There’s an interesting article in the Harvard Law School Forum on Corporate Governance and Financial Regulation. What the Capital One Hack Means for Boards of Directors offers insights that merit the attention of risk, cyber, audit, and governance practitioners.
Much of the article is useful background information for board members, in particular the discussion on how hackers penetrate third parties (or fourth parties) as a way of gaining access to your network and its systems and data.
Here are some other interesting comments:
- …vendors, partners, business associates, and other third parties whose outsourced operations become integrated within a company, can pose a challenging and existential cybersecurity threat to operations. Yet despite increased regulatory scrutiny; growing virtual threats at a global, national and state level; and a riskier business environment, most experts would attest that the relative maturity level of vendor risk management programs is still lacking.
- …digital interconnectivity between vendor and customer creates an inherent risk as cybersecurity shortcomings of third-party vendors have become the go-to attack vector for cybercriminals. In fact, PwC reports that 63% of all cyber-attacks could be traced either directly or indirectly to third parties.
- Given the explosive growth of outsourced technology services and the increasingly intimate cyber-integration and relationship of companies and third-party vendors, boards need to monitor and challenge their third-party exposure and ensure the proper implementation of safeguards and processes to reduce their vulnerability.
- …cybersecurity engagement for boards does not mean that board members must obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts.
The article focuses almost exclusively on breaches that result from weaknesses outside the enterprise network and its defenses. That is a limitation that should not be overlooked: there is much more to cyber risk.
But my main problem with the piece is that it asks too much of directors.
The board should not be asking all these (excellent) questions. It should be demanding that management have the answers.
It is not the role of the board to run the organization, or to understand and then address all its business risks – including cyber.
It is the role of the board to ensure management is doing all of that well.
- The board should obtain assurance that management is capable of running the organization to achieve its objectives. That includes addressing cyber and other sources of risk.
- Management should ensure it has the answers to the questions in the article.
- The CISO, Risk Management, and Internal Audit can use the questions in the article for their own practices.
- Internal Audit should consider cyber risk in its planning and, where it is a serious source of risk, provide an objective assessment of the maturity of cyber prevention, detection, and response processes and controls.
I welcome your comments.