It has taken a while for companies to realize the value of digital assets, and it is also taking a while for companies to digest the significance of digital risks. In the digital economy, virtually all aspects of business rely to some degree on computer technology, records, networks, and service providers.
In the reality of business today, cyber risk goes to the heart of things and is much more than just the concern of Information Technology or Compliance. As stated in the Cybersecurity Questions for CEOs document published by the Department of Homeland Security’s United States Computer Emergency Readiness Team (“US-CERT”):
Cyber threats constantly evolve with increasing intensity and complexity. The ability to achieve mission objectives and deliver business functions is increasingly reliant on information systems and the Internet, resulting in increased cyber risks that could cause severe disruption to a company’s business functions or operational supply chain, impact reputation, or compromise sensitive customer data and intellectual property.
Cyber risks cover the full spectrum, including litigation, regulatory, reputational, business interruption, financial, intellectual property, and tangible and intangible asset protection concerns. Moreover, cyber attacks are pervasive and cannot realistically be avoided entirely, so it is as important for companies to be ready as it is for companies to be secure. Indeed, three of the five core threat-addressing functions set forth in the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity – Identify, Protect, Detect, Respond, Recover – exist precisely because cyber attacks are expected to occur: Detect, Respond, and Recover only come into play once an attack is underway or has already succeeded.
Cyber risk governance involves meaningful engagement of the Board and executive leadership within a framework that facilitates relevant input, strategy formulation, and decision making. Relevant input includes risk identification and assessment, but must also include reports from an appropriate oversight team, which, again, should consist of more than IT. As the US-CERT guidance for CEOs aptly states further:
Cybersecurity is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cybersecurity risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cybersecurity risk throughout the enterprise.
Primary areas of concern will vary for different organizations. Resource constraints will almost always require that initiatives be prioritized and undertaken in sequence over a period of time. For almost any business, “hot” topics are likely to include business continuity, oversight of service providers, cyber insurance, incident response preparedness, and information sharing.
Although much more remains to be said and done in this area, it seems inevitable that prudent cyber risk governance and management will eventually be taken as seriously as prudent governance and management of fiscal affairs.