In our article “Top Risks Your Business will Face in 2022”, we warned boards to be sure that their management’s corporate risk registers reflected survey results denoting Cyber risk as the #1 threat to business worldwide.[1] The latest research adds more urgency to the need to protect mission-critical assets. In an article posted by Corporate Compliance Insights (CCI), Protiviti’s Jim DeLoach notes that in a survey of 280 technology leaders from U.S.-based organizations that suffered a ransomware attack in 2021, 76% of organizations paid the ransom.[2] The war launched by cyber criminals has created so much chaos that several U.S. state legislatures are considering banning ransomware payments, while the FBI is advising the U.S. Congress against such bans.
Predictions are that the Cyber War will escalate significantly in 2023.
So what role should boards play, and what actions should management take? We’ve summarized some key statistics and some updates from IBM, and we share Protiviti’s advice to boards and management.
2,650 businesses in 89 countries ranked Cyber the #1 risk world-wide
As reported by Allianz Global Risks in their 2022 Risk Barometer, 2,650 businesses in 89 countries ranked Cyber as the #1 risk on risk registers world-wide. Fear of ransomware, cyber breaches and other disruptive forms of cyberattack has escalated cyber risk to the most concerning risk globally, whereas this risk ranked third in 2021. According to the Allianz report, most organizations now have industry peers or competitors who have been shut down or severely impacted by this threat. Other challenges, such as risks from the shift to digitalization and to remote working, are also key concerns.[1]
IBM and the Ponemon institute report the average cost of a 2022 data breach has reached a record high of US$9.44M
In their report “The cost of a data breach, A million-dollar race to detect and respond”,[3] IBM and the Ponemon Institute report that the average cost of a data breach in 2022 reached a record high of US$9.44M in the USA (US$4.35 million outside the US), based on a study of 550 breaches across 17 countries and 17 industries.[3] The statistics are grim:
- 83% of organizations studied have had more than one data breach
- 60% of organizations’ breaches led to increases in prices passed on to customers
- 79% of critical infrastructure organizations didn’t deploy a zero-trust architecture
- 19% of breaches occurred because of a compromise at a business partner
- 45% of the breaches were cloud-based
24% paid the ransom but still could not recover their data
Jim DeLoach cites further statistics. From the above-referenced survey of 280 technology leaders from organizations that suffered a ransomware attack in 2021, the following was also underlined:
- 97% of such attacks attempted to infect backup repositories
- 53% of data was encrypted by the attacks
- 52% of organizations paid the ransom and were able to recover their data
- 24% paid the ransom but still could not recover their data
- 19% recovered their data without paying ransom.
Per DeLoach, “to top it off, 52% of the survey respondents believe, as a key takeaway from the attack experience, that a significant improvement or complete overhaul is needed in the collaboration between cybersecurity and IT backup teams”.[2]
US Government issues NIST Guidance including for Boards and Management on Governance of Cybersecurity
Meanwhile, in 2022 the US Government, through NIST (National Institute of Standards and Technology), issued its “Cybersecurity Framework Version 2.0”, including the corresponding “Staging Cybersecurity Risks for ERM and Governance Oversight” (September 2022), in an effort to help organizations better understand and improve their management of cybersecurity risk. The Oversight guidance provides a framework that allows “Governance” entities such as boards to leverage their Enterprise Risk Management programs to obtain detailed information on risk governance elements such as enterprise risk strategy, appetite, tolerance, and capacity to direct risk performance.[4]
So what needs to be done to effect significant improvements in cybersecurity so that the chances of a material impact to mission critical systems are reduced?
Third-party audits of IT security are no longer a wish-list item; they are a “must-have”
First and foremost, boards and their executive teams should seek expert, outside advice on preparation and on response plans from the best authorities available. Third-party audits of IT security are no longer a wish-list item; they are a “must-have”. Along with responsive actions by internal experts, second opinions from objective third-party specialists provide much comfort to shareholders and other stakeholders, who are all anxious on this matter. Such audits should benchmark how the organization compares to industry and other peers on the various elements needed to protect the organization and its mission-critical systems, including the preparation status of its IT security business continuity plan.
As well, Protiviti suggests that the board undertake a formal initiative with executive management. The following are some suggested questions that senior management and boards of directors may consider, based on the cyber threat landscape inherent in the company’s operations:
Cyber Security Preparation Questions for the Board and Management (Protiviti)[2]
- Do we have effective security controls in place designed to prevent or limit the impact of ransomware?
- Are cyber controls in place to protect our privileged access accounts?
- How often are these controls tested? Are tabletop exercises of likely attack activity, given the increasing sophistication of likely threat actors, performed periodically to ensure defenses can detect a breach and respond timely?
- What is our backup strategy to mitigate ransomware? For example, do we have a consistent backup cadence? Are backups stored in off-site locations?
- Should we be impacted by a ransomware attack, what is our incident response plan? How broadly is the plan shared within our organization? Do we have a provider on retainer in the event we are a victim of ransomware?
- Do we know where our critical systems and data reside, the critical assets that we simply cannot afford to lose or have taken away, and/or systems for which unplanned shutdowns cannot be tolerated? Do we have the processes in place for operational resilience? Do we have 24/7 defense and monitoring against a ransomware event?
- Does the company have cyber insurance with provisions for extortion coverage, including investigatory costs, negotiations costs, ransom payments and other incidental losses?
- Have we defined expectations for the CISO and operational management in the cyber space and established clear accountabilities for performance?
- If the organization has a risk appetite statement, are the board’s expectations for cybersecurity and ransomware attacks incorporated therein?
- Do the metrics reported to senior management and the board provide supporting key performance and risk indicators as to how the top priority cyber risks are being managed? Do the metrics address areas that inform the CISO’s communications with the C-suite and in the boardroom?
- Can we effectively quantify the impact of a ransomware event?
- Does the transition to remote or hybrid work arrangements and reliance on virtual B2C experiences increase the risk of targeted criminal ransomware attacks and advanced persistent threats? Are we addressing the risk of criminals exploiting remote workers? Does our third-party risk management program consider potential exposure to ransomware attacks?
Protection of mission-critical systems, and being prepared to respond to an attack, must be a priority now for all organizations (along with protecting people) and requires expert consultation. Many boards now have a qualified cyber/IT expert on their slate of directors and have a head start in expediting action.
Reach out to Director’s Global for more information on this topic and on Enterprise Risk Management in general.
1. Allianz Global Risk, Allianz 2022 Risk Barometer, https://www.agcs.allianz.com/news-and-insights/news/allianz-risk-barometer-2022-press.html
2. Corporate Compliance Insights, Ransomware Threats Are Growing: How Can Boards Protect Mission-Critical Assets, Jim DeLoach (Protiviti), December 2022, https://www.corporatecomplianceinsights.com/risk-ransomware-board/
3. IBM and the Ponemon Institute, The Cost of a Data Breach 2022: A million-dollar race to detect and respond, https://www.ibm.com/reports/data-breach
4. NIST, Cybersecurity Framework Version 2.0, and “Staging Cybersecurity Risks for ERM and Governance Oversight” (September 2022), https://www.nist.gov/cyberframework