Time For A Wake-Up Call On IT Risk

by Laura J. Finn
Corporate Board Member
Third Quarter 2014

It’s no surprise—cybercrime is on the rise. The State of the Internet Report says 95% of existing networks have already been compromised, and more and more companies are waking up to the fact that breaches occur all the time, even if they haven’t been detected yet. Hacking, once a quaint endeavor, has gone from “ponytailed, tattooed, tie-dyed guys working out of their mom’s basement” to sophisticated professionals and nation-states that are disciplined, focused, and have plenty of resources, said Fred Rica, principal, KPMG, one of the speakers at NYSE Governance Services’ recent Cyber Risks in the Boardroom conference. Rica discussed the evolution of cybercrime from the days of stealing AOL CDs to today, when both the U.S. government and private businesses are under daily attack.

And yet, while statistics on known breaches and attacks are growing, the reality is likely worse, according to speakers at the conference. “The severity of real attacks is probably being underreported,” explained Sam Visner, vice president, Global Cybersecurity, CSC, an IT services company. Visner said it usually takes about 18 months until severe attacks are identified—if they are identified at all. As a result of these trends, cyber risk issues have become top of mind for boards, executives, and legal counsel (see related cover story, page 18). A 2014 NYSE Governance Services/FTI Consulting research study found that 74% of directors said they are concerned or extremely concerned about data security.

To respond to this general uptick in awareness, the conference offered attendees sound advice on proactive protection as well as how to outline a threat awareness program. The conference also featured presentations on such topics as leveraging cloud solutions; responding to insider threats; managing a post-fraud investigation; identifying cyber threats in real time; and understanding security throughout the supply chain.

Rica pointed out that the genesis of most attacks isn’t a breach, but rather bad human behavior. Therefore, he said, training employees is extremely valuable and can go a long way in protecting a network. For the board specifically, he said, understanding which data assets are absolutely the most valuable is crucial.

Third-party risk was also covered. Cathy Allen, board member at Synovus Financial Corp. and Stewart Information Services, discussed the importance of knowing your primary, secondary, and tertiary vendors, since many breaches have their genesis through these types of outside parties.

Responding to the question of how board members should start to address these issues, Aaron Levie, CEO of Box Inc., an enterprise cloud company, said one way to go about it would be to step back and evaluate how the company’s business and strategies have changed in recent years.

“Try and identify how much the business has changed from a technological standpoint in a five- or ten-year period,” he suggested. “For example, many of our customers have noted that their first-use cases center on enabling mobile data technology to field workers, or remote offices, etc. That wasn’t something that the IT or compliance team managed even just three or five years ago.”

SEC Commissioner Luis A. Aguilar keynoted the event, telling the audience that board members need to assume greater responsibility for cyber risk. One way to accomplish that, he suggested, is by setting up a separate risk committee.

“Beyond the unacceptable damage to consumers, the secondary effects [of a breach] include reputational harm, which significantly impacts the company’s bottom line,” Aguilar stated. Therefore, he said, “it’s the board’s [responsibility] to keep the public’s interest in mind, as well as the [interest of the] company and the shareholders.”

Aguilar emphasized that these issues must be dealt with at the board level to ensure shareholder assets are protected: “The capital markets are under a continuous and serious threat of cyber attack. This threat cannot be ignored.” He summed up his presentation by encouraging board members to remain active, informed, and independent; to stay involved in the interest of shareholders; to be able to adapt to new circumstances; and to remain serious about their obligations.

“Corporate governance, done properly, results in the protection of shareholder assets,” Aguilar concluded. “Fortunately, many boards take on this difficult and challenging role and perform it well.” For boards that haven’t yet stepped up their oversight, however, he cautioned “there is no substitution for proper preparation, proper deliberation, and properly engaging on cyber security issues.”