber risk appetite; they're using traditional risk management techniques in terms of frameworks, assessment criteria and black swan analysis and applying those to cyber. We should be managing cyber as just another risk. It's an important risk, but it's just another risk. If we get a better handle on how we're assessing the risk, how we're governing the risk, and the frameworks, standards, methods and protocols that we're governing from a board perspective, you will get a much better handle on how the exposure is being assessed and managed. Most particularly, if you've defined a risk appetite and cyber is outside the risk appetite, what actions and role are the executive taking to bring cyber back into the risk appetite?
Cyber is different to other risk categories. It moves more and once you close a certain amount of exposures, others will open up. That's the nature of cyber and what the criminal element is playing into. It’s a constant battle, and you have to have the right frameworks in place, to manage and govern it effectively.
One of the issues making it more complex is that if something is digitally connected, it is hackable. This includes interconnected supply chains in organisations, deploying or digitising networks, the Internet of Things and deploying various technology upgrades. All of these have a business impact but also have a risk element around cyber. We're not saying don't do these things because of the cyber risk. Instead, they need to be approached knowing the cyber risks involved. Are the appropriate protocols and controls to manage that risk in place? How do we know when that risk or exposure is outside of the risk appetite? A lot of organisations today are still very much driven by digital enablement, in terms of getting functionality out there, as we've seen in a big way in the response to COVID-19. We've seen a distributed workforce enabled very quickly, in some ways at the risk of cyber exposure.
Other issues that are driving cyber in the market relate to critical infrastructure sectors, particularly essential services such as water, gas, electricity, everything that runs on SCADA systems (i.e. Operational Technology critical systems). Traditionally these organisations have separated their IT and operational technology (OT) environments. However, these two functions have converged. You've probably seen this play out in the press, but we're seeing automated factories compromised globally, electricity grids brought down, and gas, water, essential services and transport networks being compromised. This is a very big, complex, emerging issue and not only has regulatory and financial impacts, but societal as well. For board directors in these sectors, it's even more important that you have a very strong handle on cyber exposure and how well you are positioned in managing that risk.
Regulators are also becoming more cognisant and aware of the cyber exposure of all organisations. Having spent a lot of time with regulators around the world, they say cyber is the one risk that they're most worried about. One regulator in London last year said they were expecting the next major global impact to be a cyber impact. That's where the regulators are focused, particularly at a country level and on what impact that could have.
One of the questions the market has been asking in the last few years is how do we get a better handle on managing cyber? The past 20 years have focused on qualitative risk analysis or qualitative assessment. In other words, consultants or internal functions have looked at how well cyber is being managed, what the exposures are and where you should invest. It has all been qualitative and based on the experience of those doing the assessment. But if we look at the other risk disciplines, both qualitative and quantitative measures are used to manage risk. That combination will give directors much more contextual and rich data sets to actually make their governance role more effective by providing an empirical assessment.
So what does this mean? In the past, as we said before, it was all qualitative assessment. But if you had it, and this is on slides 10, 11 and 12 for those of you who have the deck in front of you, your organisation can turn the information from the cyber quantification outputs into actionable insights.
You're all directors of large, complex and, for a lot of you, multi-jurisdictional organisations, and cyber is everywhere. How do you know you're investing in the right areas? Going back to those three questions at the start: Am I investing the right amount of money? Am I investing in the right areas? And is my investment reducing my risk?
The most valuable development in the market in the last 12 months is the ability to start assessing cyber from a quantitative assessment. It provides a much richer data set and moves beyond some of the loosely esoteric and motherhood statements that we see go up to boards. For example, if you have a request for an extra $30 million for cyber triage over the next 12 months, you can challenge the executive around whether they have effectively looked at the risk mitigation strategies of that investment, whether they are investing in the right areas, and how the investment demonstrates a material reduction in risk.
It’s a very different dialogue to what happens in a lot of board meetings. If you're talking at board meetings around identity technologies or data protection technologies, it's probably the wrong discussion. It needs to be more around the risk position, exposure, allocation of capital - both investment and regulatory for those in financial services. Using these tools and inputs can help you do two things: being much more informed on the position around cyber and giving you the inputs to allow you to effectively challenge.
And that’s lacking in nearly every board pack. They are rarely fit for purpose. They are not giving the directors the inputs and tools needed to effectively challenge the executive. We hear a lot from directors ‘We get that cyber is a problem. We hear it day in, day out. We just don't know what to do.’ This is firstly because the problem statement is not being effectively defined in organisations. But just as important, directors are not getting the right tools, reporting and metrics. So it's very difficult for them to execute their governance function easily, if they’re not given the right inputs in the first place.
The other question that we hear a lot from boards is ‘what is our benchmark? How exposed are we relative to other organisations?’ It's very difficult to benchmark exactly, but when it comes to cyber you don't want to be the best in cyber in any way, shape, or form. You do not want to be the most secure organisation and you certainly don't want to be the worst. If you're 100% secure in all areas, you would be an incredibly difficult organisation to engage with; you'd be uncompetitive in the market. For example, a bank could make its internet banking 100% secure, but would have no clients, because it would be so difficult to log on that people wouldn't want to bank with them. Cyber is not about being 100% secure; it's knowing where risk is, where your exposure is and being benchmarked to the market. The only organisations that would aim for 100% security would be government and defence functions, not organisations that are concerned with customer engagement.
Organisations often claim they want to be the best in cyber. But in addition to customer enablement and competitiveness it is also incredibly expensive to get there. The three key considerations are: where you are today; where should you be; and where are your peers? As a board director it’s worth asking for an empirical benchmark every 12 months. Cyber moves more than any other risk discipline. You need to stay on top of it to ensure your organisation is moving with the risk elements in the market and maintaining a security posture that's at least commensurate with your peers.
There are not a lot of new elements of cyber under COVID-19, however there have been a lot of re-badged or re-sprayed attacks and a few other contextual challenges have arisen in the market.
First and foremost, we have a distributed workforce at a scale we've never seen before and a lot of people hungry for information. We have employees looking at and reviewing information about COVID-19, and a lot of the attackers hide the attacks in COVID-19 updates, for example in regional maps showing the spread of the disease in suburbs and geographies. They're not new attacks; they're just using COVID-19 as a distribution platform to distribute and re-badge the attacks. In response to these attacks, we need to get much better at informing our distributed workforce to be hyper vigilant in this environment. Employees need to be very clear on what they're clicking on, what they're opening and what to do if they open something that looks like an attack.
One of the other challenges is the use of personal devices and home Wi-Fi. They do not have the same security that the enterprise would normally have, and this is increasingly being exploited by attackers.
Organisations need to take it back to basics for employees. Make sure you have proper passwords, your Wi-Fi network has passwords and security and be hyper vigilant around what you click on or open up. These are very simplistic controls but very effective if deployed at scale.
Some of the sophisticated ransomware attacks we've seen through COVID-19 have been phishing attacks where employees click on an email or open attachments that launch a ransomware attack on the organisation, demanding a ransom to unlock the systems and data. We are regularly seeing boards trying to decide whether to pay the ransom or seek comfort in their back-up systems to recover the data. There are two important considerations here: one is you have to be 100% comfortable around your ability to recover; the second is paying a ransom is often illegal. It's a very difficult decision, and some boards are simply not comfortable with the efficacy of their recovery processes or data, so have no choice but to pay the ransom. Ransoms at the moment are anywhere between the low millions going up to around US$15 million.
By far and away, the biggest trend we're seeing is the accelerated adoption of cloud. It was going fast pre-COVID-19, but has accelerated at pace and will continue to do so. Regulators are particularly focused on resilience: how resilient is your organisation to a cyber attack or pandemic? Cyber threats should not prevent the adoption of new technologies such as cloud. But it needs to be done in the context of appropriately assessing the risk, knowing what data is in the cloud and embedding those controls. And most importantly, if and when there is a breach, how you're made aware of it and how you recover from it are also critical.
The other key element we're seeing play out is expansion of the ecosystem business model. We are seeing more and more interconnection of supply chains with broader sectors to drive efficiency and competitiveness, but a huge risk is cyber. We’ve talked a lot around the complexity of assessing, managing and governing cyber all within the bounds of the organisation that we sit in today. Think of the complexity then that you have interconnected supply chains and people that are connected real-time to your systems, but potentially passing cyber impacts and cyber threats through your network. You have no management control over those other organisations and no governance oversight in most cases. If we look at cyber breaches in a market today, over 50% come through the third-party supply chain. Even if your organisation has done a very good job on cyber, the modus operandi of the attacker is to go for the weakest link. If the weakest link is one of your suppliers, it can embed the attack with them and deploy that attack within your networks. So I encourage directors to challenge your executive on how they’re managing, governing and reporting on third-party supply chain risk.
Insider attacks are those from employees or contractors. History says in every major downturn or where we have reduced staff, there is an increase in employee insider attacks and we have seen it play out globally. We haven't seen it play out in Australia in terms of actual exploits yet, but we do expect it to happen.
The number of insider attacks is far fewer than external. But the impact is greater, because internal employees or contractors know where the crown jewels are, they know where to go and, most importantly, they know how to cover it up. The one area of cyber that a lot of organisations do a very poor job on is identity and access management, what we call privileged access management. Organisations need to be aware of the controls and embed the controls. And the fraud and internal audit functions need to be hyper-vigilant towards any exposures in this area.
A lot of organisations have had to reduce their security controls to enable a remote workforce. Few organisations were ready to go to a broad-based, COVID-19-scale remote workforce, so that required licences to be bought, systems to be stood up and processes to be stepped around. That means exposure has gone up, and so the key focus is getting back to the basics. Wherever we've stepped down, step it back up. The reality is few organisations are ready to do it, and their security posture around the way they manage cyber will be compromised. A lot of security functions are aware of this, in fact worried about it. They've just been chasing their tail for the last eight weeks, trying to actually facilitate the remote workforce and hoping they don't have breaches.
There are some standards out of the US that cover both IT and OT. Part of the problem is there's different standards and different directions in which these benchmarks and standards are going. I encourage people to look at NIST more than anything. It's becoming almost the de facto standard globally. It started out as a US standard, but it's been picked up globally and rolled out across all sectors. It allows you to both assess your IT exposure and your relative OT exposure, but also allows you to do empirical measurement across your industry and geographies as well.
Being prepared for a cyber breach is probably the area of least cost that will have the most impact on your organisation. That involves being very clear around your response model, who’s in charge and who reports. People think this is just a technology issue, but it’s regulatory, media relations, investor relations and legal as well.
Boards have been trying to take a position on ransomware, but they struggle with the issue because each ransomware attack is different and the disclosure is dependent on the data breach notification regulations. It also depends on how confident the board is on the organisation being able to recover without paying a ransom. They actually have to make the decision there and then with the organisation under attack. Do you pay the ransom?
I would encourage boards to go through a cyber scenario, look at the whole issue around ransom and challenge management to give the board comfort that the ability to recover without paying a ransom is in place and you have the ability to do appropriate testing and recovery of the backup processes. This gives the board a clearer position that if they do have an attack, they don’t have to take that decision to pay ransom.
We've seen state-based actors, primarily from North Asia and Eastern Europe, not looking for financial gain, but looking to data mine organisations. They're looking at IP, R&D, geotechnical plans, competitiveness and opportunities to compromise your market position. These attacks are the most mature in the market. Most often, when we go into an organisation to assess, the attackers are already in the organisation. These are not the sort of exploits that are quickly exposed and end up in the press. They will often sit there for months and years. We've seen it publicly play out with the Australian Parliament and with the ANU in terms of the Chinese government threat. China probably represents the biggest risk in this area, in terms of both compromise and maturity around state-based compromises. It's not nearly as prevalent. It's not nearly as seen and definitely not nearly as spoken about, but the intelligence agencies are very active in this area.
Part of the problem is they are approached as a security exploit rather than a risk area. If you look at it from a broad based security potential vulnerability, it is too big, complex and wide, and you end up with unwieldy information. Some organisations look at it from a crown jewels approach. What are those critical assets that if compromised will cause the most reputational, financial, or regulatory impact? Look at the vulnerability within those assets rather than trying to boil the whole ocean.
The last part of that is around the third-party supply chain. In the past, people have been sent out to do site audits and reviews once a year or every six months. If you're going to do it at that personnel level by sending people onsite, you'll never manage it appropriately. There are some very good emerging technologies, particularly in the US now, that do real-time, ongoing assessment at a data level. If you're managing it in real time, ingesting that data and doing proper data analytics, you will get a much better vulnerability position.
Most boards we talk to have taken cyber insurance, in part because they see it as part of their protection, but there are a few points to consider. Insurance companies are not stupid; they're not going to sign up to an open chequebook in terms of paying out premiums, so know what you're buying. Those companies that do good due diligence up front, assess the risk properly and have a very cooperative agreement with the insurance company tend to manage it very well. Those that just sign up loosely and think they've got cyber insurance find the insurance company just turns around and says no, it's not covered. There is an interesting case in the US courts at the moment over a $100 million claim for a cyber breach. The insurance company declined the claim because it was deemed to be an act of war, because it was a nation-state attack. I still think it can be very valuable, but I wouldn't buy an enterprise insurance policy. I'd look at those areas of greatest risk and make sure they are protected the most, rather than just trying to buy everything, because it's too expensive and you probably won't be covered.
In terms of claims in Australia, they tend to pay out just the cost of the actual breach. But the bigger expense is the cost of recovery, the cost of getting consultants, legal firms, PR firms going through the whole customer management process as well, that can go for years. And if you look at Equifax out of the US, their breach so far as publicly stated has cost US$2.2 billion, the initial breach only cost them US$200 million. Target was a US$600 million breach in the US. Their insurance policy was capped at $100 million. You might say up front, $100 million sounds pretty good but again it comes back to knowing what you’re buying. Make sure any policy covers regulatory sanctions, recovery of breach as well as direct costs incurred by the breach.
It gets bumped around the risk committee and the tech committee for those boards that have one, and we are seeing those increasingly. It's become more important in the last two years as organisations have looked at Agile. From a security perspective, Agile makes penetration testing and other controls less effective, because they simply can't be done as much as they were in the past. There are some good tools now in terms of DevSecOps.
So how do organisations build in the whole security and control function from a life cycle view of development, rather than do it just before the new application or product is released? How do they embed it from the start and train people to instil those controls? That's where a lot of organisations are focused today. This has represented a new risk for a lot of organisations which have spent a lot of money on penetration testing and other controls that don't do a good job of fixing the problems that they have identified. They just move onto the next one. The inherent and basic controls and fixing the basics just doesn't get done.
There are always new technologies with Silicon Valley, Israel and other spots putting a lot of money into developing new tools and capabilities. But that’s just part of the solution and sometimes the more tools we deploy, the more complex the environment becomes. And sometimes when we're trying to manage more technologies, hackers find a way through the gaps. So sometimes simplicity is better.
The one emerging capability that's probably the most interesting is ‘fusion’. It's been driven by financial services and puts data, cyber, fraud, intelligence, physical security and logical security all together, managing it as one dataset. In most organisations, all these areas are managed separately, but at the end of the day they're still looking at the same data and just asking different questions. So the more mature organisations are managing cyber from a data angle and doing proper analytics, which allows them to be more predictive. Cyber is half art and half science. The more we can get to predictive analytics and behaviour-based analytics, the more successful we will be in managing cyber. It's not so much around tools; it's more about data.
We nearly always see Financial Services lead the market from a standards base. I think 234 is actually driving adoption. One of the critical areas of 234 is around third-party supply chain risks, which we spoke around before. It’s putting the onus on financial services organisations to both know their supply chain and manage it much better. And we expect that to be rolled out broader, initially, across other regulated industries and then broader across the market from there.