May 8, 2018
This article has been published in PLI Current: The Journal of PLI Press, Vol. 2, No. 2, Spring 2018 (© 2018 Practising Law Institute), www.pli.edu/PLICurrent.
This article is intended to demonstrate how enterprise risk management (ERM) can be used as an effective approach for addressing the intersection of the technical, risk management, compliance, and disclosure elements of modern cybersecurity programs. ERM provides a useful organizational and conceptual approach to effectively manage cybersecurity requirements, as ERM ties cybersecurity risks to their impact on organizational objectives, the tolerance each organization has for cyber risk, and how organizational culture defines the approach to risk and risk avoidance.
Seemingly every week, the media reports another material cyber incident: ransomware attacks, email hacks, attacks on critical infrastructure, credit information exfiltration, or malicious or inadvertent internal behavior. We each can see the evidence of this phenomenon in our own email, with phishing and social engineering solicitations piling up in our in-boxes every day. Data breaches affect every industry and are increasing as much as 45% year over year, according to ITRC & CyberScout. Lloyd's reports that cybercrime costs businesses hundreds of billions of dollars and destroys trillions in market value every year. Because 90% of the market value of S&P 500 companies is related to intangible assets, most of which are digital or depend on digital systems, the frequency and impact of cyber-attacks will almost certainly continue to increase. In 2012, then-FBI Director Robert Mueller observed, “There are only two types of companies: those that have been hacked and those that will be.” A more accurate characterization today is probably that the two types of companies are those that know that they have been hacked and those that do not yet realize they have been hacked.
[Figure: Distribution of Incidents by Industry]
Companies, regulators, and individual stakeholders increasingly recognize that the threat of cybersecurity incidents is ubiquitous and that penetration is inevitable. Accordingly, companies are being compelled—through more aggressive compliance regimes, increasingly prescriptive notice and disclosure rules, and market pressure—to better assess, manage, and disclose their cybersecurity risks and to improve their ability to protect information assets and mitigate the impact of penetration. Cybersecurity and compliance are both an increasingly resource-intensive and a strategically critical dimension of a company’s success.
Problems with the Conventional Approach
Most organizations today, however, have a compartmentalized and suboptimal approach to the critical problems of cybersecurity risk management. In addition to the chief privacy officer (CPO), who is typically part of the legal team, cybersecurity risk management is generally siloed among three separate functions: the chief risk officer (CRO), the chief information security officer (CISO), and the chief compliance officer (CCO). CROs manage the broad portfolio of risks to the enterprise, but not necessarily with any technical or compliance expertise. CISOs focus on technical cybersecurity risks and controls and support the CPO’s concern for data confidentiality and integrity, but often with a limited voice to the C-suite and board, and with limited perspective on compliance and enterprise impact. CCOs address compliance with industry, state, federal, and global regulations and standards, but not necessarily from a technical or enterprise-risk perspective.
The three disciplines use different procedures, budgets, decision processes, and metrics, often resulting in poor integration and interaction. The company’s perspective of its cybersecurity risk and obligations is compartmentalized within the understanding of these three disciplines, with the CISO focused on technical problems, the CCO on compliance objectives, and the CRO possibly unaware of the totality of the risk presented by cyber issues to the company’s strategic goals.
This integration deficit can have significant governance consequences. Cyber risk is escalating as hackers’ capabilities and velocity evolve at a greater rate than the effectiveness of security measures and organizations’ internal security awareness training. The average annual cost of cybercrime per organization is escalating correspondingly (to $11.7 million, according to Ponemon’s 2017 Cost of Cyber Crime Study). The number and cost of potential cybersecurity enhancements are increasing in a corresponding trajectory.
In its January 12, 2018 article “Six Cybergovernance Trends to Watch in 2018,” Cybernance suggests that “the enterprise risk posed by cyberattacks now overshadows financial risk for many organizations. . . . How to engage directors and executive leadership in overseeing implementation of best practices has become a widespread concern.” Regulators, partners, and insurers expect organizations to know their data assets, protect them with effective controls, have response and recovery plans ready and rehearsed when their defenses fail, and have controls and processes in place to ensure they can make timely disclosures of material incidents to regulators and shareholders.
The ERM Approach
ERM provides an effective medium for identifying, assessing, and communicating a company’s total cyber risk in a format and language that enable leadership to understand, prioritize, and make decisions. Regulators’ increasing push for insight and action on cyber risks indicates the value of adopting an ERM approach to cybersecurity decision-making. For public companies, the Securities and Exchange Commission (SEC) issued new guidance that apparently uses its “disclosure lever” to reinterpret SOX-type requirements around disclosure and reporting of cybersecurity risk. The SEC now directly connects the adequacy of companies’ cybersecurity controls (the province of the CISO) to the cybersecurity risk disclosure requirements (a CRO-originated exercise with responsibility that ultimately sits with the CFO and CEO, as well as the board). Other regulations have escalated fiduciary responsibility (and thus potential liability) to senior management or the board by requiring a personally signed cybersecurity compliance certification. Understanding and communicating cyber risk in enterprise terms is now a necessary competency.
[Figure: Center for Internet Security 20 Cybersecurity Controls]
Insurance considerations argue for an ERM approach as well. Many cybersecurity risks and their resultant negative impacts are insurable through a cyber policy or an endorsement to a property, technical E&O, or liability policy. Given the scope of the potential liabilities described above, underwriters are increasingly stiffening the cybersecurity hygiene threshold they expect their insureds to demonstrate, because this impacts actuarial, underwriting, limits, and pricing decisions. For brokers and underwriters, a documented ERM approach to cybersecurity risks helps demonstrate the extent of a company’s commitment to risk control.
Customers, business partners, investors, and banks are also aggressively making credible and demonstrable cybersecurity a condition for doing business, extending loans, or making acquisitions. In regulated industries (for example, financial services, healthcare, defense), companies are required to essentially validate that their business partners and the third parties that touch their data assets in any way also meet the company’s cybersecurity thresholds and minimum standards. The cybersecurity requirements from these critical commercial relationships would also be well supported using an ERM framework.
The ERM Value Proposition
What is it about ERM that makes it such a good system for integrating the needs of organizations around the technical, risk management, compliance, and disclosure elements of cybersecurity programs? In short, an ERM approach relates cybersecurity event risks to corresponding impact on organizational objectives as part of an enterprise-wide process for identifying, assessing, and managing all types of risks facing the company. ERM enables companies to deliberately communicate, compare, and decide on a preferred strategy to prioritize and address risks based on the company’s objectives and risk tolerance. ERM provides a deliberate, strategy-based method for companies to accept, mitigate, transfer, or seek to exploit cyber risks.
The global ERM standard is defined in ISO 31000, and widely accepted guidance is provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” Applied to a cybersecurity context, ERM shifts the focus of enterprise discussion from the CISO’s technology procurement wish list or the compliance officer’s cybersecurity compliance measures checklist. Instead, ERM starts with a process of strategic identification, assessment, and decision based on the specific cyber risks facing the organization and how those risks can negatively impact company objectives.
COSO describes ERM as a continuous “process . . . applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity objectives.” The emphasis in ERM is thus on how to address the impact of the company’s unique cybersecurity risks on its ability to execute its strategy, from a frame of reference of the company’s risk-averse or risk-tolerant culture. ERM enables risk decisions to be more informed and effective because the process reflects the entire organization’s priorities and does not saddle the CISO or CCO, alone, with difficult tradeoffs.
The COSO ERM construct addresses cybersecurity as an enterprise risk management issue for the CRO to coordinate. ERM addresses the technical elements of cyber risk that the CISO cares about (operational risk); the cybersecurity compliance elements that the CCO and counsel care about (compliance risk); the privacy risk concerns of the CPO; and the strategic, reporting, and disclosure elements that the CFO, CEO, and board are responsible for. CISOs and CCOs should welcome this approach because it “shares the pain” of cyber risk more broadly; provides a platform and language for communicating this risk in terms that company leadership and stakeholders can understand; and provides the organization with a documented, strategic rationale for cybersecurity priorities and investment.
The ERM process, while coordinated by the CRO, brings every cybersecurity stakeholder into the process and shares responsibility equitably. By characterizing and quantifying cyber and other enterprise risks in a consistent way, ERM elegantly connects the company’s stakeholders in a collaborative conversation about the organization’s preferred approach to (and budgeting for) cybersecurity risk management in the context of all enterprise risk considerations. ERM identifies and prompts decisions regarding, for example, the company’s approach to addressing cyber regulatory requirements, why business considerations may require a cyber control even where regulations do not, or why the organization may decide to accept certain cyber risks that the CISO instinctively feels should be controlled.
[Figure: Components of ERM]
An ERM perspective prompted Ponemon’s 2017 Cost of Cyber Crime Study observation that “many organizations may be spending too much on the wrong (cyber defense) technologies. Five of the nine security technologies had a negative value gap where the percentage spending level is higher than the relative value to the business.” Clearly, the process requires organizational investment, but it is worth the effort. ERM forces the organization to consider cybersecurity and cyber risk holistically—based on an integrated perspective—making everyone with a stake in the process aware and responsible. And it enables the appropriate identification and elevation of critical cyber risk (or other risk type) decisions to a senior management level.
Implementing an ERM Process
The complete COSO ERM process (the 2004 framework’s eight components) has eight distinct steps:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
In practice, however, implementation can frequently be tackled with a less detailed process. The first move, correlating to the first two steps of the COSO process, is to define the company’s strategic objectives and culture. Before proceeding to risk identification, assessment, and management, the company needs to articulate its own answers to the following questions:
- What are the organization’s mission and strategic priorities?
- What are the organization’s objectives and value proposition?
- How aggressive or conservative is the organization’s risk appetite?
- How can the organization’s culture be characterized?
Once the company’s strategic context is established, the next step (corresponding to COSO step 3) is to identify the risks inherent in the company’s operations in terms of risk events that may occur, and the impact each event would have if it did occur. To do this, the CISO and CCO should develop a list of all of the risk events that may credibly occur based on the company’s cyber-related activities. The CISO documents risks from the technical and operational perspective, and the CCO and CPO teams do so from the regulatory, privacy, and compliance perspective, in concert with the CISO and CRO. For example, a cybersecurity-specific risk might be that a hacking event shuts down the company’s mobile applications. In the cyber compliance context, a cyber event may have any of the impacts listed in the adjacent table. It is advisable (and sometimes required by regulations) to use an accepted cybersecurity framework to establish risk assessment criteria. The NIST Cybersecurity Framework is a good example of such a framework.
[Table: Compliance Risk Impacts]
The next step, corresponding to COSO step 4, is to assess the significance of each risk in terms of the likelihood that the event will occur, the impact that the event will have on the company’s strategic objectives if it does occur, and the velocity of the event (how quickly its consequences arrive once it begins), given the company’s current controls. Typically, each of these parameters is assigned a value: a likelihood rating of “high, medium, or low”; an impact rating of “minimal, moderate, severe, or catastrophic”; and an event velocity rating of “slow, moderate, or fast.” The result of the risk assessment is often represented graphically, with each risk banded relative to the organization’s risk tolerance. One effective approach is to give each risk a numeric score by assigning a calibrated number value to the likelihood, impact, and velocity ratings for each event and combining them. Assessed risks can also be charted on a risk heat map. The following example illustrates what such a risk matrix might look like for a factory, hospital, or transportation authority risk that could result in public safety impacts, including single or multiple casualties, disabilities, or fatalities.
After assessing the relative significance of each identified risk, the company should determine its response to each risk (COSO step 5). The company’s risk response should be made at an appropriate level of responsibility within the organization, based on the assessment of the significance of each risk and accounting for the company’s strategic priorities, operating circumstances, and risk tolerance. There are five responses a company can have to each identified risk:
- Accept: A company can never eliminate all risk. In the mobile application hacking example, a company might conclude that it does not have critical information or operations at stake and that its existing controls are sufficient for the residual risk that remains. But companies need to be cautious and deliberate regarding the optics of accepted risk. For public companies, accepting material cyber risks may require public disclosure so investors can make informed decisions.
- Avoid: A company may change its business practices to remove the risk. In the mobile application hacking example, the company may decide to discontinue the use of mobile applications because the risk to operations, finances, and reputation is too high.
- Transfer: A company can financially transfer risk via insurance, or operationally transfer risk to vendors or suppliers with carefully constructed cybersecurity contract language that spells out risk responsibility between the parties. In the mobile application hacking example, the company may direct its risk manager to buy a cybersecurity insurance policy that covers breaches to mobile applications and pays for first-party expenses like customer breach notification and forensic investigations. Or the company might decide to hire a vendor to host its mobile application activities and ensure that the contract assigns risk for breach prevention, response, and mitigation to the vendor.
- Address: A company can implement enhanced controls to close the residual risk gap, reducing it to a point where risk acceptance is an appropriate response. In the mobile application example, the company might hire a software security expert to implement additional technical controls and mitigation procedures to make the risk palatable, based on an ERM assessment of residual risk.
- Exploit: Finally, a company may recognize an opportunity in the risk that can be exploited to achieve a strategic or market advantage. In the mobile example, a company might “crowdsource” the risk by establishing a challenge and financial reward to the public (a bug bounty program) to identify and report any security vulnerability in the company’s mobile applications, so it can be remediated.
After determining the relative significance and appropriate risk response to each risk, the company needs to implement control activities in a risk-prioritized and programmatic fashion, roughly corresponding to COSO steps 6 and 7. The following table represents a fragment of an ERM matrix for a hospital and illustrates how this process might play out.
- As a first step, the hospital’s CISO and CCO identify numerous risk events, including the three identified above.
- Then the ERM stakeholders assess the inherent risk associated with each exposure based on a numeric scoring of the likelihood of occurrence and impact on the hospital.
- The ERM stakeholders look at the initial controls already operating in the hospital and then reassess each risk based upon a scoring of each control.
- The hospital leadership then decides on a response approach to each risk based upon evaluation of the residual risk value and the hospital’s risk appetite. The sequence of implementing the response to each risk is prioritized accordingly.
- Finally, the ERM stakeholders agree upon, resource, and implement enhanced controls based on the documented decisions of the ERM process.
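The scoring step described above (calibrated numeric values for likelihood, impact, and velocity) and the hospital matrix sequence just listed (inherent score, control scoring, residual score, comparison against risk appetite, prioritized response) can be carried out with a small risk register. The following is an added worked example, not code from the article or from COSO. The calibration numbers, the control-effectiveness scale, the risk appetite value of 6.0, and the three sample risk events are all assumptions constructed for this example; the article gives the rating scales but no numbers, and its hospital table is not reproduced here.

```python
"""Worked ERM cyber-risk scoring: inherent score, control-adjusted residual
score, and prioritization of risks against a stated risk appetite."""
from __future__ import annotations

from dataclasses import dataclass, field

# Calibrated numeric values for the article's rating scales. The article names
# the scales but gives no numbers; these values are assumptions for the example.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"minimal": 1, "moderate": 2, "severe": 3, "catastrophic": 4}
VELOCITY = {"slow": 1, "moderate": 2, "fast": 3}

RISK_APPETITE = 6.0  # assumed: residual scores at or below this are accepted


@dataclass
class Control:
    """An existing or proposed control, scored by the fraction of likelihood or
    impact it removes (0.0 = no effect, 1.0 = eliminates it). Assumed scale."""
    name: str
    effectiveness: float
    reduces: str  # "likelihood" or "impact"


@dataclass
class Risk:
    event: str
    likelihood: str
    impact: str
    velocity: str
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls: likelihood x impact x velocity."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact] * VELOCITY[self.velocity]

    def residual_score(self) -> float:
        """Risk after each control is scored against the parameter it reduces.
        Velocity is not reduced by controls here: a control changes how likely
        or how bad an event is, not how fast its consequences arrive."""
        likelihood = float(LIKELIHOOD[self.likelihood])
        impact = float(IMPACT[self.impact])
        for c in self.controls:
            if c.reduces not in ("likelihood", "impact"):
                raise ValueError(f"control {c.name!r} must reduce likelihood or impact")
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"control {c.name!r} effectiveness must be in [0, 1]")
            if c.reduces == "likelihood":
                likelihood *= 1.0 - c.effectiveness
            else:
                impact *= 1.0 - c.effectiveness
        return round(likelihood * impact * VELOCITY[self.velocity], 2)


def prioritize(risks: list[Risk], appetite: float) -> list[dict]:
    """Rank risks by residual score (highest first) and flag those above the
    organization's risk appetite, which need a leadership response decision."""
    rows = []
    for r in risks:
        residual = r.residual_score()
        rows.append({
            "event": r.event,
            "inherent": r.inherent_score(),
            "residual": residual,
            "exceeds_appetite": residual > appetite,
        })
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


def sample_register() -> list[Risk]:
    """Constructed sample risk register (not the article's hospital table)."""
    return [
        Risk("Hacking event takes down the patient-facing mobile app",
             "high", "moderate", "fast",
             [Control("WAF and rate limiting", 0.5, "likelihood"),
              Control("Rehearsed incident response plan", 0.25, "impact")]),
        Risk("Ransomware encrypts clinical systems",
             "medium", "catastrophic", "fast",
             [Control("Email filtering and awareness training", 0.3, "likelihood"),
              Control("Offline, tested backups", 0.5, "impact")]),
        Risk("Vendor loses unencrypted patient records",
             "medium", "severe", "slow", []),
    ]


if __name__ == "__main__":
    for row in prioritize(sample_register(), RISK_APPETITE):
        flag = "RESPONSE NEEDED" if row["exceeds_appetite"] else "within appetite"
        print(f"{row['residual']:5.2f} (inherent {row['inherent']:2d})  {flag:15}  {row['event']}")
```

Running the register shows the point of the residual column: the vendor risk has the lowest inherent score yet sits exactly at the appetite line with no controls at all, while the ransomware risk remains above appetite even after two controls. An “Address” response is modelled by appending a further Control to a Risk and rescoring; the decision to accept, avoid, transfer, address, or exploit still belongs to leadership, as the article describes, and the code only makes the gap to appetite visible.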
After initiating an ERM process, a smart company will continue to monitor implementation of enhancements and will make the entire process recurrent, in order to ensure that the relationship between the organization’s evolving objectives, operating environment, risks, and controls remains current, understood, and actively managed.
By engaging an ERM process to help address the ubiquity of cybersecurity technical, operational, and compliance risks, companies can better understand their risks in the context of organizational objectives, make strategically informed decisions, and prioritize and budget their investments on cybersecurity controls commensurate with their overall operating environment. Organizations that make it their business to address cybersecurity, privacy, and cybersecurity compliance in this thoughtful, programmatic way ensure that none of these risks is addressed in a vacuum. ERM-competent organizations create a deliberate, strategic process of assessment, decision, and action that engages the expertise and interests of each stakeholder; addresses the equities of company leadership, the board, and owners; and enables the organization’s success in its cyber risk environment.
- See Press Release, Identity Theft Resource Ctr., At Mid-Year, U.S. Data Breaches Increase at Record Pace (July 18, 2017), www.idtheftcenter.org/Press-Releases/2017-mid-year-data-breach-report-press-release.
- See Lloyd’s, Emerging Risks Report 2017: Counting the Cost: Cyber Exposure Decoded (2017), www.lloyds.com/~/media/files/news-and-insight/risk-insight/2017/cyence/emerging-risk-report-2017—counting-the-cost.pdf.
- Bob Barker, Six Cybergovernance Trends to Watch in 2018, Cybernance (Jan. 12, 2018), www.cybernance.com/six-cybergovernance-trends-watch-2018/.
- Securities Act Release No. 10,459; Exchange Act Release No. 82,746, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018) (17 C.F.R. pts. 229, 249), www.sec.gov/rules/interp/2018/33-10459.pdf.
- See, e.g., N.Y. Comp. Codes R. & Regs. tit. 23, pt. 500 (New York State Department of Financial Services’ cybersecurity regulation).
- Committee of Sponsoring Organizations, Enterprise Risk Management—Integrated Framework (Sept. 2004) [hereinafter COSO Guidance], www.coso.org/Pages/erm.aspx (for purchase). COSO has also published a 2017 update to the 2004 guidance. See Committee of Sponsoring Organizations, Enterprise Risk Management—Integrating with Strategy and Performance (June 2017).
- COSO Guidance, supra note 6.
- Ponemon Institute, 2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference 4 (2017), www.accenture.com/t20171006T095146Z__w__/us-en/_acnmedia/PDF-62/Accenture-2017CostCybercrime-US-FINAL.pdf.
- See Cybersecurity Framework, Nat’l Inst. of Standards & Tech. [NIST], www.nist.gov/cyberframework (last visited Mar. 22, 2018).