With Operational Resilience scoring high on the agenda of global regulators, boards need to consider regulatory expectations requiring the engagement of Chief Information Security Officers and CIOs in the board room.
Why are CIOs/CISOs still struggling to get a seat at the table? Not because CIOs/CISOs aren’t speaking ‘strategy’ language, as is often suggested; rather because many boards aren’t aware of the CIO/CISO’s capability to help board directors fulfil their fiduciary duty to “protect corporate assets from both internal and external loss and fraud”.
In most instances, obtaining or destroying valuable ‘information assets’ is the goal of the internal or external cybercriminal, with the proceeds of money laundering, fraud, theft of intellectual property, blackmail, and ransomware emboldening global cyber criminals who continue to seek wealth at all costs.
Negligence that results in the theft or loss of information assets – including intellectual property, personal customer data, patents etc. – is an act that could render the Board in breach of their ‘fiduciary duty of care’.
With the GDPR and the Data Protection Act 2018 having come into force in May 2018, the case for having a CIO/CISO on the board (one who not only understands the fiduciary responsibilities of the Board s/he has been appointed to join, but who speaks both technical and business language) has never been stronger. The risk of cyber and information security breaches needs to be recorded as ‘high’ on the corporate risk register, rather than just on the IT or Cyber department’s risk register, with the Board having visibility into these risks, approving the controls needed to mitigate them, and retaining ongoing oversight of them.
Quantifiable cybercrime attacks against organisations are becoming more prevalent, e.g. ‘CEO email fraud’ or whaling attacks, with the biggest reported victim, Crelan Bank, having lost $76 million to such fraud in 2016. Another victim, FACC, lost €52.8m to a similar fraud.
Last week, it was reported that the CEO of Barclays, Jes Staley, fell victim to a spoofed email sent from a disgruntled customer, which thankfully didn’t result in monetary loss to the bank.
By now, Board executives should be asking “is simply sacking the CEO, CIO, CFO or CISO after a Cyber breach a prudent response to Cyber and Information Security breaches?”.
Instead of sacking the perceived ‘culprit’ after a breach has occurred, a better approach may be to record cyber security breaches as a high risk on the corporate risk register, discuss them at board meetings, and gain assurance from the CIO or CISO that adequate controls are in place to mitigate the risk of such breaches actually taking place. Sacking executives after a breach, rather than seeking to prevent a breach in the first instance, is merely reactive; whereas the latter approach of prudent risk management is proactive and seeks to empower the board to fulfil its obligation to protect corporate information assets.
Many controls are available that could help to mitigate information and Cyber security risks and empower the Board to protect corporate information assets, including people, technology and operational controls.
Encourage staff to speak up without fear. Many ‘process, technical and human risks’ tend to be spotted by front-line employees who deal with customers each day (or who use information systems regularly), long before the risk materialises into an issue.
A seemingly ‘disgruntled’ junior Fintech employee who ‘grumbles’ among their peers about a manager ‘posting large remittances through the finance system to a Cleaning firm’ may be alerting their peers to ‘procurement fraud’ or ‘money laundering’. If there’s a culture of fear over raising concerns to leadership, the employee will continue to complain to peers who don’t have the power to protect the firm’s assets from fraud or loss; whereas the Board has both the power and a legal obligation to do so.
Since the Board is responsible for setting the corporate culture it truly wants to see, employees must be encouraged to speak out in the interest of the firm and shareholders, without fear of victimisation or harassment for doing so; in particular, an employee speaking out against potential fraud is empowering board members to fulfil their fiduciary responsibility of care and protection of the firm’s assets, including non-financial assets.
A Board must ensure that separation of duties and conflict of interest rules are followed to the letter. If the CEO is only allowed to sign off on transactions up to $50m, then adequate workflow controls could be implemented to enforce this limit and to flag an alert each time the limit is reached, whether in a single transaction or over a series of transactions to a single firm in a short space of time. In addition, the CFO shouldn’t be fearful of asking questions of the CEO if asked to make financial remittances that seem amiss. The CFO could be saving both their own and the CEO’s job, as well as helping the Board to protect the firm’s assets from cybercriminals.
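As an added illustration (not code from the original post) of the workflow control described above: a per-payee sliding-window check that raises an alert when a single remittance, or a series of remittances to the same firm within a short window, reaches the approval limit. The payment records, the $50m limit and the seven-day window are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample remittances (not real data): (timestamp, payee, amount in dollars).
SAMPLE_PAYMENTS = [
    ("2018-06-01 09:00", "Cleaning Co Ltd", 30_000_000),
    ("2018-06-01 15:30", "Cleaning Co Ltd", 15_000_000),
    ("2018-06-03 10:00", "Cleaning Co Ltd", 10_000_000),  # cumulative 55m in 7 days
    ("2018-06-20 11:00", "Cleaning Co Ltd", 5_000_000),   # earlier payments aged out
    ("2018-06-21 12:00", "Supplier A", 60_000_000),       # single payment over limit
]

def find_limit_breaches(payments, limit, window_days=7):
    """Return one alert per payment that reaches `limit`, either on its own or
    cumulatively with earlier payments to the same payee within `window_days`.
    Each alert is (timestamp, payee, reason, amount_that_triggered_it)."""
    window = timedelta(days=window_days)
    recent = defaultdict(deque)   # payee -> deque of (timestamp, amount) still in window
    alerts = []
    # Timestamps are zero-padded ISO-style strings, so lexical order is chronological.
    for ts_text, payee, amount in sorted(payments, key=lambda p: p[0]):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M")
        q = recent[payee]
        # Drop payments older than the window so the running total is time-bounded.
        while q and ts - q[0][0] > window:
            q.popleft()
        q.append((ts, amount))
        total = sum(a for _, a in q)
        if amount >= limit:
            alerts.append((ts_text, payee, "single payment reaches limit", amount))
        elif total >= limit:
            alerts.append((ts_text, payee, "cumulative payments in window reach limit", total))
    return alerts

if __name__ == "__main__":
    for alert in find_limit_breaches(SAMPLE_PAYMENTS, 50_000_000):
        print(alert)
```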
CIOs/CISOs are well-placed to run cyber security awareness training for the Board and Senior Management team, including training in the risk of Phishing, Whaling, and Ransomware. The landscape for information security threats has changed drastically, with ‘Crime-as-a-Service’ raking in billions of dollars a year for Cybercriminals.
When Boards become as determined to protect a firm’s information assets as cybercriminals are to defraud companies of those same assets, the balance will cease to be tipped in the cybercriminals’ favour.
Countless technology tools exist to help protect against cybercriminals, including auditing, alerts, and network security tools. Even a basic measure could help: give internal and external board members, including the Chair, an internal email address, and configure the email server to render all internal emails sent between board members and C-level executives in, say, a brown font. If a spoofed email purportedly from the Chair to the CEO were to arrive in a different font colour, that difference could flag a warning in the mind of the CEO to ring the Chair and double-check the origin of the email.
For board members to successfully fulfil their fiduciary duties, discussions at Board meetings should include Cyber and information security risks, including the risk of C-level executives falling prey to cybercriminals. Failing to do so could cause significant loss of financial assets, as well as of market value or market share, in some instances resulting in insolvency.
Essentially, any strategic risk that can cause a loss of assets, reputation or shareholder value to the firm must be discussed at the table by the board, and those discussions should be held with CIOs and CISOs present; many of them are able and ready to contribute as strategic board members, thereby empowering the board to fulfil its fiduciary duties to the company, its employees, and regulators.