Cybersecurity has been described as everything from a top-down corporate mission to a shopping list for software packages that monitor networks and systems for suspicious activity. Given the breadth and complexity of even identifying the risks, it’s no wonder that all sorts of management are discovering they’re now riding the cybersecurity bus.
Nowhere is this accumulation of corporate talent more apparent than in the C-suite, where according to industry experts, everyone is eventually involved. That means the chief executive officer, chief information officer, chief operations officer, chief technology officer, chief risk officer, chief compliance officer and let’s not forget the chief information security officer.
With regulators such as the US Securities and Exchange Commission and Financial Industry Regulatory Authority breathing down their necks, fund management shops, broker-dealers and banks need to figure out what to do, who’s in charge, and how much information to share. What was that last one? Are cybersecurity programs discussed on a need-to-know basis? Sometimes that’s the case, and that’s not the only sensitive internal issue at the top management level.
It has become a given that addressing cybersecurity risk isn’t only about spending money on technology. It is also about putting the right program in place. Defining that program can involve sorting out misunderstandings, conflicts of interest or simple ignorance. The result: a longer planning cycle than anyone expected, and in a worst case scenario an actual breach while those in charge are dithering. That breach typically means stolen investor or proprietary data, legal and public relations repercussions, and even a regulatory fine.
Who Knows What
It is logical to presume that the CEO should be the one steering the ship and barking orders at the CTO or CISO to get things done — that is, shoring up any holes before the ship sinks. Mistake One: the CEO thinking he or she understands what managing cybersecurity risk is all about. Mistake Two: the CTO imagines he or she is up to date on what cybersecurity is all about. Mistake Three: the CTO tells the CEO in detail everything that needs to be done. Mistake Four: the CEO comes out of the meeting thinking that cybersecurity risk management means checking off boxes.
In baseball, it’s three strikes and you’re out. In cybersecurity, all it takes is one. Too often, that first strike is the CEO presuming that the task of handling cybersecurity can be handed off to the CTO on the presumption he or she will do the right thing. “Surprisingly, CEOs will only ask blanket questions to CTOs or CIOs such as how is our cybersecurity risk management and do you have a handle on it,” says Eric Anderholm, chief executive of Sergeant Labs, a La Crosse, Wisconsin-headquartered firm specializing in monitoring cybersecurity risk. “Such a question could erroneously generate either a yes or no type of response, and cybersecurity risk management can’t be handled with black or white answers. How about asking, what are we doing specifically to address cybersecurity risk and is it working?”
What is a bad answer? A vague response or laundry list of software that should be installed. “If the CIO or CTO can’t provide details or trends the CEO can understand, or if he or she believes that buying the right software eliminates the threat, there is a good chance the firm will have a cybersecurity problem,” says Anderholm.
Granted, buying the right technology is a good idea, but understanding just what that technology does could require far more tech knowledge than a CEO would have. And it’s not even certain that every CTO would understand it either. “Most CTOs are more qualified in addressing which applications are necessary for running the operation, and what business continuity is necessary,” says Warren Finkel, chief executive of ACE IT Solutions, a New York-based cybersecurity technology firm. “The landscape of cybersecurity threats is constantly changing and the CTO can’t keep up with every scenario.” Therefore, third-party experts should come into the equation to do a more thorough analysis of what is needed after the basic questions are asked.
Covering the Bases
What are those basic questions? Here is Finkel’s list: is anti-virus installed on every system; are computers and servers being updated with security patches and updates; which employees have access to which data; is data encrypted; are employees using Dropbox or other cloud applications, and have they been trained in cybersecurity risk and social-engineering con games such as phishing?
Once the answers are in, an analysis can be done of how well the firm’s current cybersecurity risk mitigation, or lack thereof, will hold up against each of three risks — technical, financial and regulatory. Case in point: is the right infrastructure in place to prevent a loss of data and which data is the most at risk for loss? Next up: if we lose the data how much will our financial loss come to? Last but not least: will the program pass muster in an exam by either the SEC or FINRA?
With so much information and analysis in play, the program can get bogged down unless communications are limited to what people need to know to play their roles. This is true even at the highest level. Providing the CEO with too much information could short-circuit his or her ability to make any decisions. “CEOs could easily become enmeshed in the nitty-gritty of tackling individual applications or individual tasks,” says Daimon Geopfert, national leader for security and privacy services for consultancy McGladrey in Chicago.
That means he or she will be distracted from taking the broad view of the overall program, which should be flexible enough to accommodate changes in the level of risk, business lines or technology advancements. A better idea for briefing a CEO: present trends in security for the overall organization rather than daily issues. Enabling the CEO to focus on the firm’s current cybersecurity baseline and tracking consistent improvement over time offers a sense of progress or indicates where resources are needed at a high level. The only specific daily issues that should draw his or her attention are “big ticket” items that present oversized risk, such as cybersecurity incidents.
Just how big are the financial risks? The larger question is who has the data and insight to figure that out. The CEO might unthinkingly look to technology staff for dollars-and-cents, since the data assets are under their control. But financial risk management isn’t their speciality. Chief information security officers might be a better bet, but only if the firm has one. Chances are it doesn’t. Only the largest banks, broker-dealers and asset managers have such dedicated professionals. Everyone else likely relies on the CTO or CIO.
So what’s left to do? How about pooling knowledge. “Have the CTO, CIO, and risk manager in the same room to come up with the right risk metrics and explain what is necessary,” says Bryan Seely, a cybersecurity consultant based in Seattle. “Those metrics also need to take into account information provided by the CTO’s staffers, who will be able to filter out the noise from each business line, on what they want and what is realistic.”
Case in point: staff might want remote access, or more access to information they shouldn’t have. The CTO can’t afford to buckle to these requests without thinking about the security risks involved, which is what some inexperienced ones do. In fact, CTOs may have a conflict of interest in monitoring cybersecurity risk for no other reason than their primary agenda being to provide access, availability and ease of use. Pursuing those goals may contradict best practices for cybersecurity. If the same person has the dual roles of overseeing both availability and security, there is a risk that security will not be the winner when conflicts arise. “For many CTOs, the balance between availability and security is often over-weighted to the one that makes their users happy,” says Geopfert.
Of course, it will eventually all come down to funding. Does the CEO want to spend the money to ensure the best cybersecurity risk mitigation program possible, or will it just be the minimum? Not surprisingly, some CEOs want to save money and do the bare minimum. “‘What can we do to satisfy regulators?’ is the common question we hear, because they don’t view cybersecurity as offering a competitive advantage. They just look at the cost,” says Yigal Behar, chief executive of 2Secure, a New York-based cybersecurity technology provider.
Getting to Yes
So just what can be done to persuade a recalcitrant CEO? The fear factor, especially when the regulators are carrying a big stick, can be persuasive. But it can also backfire. Granted, explaining how the SEC or FINRA might fine a firm if it doesn’t have the correct program in place could generate some interest, but it is unlikely to move beyond the level of checking off the boxes. Even worse, the chief compliance officer might sell the CEO on the idea that earning a certification is the best way to move forward, but that will all depend on what the certification covers. “At best it is the bare minimum. It only means the firm has completed the basics and it could easily focus on only one aspect of cybersecurity or some small part of the environment, rather than the full monty,” says Geopfert.
He advises that firms think of compliance as the first mile in a marathon. It is a good start, but there is a lot left to do. Organizations need to move beyond compliance with a regulation or standard, into a process meant to improve the maturity and effectiveness of their cybersecurity program over time. A solid start is to compare the current cybersecurity governance and technical capabilities against a major standard such as ISO 27002 or NIST SP 800-53, both of which have been specifically cited by the SEC, to determine a firm’s strengths and weaknesses. Focus on getting an entire program on prevention, detection and correction in place at a basic level before trying to deploy highly advanced solutions in one area, recommends Geopfert.
One way to persuade a CEO of the need to spend on cybersecurity is to have the chief risk officer deliver the bad news alongside the chief technology director, suggests Seely. The bad news: just how expensive it can be if sensitive data is lost. Client data is often considered the most significant asset at risk, followed by trading strategy — the secret sauce of how a firm makes money. Financial forecasts of how well the firm is expected to perform are next in line. Last, but not least, bring out the numbers of how much each type of security breach will cost, with the firm’s preparedness just as it is now.
If the CEO has any doubt the firm is vulnerable, it’s time for a penetration test — an authorized hacking attempt to help illuminate security weaknesses. “Penetration testing offers the most effective way of rapidly identifying a network’s most serious security risks and prioritizing remediation efforts,” says Finkel. What’s more, it can be used to identify which current security protocols are effective, and to prove to regulators as well as investors that business systems have been tested and are secure.
Finkel recommends that penetration tests be conducted annually, and the results used to adjust investments in security personnel and technology. Naturally, technology spending will have to go alongside human engagement in the program. That translates to educating staffers on how to stay alert for any potential data breaches and what to do if one is suspected: staff need to know who to alert and when. CEOs don’t have to be told of every attempted breach as it takes place, but they do need to know what was done to prevent any financial loss. Should an actual breach occur, staff should know what the escalation plan is, who is to be notified and when, and what measures are in place to mitigate damage.
Not Whether but When
Given the sophistication of cybersecurity criminals, experts say that it’s not whether a breach will ultimately happen, but when. Taking preventive steps can go only so far. That’s where third-party cybersecurity liability insurance can fit into the equation. Much like health insurance, it can be used as a last resort to pay off unforeseen expenses such as claims from investors, costs of regulatory investigations, forensic investigations to locate the breach and identify how it occurred, privacy notification costs, public relations campaigns for crisis management, and business interruption.
Surprisingly, hedge funds can end up spending the least on cybersecurity liability insurance because they have less risk than their traditional fund peers or banks and brokerages, according to Richard Maloy, chief executive of Maloy Risk Services, a cybersecurity insurance broker in New York. The reason: they hold very little personally identifiable information in their systems because the data is held with fund administrators. By contrast, a registered investment advisor can have thousands of individual client accounts and family members’ social security numbers in its systems.
Having established cybersecurity procedures in place offers the added benefit of keeping down the cost of insurance for fund managers. Policies can range from as little as US$5,000 a year for funds with up to US$250 million in assets under management to over US$13,500 a year for funds with over US$1 billion in assets under management, says Maloy, whose firm specializes in alternative investment funds. Insurance may be an expense a CEO would consider a bargain.
Still, a word to the wise: insurance isn’t a panacea. Coverage may be capped at only US$1 million. Prevention is still king.