Cover Story

As cybercrime grows faster than companies can defend against, it’s time for a serious discussion on cybersecurity. Though many are calling for federal standards and regulations — which may be a matter of time — in their absence, organizations should transform how they think about cybersecurity.

© 2013 Financial Executives International | financialexecutives.org


Financial Executive • March 2013 | www.financialexecutives.org

Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), in a recent New York Times op-ed, called on Congress to pass bipartisan cybersecurity legislation after two failed attempts. Likening the pending danger of cyberattacks to a looming Pearl Harbor, the senators maintain that absent mandatory cybersecurity requirements, “the day on which those cyberweapons strike will be another ‘date that will live in infamy,’ because we knew it was coming and didn’t come together to stop it.”

The senators are correct. Cybercrimes — against government facilities, public utilities and private enterprises — are on the rise at an alarming rate and represent a significant strategic threat to the security of the nation, its economy and the welfare of its businesses.

According to the just-released 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study, significant cybersecurity threats against U.S. government systems alone rose more than 680 percent between 2006 and 2011. This past year smartphones became the preferred target for cybercriminals, and the security firm Kaspersky Lab identified more than 35,000 malicious programs in 2012, six times more than the year earlier.

Mounting threats like these are why federal standards and regulations are ever more likely, despite the fact that the proposed bill backed by Sens. Lieberman and Collins died at the end of the last congressional session. Nevertheless, though legislation may be a matter of time, in its absence companies should transform how they think about cybersecurity.

The Growth of Cybercrime

Over the past 10 years, the criminal cyberworld has experienced a large shift from an individual, independent focus to a virtual, coordinated, collaborative model that thrives on innovation and data sharing. A malware ecosystem has emerged that supports this wave of cybercrime. Any potential hacker has an available network of resources from which to choose, and many have specialties.

The cost of fraud tools available to cybercriminals continues to fall. For example, Information Week reported that one package, the SpyEye Trojan, is now available free or at a fraction of its original $10,000 price tag. Groups engaging in cybercrime include a variety of nation-states, organized crime, individual hackers, corporate spies, foreign government agencies and others. And they have been successful.

The personal information of 94 million Americans has been exposed to potential identity theft through data breaches at government agencies since 2009. In 2011 alone, an estimated 71 million people in the United States were victims of cyberattacks costing them about $21 billion in damages, reports CNET.com.

By Kelly Bissell

Though many companies have made considerable strides to address cybersecurity issues in a strategic fashion, many others still do not have an adequate strategy or plan. Consider these responses as detailed in the recently released 2013 Deloitte Touche Tohmatsu Limited (DTTL) Technology, Media and Telecommunications Global Security Study:

• Less than half of survey respondents reported having a response plan in place to address a security breach, and only 30 percent believe third-party suppliers are shouldering enough responsibility for cybersecurity.

• Nearly three-quarters (74 percent) of the 121 executives surveyed rate security breaches at third-party suppliers among the top three threats, followed by denial of service attacks and employee errors and omissions.

• Other major threats identified by respondents include advanced persistent threats (64 percent) and hacktivism (63 percent), new to this survey, which combines social or political activism with hacking.

• While more than half of those surveyed gather general intelligence information, only 39 percent gather information about targeted attacks specific to their organization, industry, brand or customers.

The risks of cyberattacks may deliver a serious blow to a company’s brand and reputation, along with potentially significant consequences. Typically, they include:

• Increased cybersecurity protection costs for people, processes and technologies to increase information security in the organization;

• Lost revenues from unauthorized use of proprietary information or the failure to retain or attract customers;

• Litigation or pending litigation arising from a cyberattack; and

• Reputational damage and remediation costs that adversely affect customer and investor confidence.

The DTTL Technology, Media and Telecommunications Global Security Survey reported that the median annualized cybercrime-related cost for a company is $5.9 million.

So what does this mean for the C-suite, boards and financial executives, and what do they need to do about it? First, the executives can become knowledgeable about what cyberattacks and cybersecurity are, as well as:

• Evolving cybercrime trends and regulations;

• Things to look for relative to cyberinsurance;

• The role of the C-suite and board in advancing cybersecurity;

• How to assess a specific company’s risk; and

• Action steps worth considering.

What are Cyberattacks and Cybersecurity?

Defined as attacks directed at a specific person or organization rather than at random victims, targeted cyberattacks are considered especially dangerous because they often spearhead advanced persistent threats (APTs) — insidious, long-term electronic “campaigns” that may be extremely difficult to uncover and address.

For example, APTs may provide sustained access to the financial or other sensitive or confidential data of a target company or its online customers. Typically, APTs target entry into a system through mobile, social and cloud computing environments, which are complicating cyberdefense because they can be more open, vulnerable networks. The perpetrators of APTs are able to adjust behavior over time to adapt to changes in the environment and thereby get the desired result.

Cybersecurity has various related definitions, but with the changing security market, cybersecurity tends to be used as a synonym for information systems security, encompassing the range of information security technologies and services, including identity and access management, breach incident response and the protection of information technology infrastructure such as networks, routers, email and Web servers.

Until recently, many organizations had not been taking a broad view of the security landscape. Since cyberthreats can come from multiple vectors, the old standard approach of simply implementing a software package may no longer be sufficient. Security strategies and defenses today require reviewing the entire system and the interdependencies within it.

Moreover, firewalls, intrusion detection systems and antivirus software may not be a complete solution to the problem. As sole deterrents, these often fall short of disarming many threats, as they deal with technology processes and not the human element behind APTs.

Combined, the increased risks to American companies and government agencies, growing cybercrime and the resulting effects on the citizens are driving the push for changes in regulation.

Federal Standards and Regulation

Over the years, when there have been systemic or chronic issues that led to significant corporate failures, it seems that tighter regulation almost inevitably follows. That has been the case, for example, with most of the U.S. regulations dealing with various state breach notification laws, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Federal Information Security Management Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act and many others.

With the dramatic increase in the number of breaches and the rapid spread of cybercrime, the pressures for corporate action and further regulation continue to mount. The catalyst for this change has been an environmental one: we used to process all the information on our own computers, in our own building and within our own controlled information ecosystem. With the arrival of the Internet and the consequent changes in the IT environments, companies and customers now have very limited control over their IT ecosystems. We are now conducting business over the Internet with many third-party suppliers and business partners using cloud, mobile and even BYOD (Bring Your Own Devices). With this new and rapidly evolving ecosystem, cyber “bad guys” have many points of attack and frequently aim for the weakest links — most often an organization’s own people with mobile devices.

There are two consequences to this reality: first, it is becoming ever more difficult to control the corporate IT environment; and second, the road to greater regulation is rapidly taking shape.

At both the state and federal level, legislators are attempting to establish guidelines to strengthen “the security and resiliency of the cyber and communications infrastructure of the United States” — the main objective of the 2011 Cybersecurity Bill endorsed by Sens. Lieberman and Collins. Among many things, the bill focuses on promoting the sharing of cybersecurity information through a public-private partnership that emphasizes regular and meaningful collaboration.

The intent of the legislation was to enable both law enforcement and companies to more easily share the evidence of cybercrime and the electronic fingerprints and techniques of cybercriminals (without any specifics about the company targeted) and thereby enable companies, government agencies and individuals to protect themselves from a similar attack.

Clearly, collective action and information sharing around these sophisticated cyberthreats may advance a level of cybersecurity that is beyond the reach of any single organization.

The Growing Use of Cyberinsurance

Although cyberinsurance may help protect a company’s assets and reputation, it is not a silver bullet. A number of complex issues remain subject to discussion, including liability, consumer protection and minimum cybersecurity standards for the purchaser of the insurance, as well as how to determine insurance premiums. Already, some insurers are proactively litigating to invalidate policies because of poor practices on the part of policyholders.

For their part, companies are trying to add cyberinsurance to hedge against the inevitable data breach, address the continued threats and revise their (often siloed) strategies in anticipation of laws that will impact less regulated industries, such as technology, media and telecommunications, more significantly than their peers in industries with already tighter regulations, such as banking.

What is covered under a cyberinsurance policy varies depending on the carrier. It frequently includes the cost of forensics that help to identify the breach, its cause and what was lost, in addition to the costs of disclosing what happened, the expenses related to lawsuits, as well as the cost of some of the repairs to the affected systems. Whether or not the cyberinsurance covers potential losses associated with stolen intellectual property is a matter for debate. With all these variables, regulation will likely be necessary to address the basic issues, including matters related to insurance coverage and the basic “safety standards” necessary for companies that are applying for cyberinsurance.

Despite all these complexities and the evident benefits of some kind of cyberinsurance, according to a survey by the Chubb Group, 65 percent of public companies do not have cyberinsurance — even though they identify cyberrisk as their number one concern. Nevertheless, 25 percent of those surveyed expect a cyberattack or breach in the coming year, and 71 percent have cyberbreach response plans.

Though one might surmise that high-profile and high-risk companies are at the greatest risk, small to medium-sized businesses are not, by definition, safe. About 72 percent of the 855 data breaches worldwide analyzed by one study last year were at companies with 100 or fewer employees. That’s up from 63 percent of the 761 data breaches it analyzed in 2010, reported Sarah E. Needleman in a Wall Street Journal article, “Cybercriminals Sniff Out Vulnerable Firms.”

Role of the C-suite and Board in Promoting Cybersecurity

The new, more wide-ranging approach to cybersecurity has taken strategic IT issues in a new direction. Beyond focusing on preventing the catastrophic incident, it now uses a risk-based approach and aims to address a large array of threats — from the single attack to sustained corporate espionage — advanced persistent threats, which focus on stealing proprietary data and information in a sustained way, like an espionage mole. It also goes beyond just “defense strategies” to include cyberthreat intelligence, detection, enriched analysis and response.

The C-suite and board should consider taking a more active role in promoting an integrated approach to IT strategy and cybersecurity. Top-level security and privacy practitioners, along with third-party research, confirm that cybersecurity is increasingly becoming a concern not only of IT organizations, but of senior corporate leadership, including corporate boards.

Consider these facts:

• According to a Carnegie Mellon University global study, 48 percent of the corporations surveyed have a board-level risk committee responsible for privacy and security risks, up from just 8 percent in 2008. Some 40 percent of the North American respondents say their company’s board deals with computer and information security issues.

• Boards across industries realize that information sharing is key to addressing cyberthreats and vulnerabilities between the public and private sectors — a goal of the proposed and twice-defeated federal legislation supported by Sens. Lieberman and Collins.

Consider, executive management and directors have historically been well-seasoned financial and operations executives. They have relied on these skills to make sound business decisions around financial and operational risk and on industry standard measurements to gauge the health of operational and financial risk. Some of these are balance sheets, cash flow statements and metrics such as same store sales, revenue per person and other metric tools. Unfortunately, there are no standard measurements yet for cybersecurity.

A problem is that most of executive management and directors do not have the experience or expertise to make adequate judgments on how cybersecurity may affect their business and the efforts needed to manage the risks. Moreover, the need for a chief information security officer (CISO) — who is both a business manager and strategist, like the chief information officer (CIO) — is not fully appreciated in many companies.

In fact, the business acumen needed for a CISO has emerged even more quickly than did that for a CIO, and given the pressures and specifics of cyberissues, most CIOs are not able to adequately handle both roles.

Finally, many companies are currently not organized, equipped, staffed or positioned to address broader cybersecurity needs within their IT departments. This is evidenced by the continued growth in cybersecurity breaches. This newer approach begs the C-suite to ask what parts of cybersecurity they should manage versus outsource to specialists.

Another important consideration is the danger that any standards or regulations — either mandated by the government or put in place by the C-suite or board — may be seen as a matter of compliance. And compliance matters frequently do not receive the dynamic and full-fledged attention they merit. They are seen as a necessity — not a strategic asset or benefit.

Cybersecurity is not a compliance issue. It’s a strategic issue. That’s why it merits the proactive and ongoing attention of the board and C-suite.

Assessing Risks

How can the board or C-suite proactively protect the organization’s assets? What do they need to know? What does management need to be asked to ensure they are doing the right thing?

An answer may begin with asking about the corporate ecosystem and understanding its significance to management and stakeholders alike — an increasingly important role for the CIO and CISO.

There are several questions and considerations to focus on:

• Start with the basics. Among the many questions to consider are: Where is my customer data being stored? If that data is lost, what is the impact? Is the information encrypted? Is the data in production and test environments? How do we make sure only people in R&D or like groups have access to secret information? If we are breached, what are the steps we go through? When does the legal department get involved, and have we tested this?

• Understand which devices and systems support critical business processes. Any device that has an internal computer and is Internet Protocol (IP) enabled — such as cellphones and handheld devices — should be carefully scrutinized for vulnerabilities. Remember, as Bloomberg reports, humans are the weak link in the effort to secure networks against sophisticated hackers. The ability of hackers to exploit people’s vulnerabilities has improved their odds of success.

10 Action Steps For Near-Term Focus

Pending the creation of a detailed cybersecurity strategy, there are 10 things that the board and financial executives — in conjunction with the organization’s IT colleagues — might consider focusing on in the near term:

• Learn and stay informed about cyberthreats and their potential impact on the organization.

• Recognize that cyberthreat risk intelligence is as valuable as traditional business intelligence.

• Designate and hold a C-level executive accountable for cyberthreat risk management — not just the “security guy.”

• Provide sufficient resources for the organization’s cyberthreat risk management efforts.

• Require management to make regular (e.g., quarterly), substantive reports on the organization’s top cyberthreat risk management priorities based on key risk indicators (KRIs) — even with an outside IT risk committee, much like an audit committee.

• Expect executives to establish continuous monitoring methods that may help the organization predict and prevent cyberthreat-related issues.

• Require internal audit to evaluate cyberthreat risk management effectiveness as part of its quarterly reviews.

• Expect executives to track and report metrics that quantify the business impact of cyberthreat risk management efforts with options.

• Monitor current and potential future cybersecurity-related legislation and regulation and forecast the potential impact to the business operations.

• Recognize that effective cyberthreat risk management may give the company more confidence to take certain “rewarded” risks (e.g., adopting cloud computing) to pursue new value.

In the absence of federal regulations and any existing internal rules or guidelines, how can the C-suite and board begin to analyze and implement a detailed approach to cybersecurity, once grounded in the notion that cybersecurity is a strategic investment to protect company assets?

A useful place to start may be to understand and agree to the company’s risk tolerance. How much is the company willing to risk based on the cost to prevent? The U.S. Securities and Exchange Commission (SEC) October 2011 interpretive guidance in CF Disclosure Guidance Topic No. 2 provides many helpful suggestions. Among other things, the release details recommended disclosure obligations relating to cybersecurity risks and cyberincidents. Though it does not represent a rule, regulation or statement of the SEC, boards may achieve a potential strategic advantage by realizing and addressing several distinct impacts that may arise out of this guidance.

Next Steps: Creating a Roadmap

It is not merely enough to employ the most common security controls and then get back to business. The Internet and Internet-based technologies have matured to the level where they are now an enabler of a key portion of an organization’s bottom line. The ability to secure this capability is an integral function of the business model. Through the development of a cybersecurity roadmap, an organization may grow through the maturity life cycle in a planned and detailed fashion while demonstrating due diligence to its customers and investors.

With a cybersecurity roadmap, an organization has the opportunity to increase its understanding of the factors driving the changes in cybersecurity and to proactively address these changes. The SEC’s reporting guidance is intrinsically tied to many of the basic components of a solid cybersecurity framework, and the growing trend is toward increasing focus in this area.

By incorporating this reporting framework now, an organization has the potential to reduce the impact of future and more comprehensive regulatory requirements. By addressing these guidelines proactively, it also provides an opportunity to address one of the more important questions within the cybersecurity field: What don’t we know that we should know?

While discussing the impacts in a theoretical sense helps with the formulation of longer-range strategies, of key concern for many organizations is answering the question, “Where do I go from here armed with this information?”

One approach is to consider creating a roadmap to address not only the SEC reporting guidelines but also one that provides an opportunity to relook at the organization’s cybersecurity methodology. To help shape the organization’s roadmap, determine whether the following five questions can be answered with an appropriate level of confidence:

1. What don’t we know that we should know? Are the security and business teams incorporating ideas on what could happen?

2. Are we properly resourced (people, processes and technologies) to address current and emerging cybersecurity concerns?

3. Are we looking at the external as well as internal cybersecurity environment?

4. Is the cybersecurity apparatus fully integrated with the business processes?

5. Given that many companies implement only a portion of cybersecurity controls, how extensive is and should the cybersecurity apparatus be? What is the plan to reach all planned systems and processes?

Cybersecurity is a collective assimilation of an organization’s people, processes and technologies that combine to provide mitigations to cybersecurity threats. By looking at the organization’s overall cybersecurity state — not just the technology portion — an organization may be able to develop a much clearer picture of its current status and gain a better understanding of its strengths and gaps.

Naturally, the general approach offered here provides only a broad framework for understanding the cybersecurity issues. Designing an appropriate strategy requires industry- and company-specific information, analysis and implementation. But as Sens. Lieberman and Collins have so aptly argued, the time for action is now. For C-suites, boards and financial executives, the realities of cybercrime are such that waiting for federal regulation and legislation is a risk that may carry unnecessary and very costly repercussions.

Kelly Bissell ([email protected]) is a principal and security and privacy specialist who leads Deloitte & Touche LLP’s information & technology risk management and global incident response practices in Atlanta.
