Despite years of effort and billions of dollars spent annually to protect digital assets, hardly a week goes by without news of a major cyber security breach. And the consequences of a major breach can be devastating in terms of lost revenue, stock price decline, negative press, damage to reputation, lawsuits, internal investigations, and -- often the most impactful -- the distraction the breach causes the business.
It's not surprising that cyber risk is now near the top of board and audit committee agendas. According to KPMG's 2014 Global Audit Committee Survey, nearly 45 percent of U.S. audit committee members surveyed say their audit committee has primary oversight responsibility for cyber security risk; yet, only 25 percent say the quality of the information they receive about cyber security is good.
What information is key to assessing whether management has its arms around cyber risk? Certainly, the audit committee needs to hear from a Chief Information Security Officer or Chief Information Officer who is knowledgeable and can help them see the big picture. But what should be the key areas of focus? While the answer will vary depending on the situation, we suggest four areas of focus:
Periodically review management's cyber security risk assessment. Every company should be conducting cyber security risk assessments as a matter of course. What are the company's highest value digital assets, and what are the greatest threats and risks to those assets? How quickly will the company know if a security breach occurs? In a robust cyber security risk assessment, key areas of focus will include: cyber security leadership and governance, human factors or "people risks", legal and regulatory compliance, business continuity, operations and technology, and information risk. If the company has the right internal resources, the cyber security risk assessment can be conducted internally; however, as the cyber threat becomes more sophisticated, the company may need to call on recognized security specialists for support.
Understand the company's cyber security strategy and governance structure and how it fits into the company's ERM program. Once viewed as a stand-alone program, cyber security is increasingly a multi-disciplinary process that is integrated into the company's ERM processes and overall governance structure. Does the cyber security strategy and governance structure reflect an understanding of the company's data security priorities and security gaps? How are we deploying our financial and human capital to protect these assets against the greatest threats? Management needs to demonstrate that it is "skating to where the puck is going" -- i.e., our cyber security efforts must continuously improve to protect the company as our businesses and technologies evolve and cyber threats become more sophisticated. Does leadership understand our cyber security priorities and risks?
Insist on a cyber security scorecard. As a matter of routine at each meeting, many audit committees and boards review with management a cyber security scorecard, which typically shows (for the most recent period): the volume of identified cyber incidents; the materiality and nature of cyber incidents and how they are being managed; key trends and what is happening in the external environment (e.g., in the private and public sector and on the legislative front). A good cyber security scorecard -- which develops and evolves over time -- helps to improve both the quality of cyber information and the quality of director dialogue regarding cyber security.
Understand the company's cyber-incident response plan. As one leading CIO recently told us, it's challenging to define a precise process or a set of concrete steps for managing a cyber incident because cyber incidents don't all have the same attributes and implications for the company or its customers. That said, incident management is a critical component of an overall cyber risk program, and the effectiveness of the incident response plan will depend on several factors. First, scenario planning is critical, and all the key players -- including the communications, legal, and policy teams -- need to be involved. Second, it's important to establish clear accountability -- if you have a breach, who is responsible for doing what? The final piece involves decision making -- particularly if an incident has external implications, as most do. When third parties or customers might need to be notified, it's important to have a framework for making those decisions -- sometimes very quickly.
Greg Bell, KPMG's U.S. National Practice Leader, Information Protection & Business Resilience, contributed to this Board Perspective.