The Board and Cyber Security
TRANSCRIPT
Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL
The Board and Cyber Security
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK
Changing Roles, Changing Threat Landscape
The Board of Directors’ Perceptions
Cyber security risks are now commanding board level attention as businesses are transformed by digital technologies.
KPMG’s global CEO outlook survey shows that an increasing number of CEOs are concerned over cyber risk.
These findings are backed by the recent Allianz global risk barometer which shows that 28% of respondents rated cyber security in their top business risks.
Sources: KPMG, “Cyber Security: A Failure Of Imagination By CEOs”; Allianz, “Risk Barometer, Top Business Risks 2016”
Changing Roles, Changing Threat Landscape
Source: KPMG, “Cyber Security: A Failure Of Imagination By CEOs”
The Board of Directors’ Preparedness
While most US CEOs appear confident in their preparedness to deal with a cyber incident, many CEOs in Europe and ASPAC are more cautious than their US colleagues.
Changing Roles, Changing Threat Landscape
The Board of Directors’ Auditor’s View
Audit committees are demanding more information – and spending more time on cyber security
Oversight of cyber security has now moved to the board or audit committee
Regulatory demands are growing and expectations of transparency increasing
16% placed cyber security as one of their top 3 risks
40% say the audit committee should spend more time on cyber
41% say they need to improve the quality of their information
50% have assigned oversight to the board or audit committee
Source: KPMG, “Through A Cyber Security Lens – 2015 Global Audit Committee Survey”
Changing Roles, Changing Threat Landscape
The Cost
As attacks become increasingly sophisticated, security breaches have a growing financial impact on victims.
$7.7 million – the average annual cost of a cyber crime incident in 2015 (up 2% from 2014)
$400 billion – the estimated cost of cyber crime to the global economy
Sources: Ponemon Institute, “2015 Cost of Cyber Crime Study: Global”; McAfee/CSIS, “Net Losses: Estimating The Global Cost Of Cyber Crime”
Changing Roles, Changing Threat Landscape
The Time
The escalating sophistication of attacks increases not just the cost of cyber crime but also the time to resolve an attack.
2013: 27 days – the average time it took to contain a cyber attack
2014: 31 days – the average time it took to contain a cyber attack
A 15% increase from 2013 to 2014
Changing Roles, Changing Threat Landscape
The Other Investments
Security breaches impose indirect costs via:
- Company reputation
- Customer loyalty
- Customer credit card, financial and personal information
- Increased board liability for how they act or fail to act
Boards need to increase the standard of care by:
- Rethinking their governance structures
- Creating privacy and security committees
- Improving accountability
- Addressing the risks associated with cyber attacks
TECHNOLOGIES THAT INCREASE SECURITY, IN ORDER FROM MOST TO LEAST EXPENSIVE:
Security incident and event management (SIEM) systems
Intrusion prevention systems (IPS)
Application security testing
Enterprise governance, risk management and compliance (GRC) tools
FIVE GUIDING PRINCIPLES
The National Association of Corporate Directors (NACD) recommends five guiding principles for boards and management to address in a response plan.
1. Cyber security is an enterprise-wide risk-management issue, not just an IT issue.
2. Understand the legal implications of cyber risks to the company.
3. Have adequate access to cyber security expertise and discuss risk management regularly in board meetings.
4. Ensure that management establishes an enterprise-wide risk management framework with adequate staffing and budget.
5. Identify and develop plans for which risks to avoid, accept, mitigate or transfer through insurance.
Source: Cyber-Risk Oversight Executive Summary, Director’s Handbook Series 2014 Edition
Step 1: Preparing for a Breach
- The NIST Cyber Security Framework: a template for directors and executives to embrace
- Creation of a privacy and security committee
- Making the right investments in security technology
The five functions of the NIST framework:
Identify – Develop the understanding to manage cyber security risk to systems, assets, data and capabilities
Protect – Develop and implement safeguards to ensure delivery of services
Detect – Develop and implement systems to identify the occurrence of a cyber security event
Respond – Carry out actions to take once a cyber security event is underway
Recover – Carry out activities to restore any capabilities or services impaired due to a cyber security event
Step 2: Dealing with a Breach
The board plays a crucial role as overseer of the response and especially the communications strategy. Key responsibilities include:
- Information conduit between internal and external groups, including legal, partners and customers
- Approval of disclosures based on:
  - specific country laws
  - facts that can be validated or confirmed at each stage of the investigation
  - company profiles (for example, high profile with sizeable social media presence)
Despite sustained and responsible security investments, attackers will compromise companies.
In 69% of incidents in 2014, the targeted company learned about the breach from a third party, such as law enforcement.
Step 3: Regrouping After a Breach
The breach has been resolved and the attackers evicted. The board now moves to damage control by:
- Bolstering defenses, repairing and reinforcing the IT structure
- Engaging outside assessment of the company’s security program
- Reviewing the incident and response for areas of improvement
And communication by:
- Initiating repair of the company’s reputation with customers, partners, regulators and media
- Reassuring the public and shareholders
- Working with counsel and public relations to ensure consistent, accurate and timely public statements
In 2014, the average customer churn rate after a breach rose 15% over 2013*
To earn back customer trust, retailers offer gestures of good will: a 10% discount on purchase after a breach
* Ponemon Institute’s U.S. “2014 Cost of Cyber Crime Study”
Conclusion. The Facts.
- Cyber security has become a board-level issue.
- As companies get more connected to customers and partners, it creates opportunities for attackers.
- Cyber security breaches threaten shareholder interests.
- There are reasonable steps that can be taken to protect companies and their shareholders.
TO GAIN FURTHER INSIGHT, LISTEN TO THE WEBINAR ‘THE BOARD AND CYBER SECURITY – WHAT’S REQUIRED IN THE PREPARATION FOR AND RESPONSE TO A BREACH?’ OR DOWNLOAD THE CYBERSECURITY PLAYBOOK