Cybersecurity isn’t a static outcome or a product you can buy. It’s an ongoing process. Establishing this process within an organisation requires a paradigm shift at board level. These days, cyber risks are an integral component of business risks, and can’t just be delegated to IT. This means taking holistic responsibility even for threats that are unknown, that you don’t see coming or that you may not fully understand. For this to happen, it’s good to have the mediating skills of a chief information security officer, CISO for short, to translate technical cyber risks and threats into the language of money, impact and reputation – the language of business.
Cybersecurity is one of the emerging key issues facing businesses. In PwC’s Global Economic Crime and Fraud Survey 2018, 44 per cent of Swiss companies polled said they had already been victims of crime in cyberspace. Given that there’s no duty to report such incidents in Switzerland, the real figure is much higher. Incidents of this sort can lead to enormous direct and indirect costs, and even jeopardise a company’s existence.
Strategically relevant for many reasons
Security risks related to IT and electronic data can assume business-critical proportions. This means cybersecurity belongs on the board and management agenda, no ifs or buts. There are various reasons for the urgency:
- Swiss Code of Obligations (CO): In Switzerland, the board of directors’ control and oversight duties are laid down in the Code of Obligations, according to which the board’s non-transferable and inalienable duties include the overall management of the company, determining the company’s organisation and appointing the people who manage the company.
- Swiss Code of Best Practice for Corporate Governance: The code of practice issued by economiesuisse contains recommendations to the board as to how to set up its corporate governance. This encompasses all the principles aimed at safeguarding the company’s interests on a sustainable basis, and guaranteeing transparency and a healthy balance of management and control.
- EU’s General Data Protection Regulation (GDPR): The newly revised data protection rules stipulate a duty to report infringements, and provide for fines of up to EUR 20 million or 4% of annual global sales in the event of a violation.
- Swiss Data Protection Act (FADP): The revision of the FADP is being done in stages, and is not yet complete. We expect the new law to adopt most of the provisions of the GDPR.
- Industry-specific regulation: Most industries, including pharma, healthcare, financial services and insurance, are subject to additional regulations of their own. These regulatory frameworks are also designed to ensure adequate protection for corporate data and IT security. Added to this, various professional groups such as doctors, lawyers and pharmacists have their own confidentiality requirements (art. 321 of the Swiss Criminal Code), meaning that everyone, including technical and auxiliary staff, has to keep data entrusted by customers secret.
- Financial necessity: The direct and indirect financial consequences of cyberattacks can hit a company hard, and range from stolen trade secrets and customer data to heavy fines, the loss of the licence to operate, or even bankruptcy. Prominent examples, both nationally and internationally, have been making headlines for some time.
- Protecting reputation: Damage to a company’s image as a result of a cyberattack can have lasting repercussions, with disappointed stakeholder expectations and broken customer trust posing an existential threat.
Regulated industries such as banking and insurance have to meet tighter compliance requirements and treat IT and data security as a matter of strategic priority. Any retail bank without a functioning, secure e-banking platform, for example, would have to close down. Industries such as manufacturing and healthcare, by contrast, lag far behind in terms of the seriousness attached to cybersecurity. Not only that, but companies have been getting gradually more dependent on IT and electronic data without a corresponding increase in their awareness of this dependence. In many organisations, cybersecurity is still located within IT and not sufficiently rooted in the board or management, who have no clear view of the sheer costs involved.
Demands of a new dimension
Cybersecurity confronts managers with a whole new kind of challenge. First of all, it’s incredibly complex because technological change is so rapid and interconnected. Secondly, conventional ways of thinking and acting simply aren’t up to dealing with cyber risks. They pose a threat that neither appears on the radar of traditional strategic planning tools nor develops according to the familiar rules. In the past, a technical problem would bring a whole production facility to a standstill. Now everything appears to carry on as usual, even while an attacker is busy invading systems, hijacking identities or trawling the company’s network for precious data. Thirdly, the board of directors often lacks the necessary vision to grasp the full magnitude of cyber risks. Fourthly, most IT security budgets are geared to the steadily declining costs of IT rather than to the growing value of the electronic data that is supposed to be protected.
The board and management can no longer rely on their experience of dealing with risks, their nose for a crisis or their industry knowledge. They therefore need a trustworthy intermediary who understands the different perspectives of IT, cybersecurity and the business, and can serve as their go-between. Usually this is the job of the CISO. The chief information security officer regularly appears before the board of directors to report on security-relevant issues and the current situation, and must demand the corresponding measures and priorities at the highest level – to protect data, not IT hardware and software.
Responsibility with an all-round view
The board of directors can neither abdicate nor delegate its strategic responsibility for the all-round security of the company. There is therefore only one option: to act far-sightedly. There are different facets to this approach:
- Enterprise risk management: In its regular review of the risks, the board must take in threats from cyberspace as well as market and financial risks. Cyber threats have to be identified, translated and understood in terms of their business-relevant, financial impact. This requires a heightened awareness of issues related to cyber risk. What happens, for example, if your R&D data are hacked and another company is first to market with the innovation? What happens if customer data are compromised?
- Knowledge of compliance requirements: The board of directors must be familiar with all the laws and industry-specific regulations that apply to the company. This is the only way of knowing the minimum requirements that have to be met and what kinds of risks and consequences legal infringements can entail. Clarity on these matters helps give a realistic picture of the threat landscape and an idea of where internal rules are needed to ensure compliance with the regulatory requirements within the organisation.
- Security strategy: Organisations need a uniform approach to dealing with security risks that can be applied to all the material risks. This can be formulated from the top down on the basis of strategy and translated into a system of controls. A security strategy defines how cyber risks are identified and mitigated in line with the board’s risk appetite. Cybersecurity is also embedded in the security strategy, with definitions of the relevant roles and responsibilities and an approach to protecting IT and electronic data both proactively and reactively. Cybersecurity is never an end in itself. It must protect and support the business as a whole, enabling innovation and expansion into new fields of business.
- Security architecture: A company’s system of internal controls contains technical and organisational rules designed to ensure compliance with guidelines and prevent damage brought about by the company’s own staff or attackers from outside. Quality management systems, for their part, assure the quality of processes and services, for example in healthcare. There are numerous frameworks defining how to handle business risks. The board of directors must see to it that these rules and control mechanisms complement each other, are harmonised, and are enhanced with the dimension of cybersecurity within a uniform framework.
Any board of directors that hasn’t yet engaged sufficiently with the issue of cybersecurity had better do so soon. It’s a good idea to proceed systematically:
1. Make aware
It used to be widely believed that you could build walls to protect yourself from threats. In the cyberworld that means firewalls, encryption and perimeter security. Nowadays, we’ve realised that these measures alone aren’t enough. A board has to accept the fact that you – and not just your competitors – can be attacked and hacked from cyberspace. This means defining your risk appetite and making arrangements for detecting and responding to attacks as well as remedying potential damage. To do so, you have to create transparency on what electronic data within the organisation require enhanced protection, and what the impact would be if these data were stolen, falsified or no longer accessible.
2. Clarify governance and ensure a control framework is in place
It’s a good idea for the board of directors to ask the following questions and assign the management the responsibility for defining the corresponding measures:
- What type of data do we have, and what protection do they require?
- What legal and regulatory requirements apply?
- What risks exist, how likely are they to occur, and what impact would they have on our organisation?
- How do we mitigate these risks and protect ourselves from them?
- How do we identify cyberattacks in a timely manner and respond when they occur?
- How do we remedy any damage systematically and keep our business running in the event of a severe incident?
3. Integrate management and control functions
The following checklist will help the board work out whether cybersecurity is sufficiently established in the system of internal controls.
1. IT security and data governance
- Key roles such as CISO, compliance officer, data owner and enterprise risk manager are defined
- Process descriptions and guidelines for IT users include instructions for adequately protecting data
- A security policy exists with the relevant organisational and technical measures
- The effectiveness of technical and organisational controls is regularly assessed
2. Sensitive electronic data
- Electronic (e.g. personal and company) data are categorised and classified in terms of their need for protection (confidentiality, integrity and availability)
- A minimum standard has been established for the protection of electronic data
3. Significant cyber risks
- Threat scenarios (around 10 to 15) for electronic data and IT infrastructure have been developed
- Cyber risks have been identified and evaluated
- An interface has been established to enterprise risk management
4. Protective measures
- Security guidelines (Internet use policy, email use policy, etc.) have been introduced and are monitored
- Technical protective measures have been defined to ensure that identified risks are limited to an acceptable level and electronic data are processed in compliance with the rules
- An IT security organisation has been set up to run and monitor the technical controls or oversee an outside provider
- A decision has been made on what security services will be built in-house and what will be sourced from an external provider
5. Unauthorised data leakage and cyberattacks
- Attacks and unauthorised data leakage are recognised and responded to rapidly
- Security incidents are responded to and escalated when necessary, and crises are managed
- Business continuity planning is in place and resilience to cyberattacks has been built up
- The board of directors is regularly informed about matters related to cybersecurity
External audit: beware a false sense of security
Companies and stakeholders generally assume that an audit without negative findings is tantamount to 100% security. The fact is, however, that the auditor only gives an opinion on whether the financial statements are correct, complete and legally compliant – not on the level of security that has been achieved or the company’s resilience to cyber threats. This means that financial reports are not an adequate basis for decisions on cybersecurity. There’s also the question of whether the company makes sufficient provisions for cyber risks in its financial statements.
The fact that IT now penetrates and connects practically all the areas of an organisation creates new potential, but increasing digitalisation also gives rise to new threats that have to be identified and responded to rapidly and systematically.
The particular risk of concerted cyberattacks on the IT landscape and electronic data means that companies have to broaden the way they think about security and adopt new measures that include the entire lifecycle of valuable electronic data – wherever they are, at rest, in motion and in use.
Security is a matter for the board: digital transformation and the role of cybersecurity have to be initiated and supported by the management and be made an integral part of strategy and decision-making.