Cybersecurity risk is a critical enterprise concern. Cybersecurity incidents such as ransomware have the potential to bring an organization’s operations to a standstill. In the United States, the Securities and Exchange Commission (SEC) is proposing rule changes that will require prompt reporting of material cybersecurity incidents. In addition, the SEC is proposing requirements for public organizations to disclose if they have policies to manage cybersecurity risk, their management’s role in implementing cybersecurity policies and procedures, their boards of directors’ (BoDs’) oversight of cybersecurity risk, and the cybersecurity expertise of individual managers and board members.1
Similarly, the US Federal Trade Commission (FTC) recently revised its Standards for Safeguarding Customer Information,2 effective 9 December 2022. The standards require an organization to designate a qualified individual to be responsible for implementing the organization’s information security program. The qualified individual must provide a written report at least annually on the status of the information security program and the organization’s compliance with the safeguards, and must present the report to the BoD or an equivalent governing body.
These rule changes indicate a growing expectation that management is active in the implementation of cybersecurity and that the board and its members are actively engaged in the oversight of cybersecurity. They also emphasize the need for cybersecurity management (e.g., the chief information security officer [CISO] or designated qualified individual) to provide usable and candid reports to the board or, if the organization has no board, to an executive or ownership team. The SEC’s rule changes are still in the proposal stage, and there is controversy around the proposed requirements for breach notification. However, the increased focus on the board’s and management’s engagement with cybersecurity is reasonable and likely to grow. To help with this, the board and management team can use enterprise risk management (ERM) to gain insight into cybersecurity risk and to organize their management of it.
Understanding ERM
Examining an organization’s cybersecurity program using an ERM framework can be an effective way to assess how cybersecurity is managed by the organization as a whole. Two prominent ERM frameworks are the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework3 and the International Organization for Standardization (ISO) ISO 31000 Risk Management guidelines.4 The fundamentals common to both provide a solid foundation for examining the management of cybersecurity risk and cybersecurity practices. At the highest level, the frameworks describe the capabilities an organization needs to effectively support ERM and the steps for managing risk. Capabilities needed for an enterprise to have effective ERM include:
- Support for ERM from the board and management team
- A management structure that supports ERM
- Sufficient resources, including qualified staff and sufficient funding for tools and training
- Consideration of both internal and external contexts
- A plan and commitment to improve the ERM program over time
Capabilities for an enterprise to assess and manage risk include:
- Organizational understanding of its risk appetite
- A process for risk analysis and management that includes:
  - Identifying risk
  - Determining risk severity and priority
  - Defining risk responses and treatments
  - Monitoring risk responses
  - Tracking risk at the enterprise level
Cybersecurity Through the Lens of ERM
The capabilities an organization needs for effective support for ERM are essentially the same as the capabilities it must have to support cybersecurity at the enterprise level. The processes the enterprise creates to assess and manage enterprise risk can and should be applied to cybersecurity. Once the organization establishes an ERM program, it can leverage it to manage cybersecurity risk.
If COSO ERM and ISO risk management concepts are applied to cybersecurity, an organization needs to ensure that:
- Support of the board and management is established, including:
  - The board understands its responsibility to oversee cybersecurity and cybersecurity risk.
  - The board either has members with cybersecurity expertise or engages expert consultants.
  - Management establishes and oversees the enforcement of the cybersecurity policy.
  - Management defines and models the expected culture and values needed to support cybersecurity.
- An effective organizational structure is in place, including:
  - The CISO is high enough in the management structure to have the authority to effectively manage cybersecurity and has the requisite accountability to the organization.
  - The reporting structure does not inhibit the CISO’s ability to provide accurate information to management and the board. If the CISO does not report directly to the board, the levels of management between the CISO and the board should not filter or distort the information the CISO provides.
  - Sufficient cybersecurity staff is provided, along with funding for tools and training.
- The impact of the organizational context on cybersecurity is considered:
  - The impact of organizational strategy on cybersecurity is assessed and the CISO is informed.
  - The impact of cybersecurity on operations, both positive and negative, is assessed.
  - Cybersecurity risk and its treatment are reported to the board and senior management.
Formally including cybersecurity in the organization’s process for enterprise risk analysis and management requires managing cybersecurity risk as risk to the enterprise. This approach has considerable advantages, including leadership’s recognition that cybersecurity risk is not a separate and mysterious matter only for technologists.5 As the recent FTC rule changes and the SEC proposal signal, cybersecurity risk is enterprise risk.
Another benefit of applying ERM to cybersecurity is that risk appetite and risk tolerance can be applied to cybersecurity risk. As with other types of risk, organizations set a target for how much risk is too much. They can also set the range within which risk should be managed: risk below a certain level can be accepted, and risk above a threshold is acknowledged as requiring additional treatment to bring it back within the acceptable range. Tracking cybersecurity risk on the enterprise risk register allows the organization to monitor it and shows whether a given risk is increasing or decreasing over time. Key risk indicators (KRIs) can alert the organization when a risk is about to exceed a predetermined threshold. Each risk treatment plan should be assigned an owner who is responsible for ensuring the execution of the measures that mitigate the risk and keep it within the acceptable range.
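The following script is an added illustration of the mechanics described above (risk scoring against appetite bands, a risk register with owners, and KRIs that alert before a threshold is crossed); it is not code from the article or from COSO or ISO. The 5x5 likelihood-by-impact scoring, the appetite bands, and every risk, owner, KRI and value in the sample register are constructed assumptions for a hypothetical organization. The "approaching" state is the part a paragraph alone does not show: it extrapolates the recent KRI slope one observation ahead so that a risk can be flagged before it is out of tolerance rather than after.

```python
"""Minimal cybersecurity risk register with appetite bands and KRI alerting.

Added illustration, not code from the article. The 5x5 scoring, the appetite
bands and every risk/KRI value below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                   # accountable for executing the treatment plan
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    kri_name: str
    kri_threshold: float         # KRI value at which the risk is out of tolerance
    kri_history: List[float] = field(default_factory=list)  # oldest .. newest

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Assumed appetite bands on the 1..25 score.
ACCEPT_MAX = 6      # accept as-is
TOLERATE_MAX = 12   # within tolerance; monitor


def classify(score: int) -> str:
    """Map a score to the action the appetite statement implies."""
    if score <= ACCEPT_MAX:
        return "accept"
    if score <= TOLERATE_MAX:
        return "monitor"
    return "treat"


def trend(history: List[float], window: int = 3) -> str:
    """Direction of the KRI over the last `window` observations."""
    if len(history) < 2:
        return "insufficient data"
    recent = history[-window:]
    delta = recent[-1] - recent[0]
    if delta > 0:
        return "increasing"
    if delta < 0:
        return "decreasing"
    return "stable"


def kri_status(risk: Risk, window: int = 3) -> str:
    """'breached' if the latest value is at or over the threshold; 'approaching'
    if the recent slope projects a breach by the next observation."""
    h = risk.kri_history
    if not h:
        return "no data"
    latest = h[-1]
    if latest >= risk.kri_threshold:
        return "breached"
    if len(h) >= 2:
        recent = h[-window:]
        slope = (recent[-1] - recent[0]) / (len(recent) - 1)
        if slope > 0 and latest + slope >= risk.kri_threshold:
            return "approaching"
    return "within tolerance"


def board_report(register: List[Risk]) -> List[str]:
    """One line per risk, highest score first, as a CISO might present it."""
    lines = []
    for r in sorted(register, key=lambda x: x.score, reverse=True):
        lines.append(
            f"{r.risk_id} score={r.score:>2} action={classify(r.score):<7} "
            f"kri={r.kri_name} ({kri_status(r)}, {trend(r.kri_history)}) "
            f"owner={r.owner}"
        )
    return lines


# Constructed sample register for a hypothetical organization.
REGISTER = [
    Risk("R1", "Ransomware via unpatched internet-facing systems", "CISO", 4, 5,
         "% critical patches older than 30 days", 20.0, [8, 11, 15, 19]),
    Risk("R2", "Credential theft via phishing", "Head of IT Operations", 3, 3,
         "% staff clicking simulated phish", 10.0, [12, 9, 7]),
    Risk("R3", "Third-party remote access abuse", "Vendor Management Lead", 3, 4,
         "% vendor accounts without MFA", 25.0, [20, 25, 30]),
    Risk("R4", "Loss of an encrypted laptop", "IT Asset Manager", 2, 2,
         "% laptops without full-disk encryption", 5.0, [3, 2, 2]),
]

if __name__ == "__main__":
    for line in board_report(REGISTER):
        print(line)
```

Running it lists R1 first (score 20, "treat", KRI approaching its threshold), then R3 (score 12, still "monitor" by score, but its KRI has already breached, which is exactly the case a KRI exists to catch), then R2 and R4. In a real register the thresholds and bands come from the organization's documented appetite statement, and the report line would link to the owner's treatment plan.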
Consequences of Disengaged Leadership
The Conti ransomware attack on Ireland’s Health Service Executive (HSE) provides a clear example of the consequences for an organization that lacks enterprise management and oversight of cybersecurity.6 Reports by the US Department of Health and Human Services (HHS) Office of Information Security and by the HSE show that a lack of strategic governance and oversight (i.e., ERM) of IT and cybersecurity greatly impeded the implementation of technical controls and processes that could have detected and responded to the attack.7, 8 Significant findings of the HHS include:
- There was no qualified individual. “The HSE did not have a single responsible owner for cybersecurity, at senior executive or management level at the time of the incident.”
- There was no organizational structure to support cybersecurity, such as a “dedicated committee that provided direction and oversight of cybersecurity and the activities required to reduce the HSE’s cybersecurity risk exposure.”
- Internal and external contexts were not considered for cybersecurity risk and cybersecurity risk was not managed using ERM. “The lack of a cybersecurity forum in the HSE hindered the discussion and documentation of granular cybersecurity risk and the abilities to identify and deliver mitigating controls.”
- There was a lack of structure to support cybersecurity. “The HSE did not have a centralized cybersecurity function that managed cybersecurity risk and controls.”
- The necessary resources were not provided. “It was a known issue that the teams with cybersecurity responsibilities were under resourced.”9
Each of these findings maps directly to one of the common fundamentals and capabilities in the COSO and ISO risk management guidance: a responsible owner, a supporting structure, consideration of context, enterprise-level risk management and sufficient resources.
Conclusion
Because IT and the digitized information it manages are essential to modern organizations, those organizations must treat the confidentiality, integrity and availability of information as an enterprise necessity. Any threat to this essential information (i.e., cybersecurity risk) is an enterprise risk that needs to be managed by the enterprise through teamwork, with leadership from both the board and senior management. Recent regulatory changes by the FTC and proposed changes by the SEC show that both agencies are drafting cybersecurity rules that resemble ERM concepts, including board oversight of cybersecurity and the responsibility of senior management to implement cybersecurity policies and procedures and to provide information security staff with training sufficient to address relevant security risk. Regardless of whether an organization is subject to them, these regulations indicate a growing focus on the effective management of cybersecurity by the enterprise and its management team. Organizations can use ERM as a tool to help carry out this critical task.
Endnotes
1 US Securities and Exchange Commission (SEC), Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, USA, February 2022, http://www.sec.gov/rules/proposed/2022/33-11038.pdf
2 US Federal Trade Commission (FTC), 16 CFR Part 314: Standards for Safeguarding Customer Information, USA, December 2021, http://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314
3 US Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Guidance on Enterprise Risk Management (ERM),” April 2022, http://www.coso.org/SitePages/Guidance-on-Enterprise-Risk-Management.aspx?web=1
4 International Organization for Standardization (ISO), ISO 31000 Risk Management, Switzerland, May 2022, http://www.iso.org/iso-31000-risk-management.html
5 National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education Working Group, Cybersecurity Is Everyone’s Job, USA, October 2018, http://www.nist.gov/system/files/documents/2018/10/15/cybersecurity_is_everyones_job_v1.0.pdf
6 Greig, J.; “Conti Ransomware Attack on Irish Healthcare System May Cost Over $100 Million,” ZDNet, 24 February 2022, http://www.zdnet.com/article/cost-of-conti-ransomware-attack-on-irish-healthcare-system-may-reach-over-100-million/
7 US Department of Health and Human Services (HHS) Office of Information Security, Lessons Learned from the HSE Cyber Attack, USA, 3 February 2022, http://www.hhs.gov/sites/default/files/lessons-learned-hse-attack.pdf
8 PricewaterhouseCoopers (PwC), Health Service Executive (HSE) Board, Conti Cyber Attack on the HSE, December 2021, http://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf
9 Op cit HHS.
Tom Schneider, CISA, CISSP
Is a manager of cybersecurity advisory services at Cyber Defense Labs, where his current focus includes cybersecurity program assessments. He has extensive experience in IT tech support, cybersecurity and governance. Currently, his focus is on helping clients see cybersecurity as an organizational issue, not just a technical one, and helping them build effective cybersecurity programs.