The growing need for cyber resilience
Friday, January 12, 2018
Cyber risk, cyber crime and headline-grabbing cyber attacks (Equifax being just one recent example) are never far from the news, and companies of every size, in every country, are exposed. It is perhaps stating the obvious that businesses and livelihoods are under threat whenever cyber resilience fails.
What was previously often seen as simply an IT issue has become a key issue for all control functions in firms. Accountants and auditors are not expected to become technology experts overnight, but they do need to ensure that cyber risks are effectively identified, managed, mitigated, monitored and reported on within their firm's corporate governance framework. For some, cyber risk may be well outside their comfort zone; it nevertheless needs to be considered, and there is evidence that simple steps, implemented rigorously, go a long way towards protecting a firm and its customers.
The 2016 Verizon Data Breach Investigations Report analysed 2,260 data breaches and 64,199 security incidents from 61 countries. It found that just ten vulnerabilities accounted for 85 percent of successful breaches. The vast majority of the vulnerabilities exploited were not only well known but had fixes available at the time of the attack; some of the attacks used vulnerabilities for which a fix had been available for over a decade. The practical lesson is that the weakness rarely lay in an unknown flaw, but in a known fix that had not been applied.
In October 2017 the Financial Stability Board (which operates under the aegis of the G20) reported on a workshop on cybersecurity held between public and private sector participants which noted that 'effective cybersecurity requires a strategic, forward looking, fluid and proactive approach. They noted that it is not sufficient to simply look to past incidents and known risks, but that one must evaluate potential future threats. At the same time, participants stated that up to 90 percent of threats can be mitigated by basic cybersecurity hygiene.'
There are some basic measures for firms to consider, and which firms can expect to attract increasing regulatory and senior management interest:
- What information needs protecting? Risk, compliance and IT control infrastructures can only be designed to protect the processes and assets that are known. Everything from customer data to operational networks, use of the cloud, systems (outsourced as well as in-house), links to payment infrastructures and exchanges, and the levels of user access to information needs to be mapped and included in the governance infrastructure. Care should be taken to include manual workarounds, often a legacy of acquired businesses that have not yet been integrated. The process may be manual, and therefore not 'cyber' in itself, but the human factor may well be the entry point into the firm's wider systems.
- What are the risks to your information and how much risk are you willing to accept? Many firms are used to the concept of a risk appetite, which should, as a matter of course, be extended to all information assets. It is key that all assessments keep pace with technological change.
- What measures are needed? Governance, management information and reporting are not one-size-fits-all and must reflect the precise nature and activities of the relevant firm. A number of bodies have produced lists of precautionary measures, which can be summarised as follows:
  - Information risk management regime: establish an effective governance structure and determine your risk appetite, maintain the board's engagement with cyber risk and produce supporting information risk management policies
  - Home and mobile working: develop a mobile working policy and train staff to adhere to it, apply the secure baseline build to all devices and protect data both in transit and at rest
  - User education and awareness: produce user security policies covering the acceptable and secure use of the firm's systems, establish a staff training programme and maintain user awareness of cyber risks
  - Incident management: establish an incident response and disaster recovery capability, produce and critically test incident management plans and, where needed, include them in recovery and resolution planning or living wills
  - Managing user privileges: establish account management processes, monitor user activity, control access to activity and audit logs and ensure robust removal of access as part of any leaving process
  - Removable media controls: develop and implement a policy to control all access to removable media
  - Monitoring: establish a robust monitoring programme, using external expertise where needed, for example by engaging penetration testers (ethical hackers) to test firewalls and other access controls
  - Secure configuration: ensure that security patches are applied in a timely manner and that the secure configuration of all relevant systems is maintained and evidenced
  - Malware protection: establish and maintain robust anti-malware defences and ensure continuous scanning for malware across the firm
  - Network security: protect networks against external and internal attack, manage the network perimeter and regularly monitor and test all security controls
- Do security measures work? A fundamental part of cyber resilience is testing that the measures in place actually work. Whilst the testing itself is not necessarily a task for the accountants, they do need to ensure that the effectiveness of, and adherence to, the control infrastructure is robustly tested and that any gaps or issues are followed up. As has been shown numerous times with physical disaster recovery plans, controls can look fine on paper yet fail to work as designed in practice. Firms also need to consider what they would do if the worst occurred and they became the victim of a full-blown cyber attack. Carefully thought-through and tested incident management and contingency plans need to be agreed in advance at the highest levels of the firm, including communication protocols (to media, regulators and customers as well as other stakeholders) and the authority levels needed to invoke disaster or recovery plans (such as switching operations to a secure back-up site). An inherent part of testing whether planned security measures work is the follow-up investigation to assess any attack and the lessons to be learned.
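As an added example (not part of the original article), the following Python script shows how the 'managing user privileges' step and the 'do security measures work?' point above can be evidenced rather than merely asserted: it reconciles a leavers feed from HR against a directory export and flags accounts that are still enabled after a grace period, or that were used after the leaving date. The CSV layouts, the one-day grace period and the sample records are all constructed assumptions for illustration, not data from any real firm.

```python
"""Leaver-access reconciliation: a control test for the 'managing user
privileges' step.  Example added by the editor; the data formats below are
hypothetical and the records are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample: leavers feed from HR (hypothetical column layout).
HR_LEAVERS_CSV = """\
employee_id,username,leave_date
1001,alice,2018-01-05
1002,bob,2017-12-15
1003,carol,2017-11-30
1004,erin,2018-01-11
"""

# Constructed sample: directory export of user accounts (hypothetical layout).
DIRECTORY_CSV = """\
username,enabled,last_logon
alice,true,2018-01-04
bob,true,2017-12-20
carol,false,2017-11-29
dave,true,2018-01-10
erin,true,2018-01-10
"""

# Assumed policy: access must be removed within one day of leaving.
GRACE = timedelta(days=1)


@dataclass
class Finding:
    username: str
    issue: str
    detail: str


def _parse_date(text: str) -> date:
    return datetime.strptime(text, "%Y-%m-%d").date()


def _load_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, dir_csv: str, as_of: str) -> list:
    """Return findings for leavers whose access was not removed as the
    policy requires.  Two checks: the account is still enabled once the
    grace period has passed, and the account was used after the leave date
    (the stronger evidence that the control failed in practice)."""
    check_date = _parse_date(as_of)
    leavers = {r["username"]: _parse_date(r["leave_date"]) for r in _load_csv(hr_csv)}
    accounts = {r["username"]: r for r in _load_csv(dir_csv)}
    findings = []
    for user, left in leavers.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # account already deleted: nothing to flag
        if acct["enabled"].lower() == "true" and check_date > left + GRACE:
            findings.append(Finding(user, "ENABLED_AFTER_LEAVE",
                                    f"left {left}, still enabled on {check_date}"))
        last = _parse_date(acct["last_logon"])
        if last > left:
            findings.append(Finding(user, "LOGON_AFTER_LEAVE",
                                    f"left {left}, last logon {last}"))
    return findings


def control_passes(findings: list) -> bool:
    """The control is evidenced as effective only when there are no findings."""
    return len(findings) == 0


if __name__ == "__main__":
    results = reconcile(HR_LEAVERS_CSV, DIRECTORY_CSV, "2018-01-12")
    for f in results:
        print(f"{f.username}: {f.issue} ({f.detail})")
    print("control passes" if control_passes(results) else "control FAILED")
```

In the constructed sample, alice and bob are still enabled well past the grace period, and bob's account was used five days after leaving, which is the finding an auditor should care about most: the leaving process existed on paper but did not remove access in practice. erin left yesterday and is still within the grace period, so is correctly not flagged. In real use the two inputs would be exported from the HR system and the directory, and the script would be run (and its output retained) on a fixed schedule as evidence for the control.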
Cyber security has hit the headlines around the world, with numerous big-name firms targeted and millions of customers potentially affected. In the UK the need to manage cyber risks has been heightened further by the European General Data Protection Regulation (GDPR), which comes into effect in May 2018. Any lack of cyber resilience which compromises personal data may well be a breach of the GDPR.
"Those organizations which thrive in the changing environment will be the ones that look at the handling of personal information with a mindset that appreciates what citizens and consumers want and expect. That means moving away from looking at data protection as a tick box compliance exercise, to making a commitment to manage data sensitively and ethically. When you commit, compliance will follow."
Speech by Elizabeth Denham, the UK Information Commissioner, at the Institute of Directors Digital Summit on October 17, 2017.
The implementation of the GDPR has myriad ramifications, not least the reinforced recognition of the importance of safeguarding personal data. The GDPR applies to the processing of the personal data of individuals in the EU no matter where in the world the business is located; it has enhanced requirements regarding consent, enshrines a 'right to be forgotten' and introduces substantially higher penalties for breaches, with fines of up to the higher of 20 million euros or 4 percent of a firm's global annual turnover. GDPR is one of the few pieces of EU legislation which will be unaffected by Brexit, the UK having already stated its commitment to the new approach to data protection.
As expectations focus on the need for consistently good customer outcomes, delivered by firms with strong compliance cultures and a robust approach to conduct risk, cyber risks have rapidly arrived on firms' risk radars. All the control functions need to ensure that cyber risks are expressly included in the range of risks considered by firms, and that the board is prepared to discuss the actions taken to ensure that all reasonable steps have been taken to embed cyber resilience throughout the firm.
Susannah Hammond is senior regulatory intelligence expert for Thomson Reuters with more than 25 years of wide-ranging compliance, regulatory and risk experience in international and UK financial services.
For further information on Thomson Reuters Risk Management Solutions please visit: https://risk.thomsonreuters.com/en.html