Cyber Risk Management: No More Quiet Backrooms


By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice




Last month, in New York City, Protiviti hosted a gathering of scores of financial service industry representatives to discuss the recently enacted New York Department of Financial Services’ (DFS) Part 500, Cybersecurity Requirements For Financial Services Companies. Similar in design to the previously enacted DFS Part 504, Transaction Monitoring and Filtering Program Requirements and Certifications, Part 500 requires DFS-regulated covered entities (including banking organizations, insurance companies, money services businesses and others) to develop and maintain effective cybersecurity programs and to certify annually to the DFS that they are meeting the requirements of the regulation.

The attendees – chief information security officers, chief compliance officers, chief counsels, internal auditors and other senior executives of banks and insurance companies – engaged in a lively discussion with a panel of cyber experts about the challenges of managing cyber risk and were especially honored to hear directly from DFS Superintendent Maria Vullo, who shared the reasons her agency felt it necessary to adopt this regulation, as well as her compliance expectations.

Superintendent Vullo said that “as cyber-attacks are increasing across the globe, laws and regulations are not just appropriate, they are necessary. Government must be in the game, looking ahead to help prevent misconduct.” The need for a proactive partnership between government and industry to do more to prevent and learn from cyber attacks was a strong theme throughout the Superintendent’s comments. While she recognized that many covered entities have multiple regulators, all of whom may have different expectations regarding cyber risk management, the Superintendent stated her firmly held belief that doing nothing, in the hope of eventually achieving a uniform regulatory approach in the U.S., was simply not an option for the DFS, and she encouraged other regulators to adopt the DFS model. From a governance perspective, the Superintendent was very clear that industry responsibility for cyber risk management rests squarely with boards of directors and senior management.

In designing Part 500, the Superintendent said that DFS’s goal was to develop “a roadmap – minimum safeguards for cybersecurity – which leave room for innovation.” The agency’s focus will be on the outcome, recognizing that different risk profiles will require different responses. Superintendent Vullo signaled a willingness to work with the industry and share leading practices toward the common goal of strengthening the industry’s cyber resilience and said that “where we see clear cooperation and good faith effort, our response will be tempered even where there is need for improvement.”

While the DFS is still developing its cyber framework and examination program, comments from the Superintendent and from the expert panel pointed to several key takeaways beyond the need for support from the top of the organization:

  • Until there is a uniform regulatory standard, organizations – especially large, complex multinational organizations – will still need to address varying expectations and different areas of focus as they develop or enhance their cyber programs.
  • A rigorous, customized risk assessment should be the cornerstone of the cybersecurity program, and it will be important for covered institutions to step back and revisit their risk assessment process and output to ensure that it is providing the appropriate foundation for building the program.
  • While many organizations would immediately turn to IT to build the cyber program, it is very important to involve the business – e.g., materiality should be defined at the business level, since IT may assess the risk differently. To be effective, cyber professionals must understand the business.
  • Third-party risk management issues, which are a very complex challenge for many organizations, are critically important to the cyber compliance effort.
  • While some of the control requirements (multifactor authentication and encryption, or the compensating controls the regulation allows in their place) are not required immediately, the time to start planning for them is now, since implementation will take time.
  • Communication across the organization will be critical to the success of the program.

One of our expert panelists likely summed up the feeling in the room when he reflected that at the beginning of his career IT people sat in a backroom and no one much cared what they did so long as things kept working, but as technology gradually became a business enabler, the attendant risks to the business could no longer be ignored. Cyber is one of those risks on which every institution and every regulator is now focused. No more quiet backrooms for the IT, business and risk professionals charged with protecting their organizations against cyber attacks; they are now front and center in the battle to protect their organizations, their customers, and the market against the growing cyber threats.





Undetected Breaches and Ransomware Change How We Think About Cybersecurity

By Adam Brand, Director
IT Security and Privacy




As new possibilities in information technology continue to transform organizations, they may outpace any cybersecurity protections already in place. Controls that seemed adequate yesterday might not be equal to the challenges presented by new technology and ever-evolving threats today. Our recently published issue of Board Perspectives: Risk Oversight (Issue 90) discusses eight of today’s business realities directors should consider as they oversee cybersecurity risk, and it is worth a read. We’d like to comment further on two of these realities here.

  • The first reality represents a change in thinking: Whereas the adage of yesterday was “It’s not a matter of if a cyber risk event will occur, but a matter of when,” we now know that it’s better to acknowledge that cyber risk events are already occurring, whether we’re aware of them or not.
  • The second reality revises the familiar advice to identify and protect the critical data assets and information systems, aka “crown jewels,” extending that advice to include being aware of the adverse business outcomes that result from the unavailability or compromise of business-critical but non-sensitive data.

Both of these realities have one thing in common: Boards must remain open to new ways of thinking about cybersecurity, because organizations’ information technology assets — and the ways criminals exploit them — keep evolving. Or to paraphrase the Greek philosopher Heraclitus, the only constant in cyber threats is change.

Hunting for Hackers

Thinking “cyber risk events are not a matter of if, but a matter of when” is no longer sufficient, unless you think of “when” as having happened already. Industry breach statistics show that the vast majority of breaches are not self-detected; they are reported by a third party such as law enforcement, a payment card brand or a customer. In one example from our own incident response practice, a firm that had several threat detection measures in place was blissfully unaware of a credit card breach until it was informed about it by the Secret Service. The attacker had been in the environment for over one year. This example is not uncommon, as breach statistics also show that the average time between an attack and its detection is over six months.

In hindsight, the proper response to this kind of threat would have been a proactive one, a practice known as “breach assessment” or “threat hunting.” Rather than relying on in-place technologies and processes to alert on prospective cyber risk events, threat hunting starts from the assumption that the attacker may already be inside and searches for evidence of attacks in progress by asking, “Are we already breached, but unaware of it?” More organizations are now augmenting their cyber defenses by creating internal threat hunting teams or engaging third parties for periodic breach assessments. Supporting ongoing threat hunting and commissioning regular third-party breach assessments are two ways for boards to reduce the likelihood of a long-term, undetected breach.

More Than Crown Jewels

Just a short time ago, “identifying and protecting critical data and systems,” aka crown jewels, was the standard measure of adequate cyber risk management. However, a narrow focus on sensitive data, rather than an outcome-driven approach to cyber risk management, could cause an organization to overlook real threats elsewhere, such as those presented by ransomware. In the past few years, ransomware has changed the risk equation for companies by targeting operational rather than sensitive data. Encrypting non-sensitive information for ransom may not be the high-risk data loss we’ve all been warned about, but it will cripple business operations nevertheless until the data can be restored from backups, and paying the ransom is no guarantee of recovery.

Until recently, firms that possessed only non-sensitive data could rest easy knowing they had no “crown jewels” to protect. They should rest no longer, as all firms are vulnerable to ransomware. Boards should be vigilant about this risk and ensure that safeguards are in place, including offline, regularly tested backups, as well as business continuity plans. Shifting focus from warding off a specific data breach, such as the loss of sensitive data via a particular application, to considering all adverse business outcomes leads to more comprehensive cybersecurity solutions.

While all eight new business realities discussed in our latest Board Perspectives warrant attention, these two in particular highlight the need for evolving an organization’s approach to cyber risk oversight, now and in the future.

Building Cyber Resiliency Is the Path to Better Brand Protection for Consumer Products and Services Companies

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader




Last week, I wrote about customer loyalty, and how a strong cybersecurity program can help ensure the trust of consumers. Here are some fresh statistics about the business impact of cyber threats that consumer products and services executives should know about: In 2016, one in five businesses lost customers due to a cyber attack. Nearly 30 percent lost revenue. About one-quarter lost business opportunities. And when a breach occurred, brand reputation was one of the top areas of the organization to be affected, right behind operations and finance.

These unsettling findings are from the Cisco 2017 Security Capabilities Benchmark Study, featured in Cisco’s latest cybersecurity report. Combine these data points with all the news about recent hacks and breaches involving major retailers, restaurants, hotels, and other consumer products and services companies, and it becomes crystal clear why industry executives are extremely concerned about cyber threats.

In the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative, which I referenced in my recent post, respondents from consumer products and services businesses also cited the following risk among the top five for their industry group in 2017:

Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage our brand.

The research also shows that the risk score for this concern increased significantly from the 2016 survey.

Consumer respect and trust are at stake

For consumer products and services companies that spend millions of dollars annually to cultivate and promote their brand image, a hack or a data breach can be devastating to their reputation — and their bottom line. These events can lead not only to long-term brand damage, but also the loss of the public’s respect and trust. This is especially true if customer data is compromised or stolen, leaving people at risk for financial loss and identity theft. Even if a company can recover quickly from such an event and make things right with its customers, its image will likely remain tarnished for some time to come.

Unfortunately, cyber threats (and privacy concerns) will become only more severe as businesses and consumers increase their reliance on technology in all aspects of their lives; digital commerce and mobile payments continue to grow; and the emerging Internet of Things (IoT) expands. Over time, consumer products and services companies will need to significantly increase the data they collect to provide highly customized products, services and experiences to their customers.

These trends underscore why consumer products and services businesses must make improving cybersecurity and building cyber resiliency even higher priorities — starting now.

Developing a world-class response to a high-profile crisis

Most executives today understand that a cyberattack is not a matter of if, but when, for their organization. Taking steps to prevent hacks or breaches should always be a high priority for any business, of course. But what is even more important is creating a well-thought-out and tested action plan that will allow the company to respond swiftly to a cyber incident, mitigate the impact of that event on the business and its customers, and protect the brand.

A recent issue of Protiviti’s Board Perspectives: Risk Oversight offers some insight that can help consumer products and services companies better protect their brand reputation in an increasingly treacherous cyber threat landscape. One of the “10 essential keys” to risk management outlined in the document, developing a “world-class response to a high-profile crisis,” is particularly relevant to the cyber threat discussion.

Creating a world-class response requires that the board of directors and executives ensure, long before a crisis hits, that:

  • The risk assessment process has been designed to identify areas where preparedness is needed.
  • A crisis management team is in place and has prepared for specific sudden crisis scenarios; otherwise, a rapid response will be virtually impossible.
  • Response teams are supported with robust communications plans that emphasize the importance of transparency, straight talk and effective use of social media.
  • Response teams update and test their rapid response plans periodically.

These actions can strengthen organizational resiliency. When developed with cyber threats specifically in mind, they help to build cyber resiliency. Preparing to reduce the impact and proliferation of a cyber event is paramount for any modern business. For consumer products and services companies, it can make all the difference in maintaining their customers’ trust, preserving the long-term health of their brands, and being able to confidently face the future.