Calculating your security spending through digital risk management
Cyberattacks on businesses are now weekly news, with data breaches announced regularly. Until recently, however, many corporate executives did not understand, or did not share, the view that digital risk needs to be addressed at Board level. The Board's role in understanding and monitoring digital and cyber risk has been highlighted by a multitude of lawsuits alleging that Boards were asleep at the switch in the face of a known danger.
Executives and Boards at all companies, especially public companies, face mounting pressure to consider what a worst-case cyber event would look like and how that event would be handled. What corporate governance structures would kick in? What will the legal fallout be, whether it is privacy litigation, shareholder suits or criminal investigations?
To fully grasp the magnitude of such risk, Boards must address specific questions and implement effective policies that protect their customers, their organisations and themselves. In some states and countries, Board members may be personally liable for cybersecurity gaps, and experts foresee that personal liability will only expand.
Board members are responsible for ensuring the corporation is managed in the shareholders' best interest, which includes the following:
# Fiduciary duties of directors and officers regarding digital risk and cybersecurity
Most officers and directors understand that they must act on an informed basis, in good faith, and in the company's best interests. Proper preparedness and risk management are critical to insulating officers and directors from liability. Boards must meet regularly to analyse cyber risks and agree on plans of action.
If appropriate, create a committee to review cyber issues and investigate data incidents and breaches. Boards must implement a risk management programme and a monitoring plan, test the programme to ensure compliance, and investigate possible violations.
# How officers and directors should discharge their digital risk fiduciary duties
Digital risk management programmes must have the right technologies in place to identify where risks can have the most impact on the business and brand. Companies should have policies in place that detail the expected response to incidents and should verify that the corresponding system controls are actually in place.
A prepared team is needed, equipped with the tools and ability to take immediate action when problems arise, and with the authority to monitor and test for potential threats both internally and externally. Cyber incidents affect multiple levels of an organisation and multiple departments, including legal, IT, risk, insurance, human resources, marketing, and public relations.
These departments should be tasked with providing input in addition to that of board members and management. The companies best prepared to prevent and respond to cyberattacks recognise that this multifaceted preparedness is an ongoing cycle, and not simply a one-time list of tasks to complete.
To demonstrate that a Board has properly discharged its duties, it must work with management to ensure that the right teams have organised plans to prevent and respond to breaches. This means a company must continually assess cyber risk trends and threats. Just because nothing appears to be happening on a daily, weekly, monthly or annual basis does not mean an incident will not occur.
The business judgment rule is a legal principle that protects officers, directors, managers and other agents of a corporation from liability for losses resulting from business decisions that were within their authority to make, provided there is sufficient evidence that those decisions were made in good faith and on an informed basis.
To preserve protection under the business judgment rule, it is wise to schedule regular presentations to the pertinent committees that provide updates on trends and threats and confirm that your IT security practices are up to date.
# Investing in a digital risk framework
Companies struggle to determine how much to spend on IT security, an investment many liken to insurance: no one wants to pay more than they have to. If you are a public company, spend the money to protect the business. You can no longer afford to penny-pinch; the liabilities, penalties and litigation costs are significant. Companies spend an average of 6-7% of their IT budget on security technology, outside services and staff.
How much an organisation invests in IT security depends on a range of criteria. Companies that are consumer-facing, have a large attack surface, a recognised brand, highly guarded intellectual property, or compliance obligations under industry regulations and government legislation tend to outspend their peers.
The reality is that organisations of all types have experienced security breaches. A misplaced belief in security by obscurity persists among organisations with lesser-known brands, a smaller attack surface, and less stringent industry regulation. The situation has changed substantially in the last two to three years: with so many state actors and well-funded cybercrime organisations operating globally, IT security costs are rising rapidly.
The right answer does not start with a dollar figure; instead, companies should work through a digital risk management process. As a publicly listed company, you can no longer take an ad hoc approach, basing budgeting decisions on trial and error or reacting to problems as they arise, rather than proactively adopting a security framework.
This process is monitored and repeated over time. It covers both internal networks and the external environment, where your assets may have leaked through malicious action or may be lying unintentionally in the open, and the shortcomings it uncovers are addressed as they are found.
This simple yet time-consuming process is undertaken not only by large public companies but also by midmarket and small businesses, which face the same cyber risks but typically with fewer IT security resources.
With cybercrime advancing at unprecedented levels, companies must proactively implement a security risk management framework, build internal capability, hire or outsource security professionals commensurate with their risk, train all employees in security awareness, and maintain a real-time incident response playbook that balances digital threat intelligence with risk mitigation.
Board members can no longer avoid discussing their organisation's security profile, or they risk being shown to be negligent in the face of future threats, says Rob Theis at Digital Shadows.