Corporate boards, C-suite finally prioritize cyber after years of business risk
After what many consider a historic year, the threat of cybersecurity risk has finally moved out of the security operations center and become a priority topic of discussion inside corporate boardrooms and the C-suite of major global enterprises.
The widespread impact of the nation-state attack on SolarWinds followed by the record-setting ransomware attacks on critical industrial sites like Colonial Pipeline and meat processing firm JBS USA, has raised tough conversations for global business leaders. Discussions range from how companies can protect their intellectual property and customer data to, in some extreme cases, how they can maintain business operations amid a rising threat of criminal and state-sponsored attacks.
Cybersecurity is a critical part of a board’s overall responsibility for risk management, according to Lucia Milica, global resident CISO at Proofpoint.
“While in the past, cyber risk was considered an ‘IT problem,’ that view has gradually changed and cybersecurity is starting to be integrated as part of the overall enterprise risk management,” Milica said. “Additionally, we have begun seeing an increase in regulatory attention, like the SEC’s recent advisory to include strategy and oversight for cybersecurity and resilience.”
A report released this week from Deloitte shows just how widespread cyber risk is among U.S. corporations. In a survey of more than 500 C-level executives, 98% said their organization experienced at least one cybersecurity event in the past year, compared with 84% among non-U.S. organizations.
Disruption from COVID-19 led to an increase in cyberthreats at 86% of organizations in the U.S., compared with only 63% of non-U.S. entities. Despite those stark differences, 14% of U.S. executives said their organization has no defense plan against cyberthreats, compared with only 6% of non-U.S. executives.
“What this indicates to me is that a siloed approach to cyber will not serve organizations well in the future — an integrated risk management approach paired with interdisciplinary cyber capabilities is the approach I’d suggest in tackling these wide-ranging challenges,” said Deborah Golden, U.S. cyber and strategic risk leader at Deloitte Risk & Financial Advisory.
The bottom line
A cybersecurity incident can disrupt businesses, drop share prices, and spark leadership turnover, Deloitte research found. The report is based on a survey of 577 C-suite executives by Deloitte Touche Tohmatsu Ltd., including 159 executives based in the U.S. Participants in the study included CEOs, CISOs, CFOs, CIOs and CMOs.
In a somewhat surprising result, 28% of U.S. executives say their biggest concern is the unintended actions of a well-meaning employee, compared to 27% of those concerned with malicious attacks via phishing, malware or ransomware.
In 44% of cases, companies are still relying on company leadership to monitor employee behavior and indicators of cyber risk, while 41% use automated behavior analytics tools to help monitor employee risk.
“Corporations are definitely increasing their awareness of cybersecurity risks and looking to manage those risks just as they would other business risk,” John Donovan, CISO at Malwarebytes, told Cybersecurity Dive.
Malwarebytes experienced the business effects of a cyber incident firsthand. The Santa Clara, California-based company has an enterprise risk management (ERM) process that incorporates cybersecurity into financial, market and risk assessment, according to Donovan.
In December 2020, Malwarebytes became a target of the same Russia-based threat actors that attacked SolarWinds. The company, which provides anti-malware software to consumers and businesses, was targeted by an attack that abused applications with privileged access to Microsoft Office 365 and Azure in order to attack users. The attackers gained access to a limited number of internal company emails at Malwarebytes.
Malwarebytes activated its incident response group and worked closely with Microsoft’s Detection and Response team in order to investigate its cloud and on-premises environment. They found that the attackers leveraged a product within their Microsoft 365 tenant to access the emails.
An investigation of Malwarebytes’ source code, build and delivery processes confirmed that the company’s software was safe. After that incident, Malwarebytes thanked Microsoft and FireEye publicly and urged security companies to work together to share information.
CISO rises
At the C-suite level, the voice of the CISO has grown in importance, and other top executives have important roles to play in managing risk, according to Vishal Gupta, SVP and chief information and technology officer at Lexmark.
“We are experiencing more involvement from other board members in shaping the direction of a company’s cyber posture,” Gupta said. “We see a blending of roles because a cyberattack can impact everyone.”
For example, when it comes to cyber risk, Gupta points out that the CFO has to deal with issues like revenue loss, and human resources has to deal with issues like employee security.
“In my role as CITO, I hold a broad view of the landscape that positions me to address problems better,” Gupta said.
How corporate leadership manages cyber risk can vary greatly depending on the particular industry, according to attorney Bob Cattanach, a partner at Dorsey & Whitney and an expert on cybersecurity and privacy law.
“The ones that are truly more introspective about it are asking much tougher questions,” Cattanach said.
Companies in more highly regulated industries, like financial services and to a lesser extent healthcare, tend to be ahead of other companies in terms of how they oversee cybersecurity issues, Cattanach said.
Banks, insurance companies and other financial services firms are subject to a great deal of regulatory scrutiny from a variety of agencies, including the New York State Department of Financial Services. The regulator requires covered entities to have a cybersecurity policy in place that is approved by a board of directors, a CISO in place to protect company systems and data and proper controls, including encryption and multifactor authentication.
In June, the regulator issued new guidance for financial services firms to protect against ransomware attacks.
This was due to a surge in ransomware attacks: data from the FBI Internet Crime Complaint Center showed an 83% increase in annual ransomware complaints across the country, to 2,474, between 2019 and 2020. Total losses more than tripled, from $8.9 million in 2019 to $29.1 million in 2020.
Business impact
A severe data breach or cyberattack can impose lasting damage on a company’s brand or reputational image, according to analysts. A major attack could shake the confidence of customers in relation to the security of their data, or even raise questions about whether a company adheres to best practices in terms of protecting intellectual property, cyber hygiene or privacy rights.
Shortly after the SolarWinds attack, Moody’s warned that cybersecurity risk would continue to grow as a risk factor for debt issuers, noting that supply chain attacks would likely continue to impact software developers. The agency also warned that attacks on healthcare companies and the vaccine supply chain would likely continue and the rise of ransomware would spur cyber insurance providers to reconsider coverage levels.
Moody’s put the ratings for SolarWinds on credit review downgrade, raising questions about whether the attack would impact the company’s brand reputation with existing and potential new customers.
“For SolarWinds, potential reputational damage will be a key risk resulting from the attack,” Moody’s officials wrote at the time. “In our view, reputational risks from cyber events are higher for ‘confidence sensitive’ stakeholders for whom trust is a competitive differentiator. Companies such as SolarWinds that provide critical, network level products are extreme examples of confidence sensitive organizations, and maintaining a good reputation is often key to their viability.”
SolarWinds took a slight blow after Mimecast announced it was moving on from using SolarWinds Orion to work with NetFlow, which is a monitoring system from Cisco. Mimecast, a specialist in email security, was attacked by the SolarWinds threat actor, which downloaded a limited number of source code repositories from the company.
Despite the loss of the Mimecast business, SolarWinds was able to hold onto the vast majority of customers and during the company’s recent quarterly earnings call, reported a retention rate of 86%, which was better than it had previously forecast.
“As [customers] engage with us, understand what happened, as well as understand the initiatives that we have taken, that I call secure by design, they seem to appreciate not only the value that our product brings to them but also the commitment we have to the safety and security of the customer environment at large,” Sudhakar Ramakrishna, president and CEO of SolarWinds, told analysts during the company’s second quarter earnings call.
Despite the increased engagement on cyber issues by the C-suite, a perception gap appears to remain between how CEOs think they are engaging with cyber risk and how security leaders within the company see the support they are getting.
PwC released its 24th Annual Global CEO Survey, which showed that CEOs see cyber risk as the second-biggest risk to their businesses, next to the pandemic. The survey, which involved almost 700 CEOs and 2,900 other C-level executives, showed that 37% of CEOs say they provide significant support for ensuring “adequate resources, funding and sufficient priority” for cyber issues, while only 30% of other executives agree.
In addition, 36% of CEOs say they empower their cyber leadership to interact with customers and business partners, while only 30% of non-CEOs agree that such empowerment is provided.