The Board and Cyber Security
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL

Upload: fireeye-inc

Post on 15-Jan-2017


TRANSCRIPT

Page 1: The Board and Cyber Security

The Board and Cyber Security
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

Page 2: The Board and Cyber Security


Changing Roles, Changing Threat Landscape

The Board of Directors’ Perceptions

Cyber security risks are now commanding board level attention as businesses are transformed by digital technologies.

KPMG’s global CEO outlook survey shows that an increasing number of CEOs are concerned over cyber risk.

These findings are backed by the recent Allianz global risk barometer which shows that 28% of respondents rated cyber security in their top business risks.

Sources: KPMG, “Cyber Security: A Failure Of Imagination By CEOs”; Allianz, “Risk Barometer, Top Business Risks 2016”

Page 3: The Board and Cyber Security


Changing Roles, Changing Threat Landscape

The Board of Directors’ Preparedness

While most US CEOs appear confident in their preparedness to deal with a cyber incident, many CEOs in Europe and ASPAC are more cautious than their US colleagues.

Source: KPMG, “Cyber Security: A Failure Of Imagination By CEOs”

Page 4: The Board and Cyber Security


Changing Roles, Changing Threat Landscape

The Board of Directors’ Auditor’s View

- Audit committees are demanding more information – and spending more time on cyber security
- Oversight of cyber security has now moved to the board or audit committee
- Regulatory demands are growing and expectations of transparency increasing

Survey figures shown on the slide:

- Placed cyber security as one of their top 3 risks
- 16% say the audit committee should spend more time on cyber
- 40% say they need to improve the quality of their information
- 41% have assigned oversight to the board or audit committee
- 50%

Source: KPMG, “Through A Cyber Security Lens – 2015 Global Audit Committee Survey”

Page 5: The Board and Cyber Security


Changing Roles, Changing Threat Landscape

The Cost

As attacks become increasingly sophisticated, security breaches have a growing financial impact on victims.

THE AVERAGE ANNUAL COST OF A CYBER CRIME INCIDENT IN 2015: $7.7 million (2% from 2014)

THE ESTIMATED COST OF CYBER CRIME TO THE GLOBAL ECONOMY: $400 billion

Sources: Ponemon Institute, “2015 Cost of Cyber Crime Study: Global”; McAfee/CSIS, “Net Losses: Estimating The Global Cost Of Cyber Crime”

Page 6: The Board and Cyber Security


Changing Roles, Changing Threat Landscape

The Time

The escalating sophistication of attacks increases not just the cost of cyber crime but also the time to resolve an attack.

THE AVERAGE TIME IT TOOK TO CONTAIN A CYBER ATTACK WAS:

- 2013: 27 days
- 2014: 31 days

15% INCREASE

Page 7: The Board and Cyber Security


Changing Roles, Changing Threat Landscape

The Other Investments

Security breaches impose indirect costs via:

- Company reputation
- Customer loyalty
- Customer credit card, financial and personal information
- Increased board liability for how they act or fail to act

Boards need to increase the standard of care by:

- Rethinking their governance structures
- Creating privacy and security committees
- Improving accountability
- Addressing the risks associated with cyber attacks

TECHNOLOGIES THAT INCREASE SECURITY, IN ORDER FROM MOST TO LEAST EXPENSIVE:

Security incident and event management (SIEM) systems

Intrusion prevention systems (IPS)

Application security testing

Enterprise governance, risk management and compliance (GRC) tools

Page 8: The Board and Cyber Security


FIVE GUIDING PRINCIPLES

The National Association of Corporate Directors (NACD) recommends five guiding principles for boards and management to address in a response plan.

1. Cyber security is an enterprise-wide risk-management issue, not just an IT issue.
2. Understand the legal implications of cyber risks to the company.
3. Have adequate access to cyber security expertise and discuss risk management regularly in board meetings.
4. Ensure that management establishes an enterprise-wide risk management framework with adequate staffing and budget.
5. Identify and develop plans for which risks to avoid, accept, mitigate or transfer through insurance.

Source: Cyber-Risk Oversight Executive Summary, Director’s Handbook Series 2014 Edition

Page 9: The Board and Cyber Security


Step 1: Preparing for a Breach

The NIST Cyber Security Framework

- A template for directors and executives to embrace
- Creation of a privacy and security committee
- Making the right investments in security technology

Identify: Develop the understanding to manage cyber security risk to systems, assets, data and capabilities

Protect: Develop and implement safeguards to ensure delivery of services

Detect: Develop and implement systems to identify the occurrence of a cyber security event

Respond: Carry out actions to take once a cyber security event is underway

Recover: Carry out activities to restore any capabilities or services impaired due to a cyber security event

Page 10: The Board and Cyber Security


Step 2: Dealing with a Breach

The board plays a crucial role as overseer of the response and especially the communications strategy. Key responsibilities include:

- Information conduit between internal and external groups, including legal, partners and customers
- Approval of disclosures based on:
  - specific country laws
  - facts that can be validated or confirmed at each stage of the investigation
  - company profiles (for example, high profile with sizeable social media presence)

Despite sustained and responsible security investments, attackers will compromise companies.

In 69% of incidents in 2014, the targeted company learned about the breach from a third party, such as law enforcement.

Page 11: The Board and Cyber Security


Step 3: Regrouping After a Breach

The breach has been resolved and the attackers evicted. The board now moves to damage control by:

- Bolstering defenses, repairing and reinforcing the IT structure
- Engaging outside assessment of the company’s security program
- Reviewing the incident and response for areas of improvement

And communication by:

- Initiating repair of the company’s reputation with customers, partners, regulators and media
- Reassuring the public and shareholders
- Working with counsel and public relations to ensure consistent, accurate and timely public statements

IN 2014, THE AVERAGE CUSTOMER CHURN RATE AFTER A BREACH ROSE 15% over 2013*

TO EARN BACK CUSTOMER TRUST, RETAILERS OFFER GESTURES OF GOOD WILL: 10% discount ON PURCHASE AFTER BREACH

* Ponemon Institute’s U.S. “2014 Cost of Cyber Crime Study”

Page 12: The Board and Cyber Security


Conclusion. The Facts.

- Cyber security has become a board-level issue.
- As companies get more connected to customers and partners, it creates opportunities for attackers.
- Cyber security breaches threaten shareholder interests.
- There are reasonable steps that can be taken to protect companies and their shareholders.

Page 13: The Board and Cyber Security


TO GAIN FURTHER INSIGHT, LISTEN TO THE WEBINAR ‘THE BOARD AND CYBER SECURITY – WHAT’S REQUIRED IN THE PREPARATION FOR AND RESPONSE TO A BREACH?’ OR DOWNLOAD THE CYBERSECURITY PLAYBOOK