ADP Lunch & Learn
Course Materials

Cyber Terror and Cyber Risk: What You Need To Know

NASBA INFORMATION

SmartPros Ltd, producer of this CPE program, is registered with the National Association of State Boards of Accountancy (NASBA) as a Quality Assurance Service (QAS) sponsor of continuing professional education (QAS Sponsor #009). State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding QAS program sponsors may be submitted to NASBA through its website: www.learningmarket.org.

ADP has partnered with SmartPros to provide this program and SmartPros has prepared the material within.

www.smartpros.com
101512

Segment Two

2. Cyber Terror and Cyber Risk: What You Need To Know

Field of Study: Management Advisory Services
Recommended Accreditation: 1 hour group study; 2 hours self-study
Required Reading (Self-Study): "Disclosure Guidance: Cybersecurity Risks and Cyber Incidents," Division of Corporation Finance, U.S. Securities and Exchange Commission. For info, go to: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. See the Required Reading section below.
Running Time: 31 minutes
Course Level: Update
Course Prerequisites: Work experience in a corporate staff position, or an introductory course in management
Advance Preparation: None

Segment Overview:

By increasingly relying on digital technologies and networks to conduct their operations, at a time when cyber attacks are more frequent and more severe, companies are subject to a heightened level of risk. Kroll's Alan Brill examines recently released SEC guidance on your disclosure obligations related to cybersecurity risks and cyber incidents.

Learning Objectives:

Upon successful completion of this segment, you should be able to:

• explain cybersecurity risks;
• describe the objectives of cyber attacks;
• comply with the SEC's cyber risk guidance;
• manage third-party breaches.

Outline

I. Cybersecurity Risks

A. Cybersecurity Risks and Cyber Incidents
1. Disclosure guidance on 10/13/2011
2. From the SEC's Division of Corporation Finance

B. Cyber Attacks to Gain Access to Digital Systems to
1. Misappropriate assets or sensitive information
2. Corrupt data
3. Cause operational disruption

C. Objective of Cyber Attacks Is Theft of
1. Property – such as financial assets, intellectual property and sensitive information – belonging to
a. companies
b. customers
c. business partners

D. Costs of Cyber Attacks
1. Remediation
2. Liability for stolen assets/information
3. Increased future protection costs
4. Lost revenues
5. Litigation
6. Reputational damage

II. Cyber Criminals

A. Cyber Crime – The Old Days: Bad Guys
1. Get into your organization
2. Steal data
3. Hide their tracks
4. Leave

B. Cyber Crime Now: Bad Guys Want to
1. Get into your organization
2. Stay in
3. Stay out of sight
4. Steal data
5. Do it in a way you'll never know they're there

C. Alan Brill's Perspective on Hackers: They
1. Have gotten increasingly sophisticated in their targeting
2. Are hacking small- to medium-size organizations

D. What Hackers Can Do
1. Get data
2. Destroy data
3. Change data
4. Get money without authorization

III. The Impact on Companies

A. Cyber Risk Affects Company's Ability to
1. Exist
2. Be successful

B. SEC's Cyber Risk Guidance: Companies Must
1. Evaluate what risks are
2. Assess how risks have changed
3. Assess how your reaction has changed
4. Determine if protection is reasonable
5. Fix and disclose if not

C. Alan Brill's Advice to Companies on Data
1. Understand it
2. Don't collect what you don't need
3. If you don't use it, get rid of it
4. Keep if needed for legal or regulatory requirements
5. Get rid of out-of-date data
6. Manage it

IV. Cloud Computing

A. Cloud Computing's Characteristics
1. Inexpensive
2. Flexible

B. Cloud Computing: Questions
1. Who is using it?
2. How are they using it?
3. Where are they using it?
4. Is data safe?
5. Are we comfortable with its location?
6. Who can gain access?
7. Can you get access if there is a dispute?

C. What Is a Stealth Cloud?
1. When someone in the organization directly obtains cloud-based services
2. It may place the company's data at risk

D. The ISAPI Filter: How It Works
1. Sits between internet and application
2. Looks at traffic coming in
3. Kills "strange code"

E. Systems Security: Questions
1. Are we still secure?
2. Have we reviewed them?
3. Have risks changed?
4. Have kinds of attacks changed?
5. Should we make changes to make them more secure?
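Item D above describes the ISAPI filter only as a box that sits between the internet and the application, looks at incoming traffic and kills "strange code". The request filter below, added here as an illustration (it is not code from the course, from Kroll, ADP or SmartPros, and not a real ISAPI filter, which is a DLL loaded by Microsoft IIS), shows what that inspection actually consists of: percent-decoding the request target until it is stable so a double-encoded payload cannot hide, folding backslashes to slashes, and matching the result and the attacker-controlled headers against a signature list. The method allowlist, the length limit, the signatures and the sample requests are all assumptions constructed for this example.

```python
"""Edge request filter modelled on the outline's description of an ISAPI
filter: it sits between the internet and the application, looks at each
incoming request and rejects the ones carrying "strange code".

Added example for this workbook, not code from the course, from ADP,
SmartPros or Kroll, and not a real ISAPI filter.  The signature list, the
allowlist, the length limit and the sample requests are constructed."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}
MAX_TARGET_LEN = 2048

# Coarse signatures of "strange code".  A blocklist like this is a first
# layer only: it is bypassable with encodings and variants it does not
# list, so the application behind it still has to validate its own input.
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./|/\.\.(?:/|$)")),
    ("script injection", re.compile(r"<\s*script\b|javascript\s*:", re.I)),
    ("sql injection", re.compile(
        r"""['"]\s*(?:or|and)\s+['"\w]+\s*=\s*['"\w]+|union\s+(?:all\s+)?select\b|;\s*drop\s+table\b""",
        re.I)),
    ("null byte", re.compile(r"\x00")),
    ("command injection",
     re.compile(r"[;|`]\s*(?:cat|ls|dir|cmd|sh|bash|powershell)\b", re.I)),
]


def normalize(raw: str) -> str:
    """Percent-decode until stable (bounded) so double encoding such as
    %252e%252e does not slip past, then fold backslashes to slashes."""
    text = raw
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")


def inspect_request(method: str, target: str,
                    headers: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason).  Inspects the request line plus the header
    values an attacker controls (User-Agent, Referer, Cookie)."""
    if method.upper() not in ALLOWED_METHODS:
        return False, f"method not allowed: {method}"
    if len(target) > MAX_TARGET_LEN:
        return False, "request target too long"
    fields = [normalize(target)]
    for name in ("User-Agent", "Referer", "Cookie"):
        value = (headers or {}).get(name)
        if value:
            fields.append(normalize(value))
    for label, pattern in SIGNATURES:
        for field in fields:
            if pattern.search(field):
                return False, label
    return True, "ok"


def filter_requests(requests) -> List[Tuple[str, bool, str]]:
    """Run the filter over (method, target, headers) tuples and return the
    decisions in order, as the filter's log would record them."""
    return [(target, *inspect_request(method, target, headers))
            for method, target, headers in requests]


# Constructed sample traffic: four ordinary requests, six carrying "strange code".
SAMPLE_REQUESTS = [
    ("GET", "/index.html", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/report?name=quarterly-2011.pdf", {}),
    ("POST", "/login", {"Referer": "https://intranet.example/"}),
    ("GET", "/search?q=cyber+risk+disclosure", {}),
    ("GET", "/download?file=..%2F..%2Fetc%2Fpasswd", {}),       # traversal
    ("GET", "/%252e%252e/%252e%252e/boot.ini", {}),             # double encoded
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", {}),
    ("GET", "/items?id=1%27%20OR%20%271%27%3D%271", {}),        # 1' OR '1'='1
    ("GET", "/file.php%00.jpg", {}),                            # null byte
    ("TRACE", "/", {}),                                         # method not allowed
]

if __name__ == "__main__":
    for target, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {reason:24} {target}")
```

The point a practitioner should take from it is the caveat in the code comment: a signature blocklist at the edge catches the obvious and buys time, but it misses anything it does not list, so it supplements input validation in the application rather than replacing it. It also makes question E.4 above concrete: the signature list is only as good as its last review against the kinds of attacks currently seen.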

V. Other Issues

A. Managing Third-Party Breaches
1. Ask the right questions
2. Make sure answers are reasonable
3. Consider whether independent reviews have been done
4. Obtain SAS 70 certificate where appropriate
5. Make sure your contract gives you the right to ask questions
6. Make sure you are informed of changes

B. Managing Third-Party Breaches: Summary
1. Manage
2. Control
3. Understand
4. Ask the right questions
5. Make sure the right people ask the questions

C. Alan Brill's Recommendation Related to Conference Calls
1. Change the call-in number when someone with access leaves

Instructions for Segment 2. Cyber Terror and Cyber Risk: What You Need To Know

Group Discussion

You may want to assign these discussion questions to individual participants before viewing the video segment.

• As the Discussion Leader, you should introduce this video segment with words similar to the following:

"In this segment, Alan Brill examines recently released SEC guidance on your disclosure obligations related to cybersecurity risks."

• Show Segment 2.

• After playing the video, use the questions provided or ones you have developed to generate discussion. The answers to our discussion questions follow under Suggested Answers to Discussion Questions.

Discussion Questions

1. What are the objectives of cyber attacks? What is your experience with cyber attacks?

2. What are the costs to a company that falls victim to a cyber attack?

3. How does cyber crime today differ from the past?

4. What guidance did the SEC provide in its recent document outlining disclosure practices for public companies?

5. What is Mr. Brill's advice when it comes to data? What are our company's policies and procedures relating to data?

6. What are the steps a company should take to manage third-party breaches? What does our organization do?

7. What does Mr. Brill recommend when it comes to sensitive conference call-in numbers? What are our organization's policies and procedures relating to conference call-in numbers?

Suggested Answers to Discussion Questions

1. What are the objectives of cyber attacks? What is your experience with cyber attacks?

• The theft of property such as financial assets, intellectual property and sensitive information belonging to
– companies
– customers
– business partners
• To corrupt data
• To cause operational disruption

2. What are the costs to a company that falls victim to a cyber attack?

• Remediation
• Liability for stolen assets/information
• Increased future protection costs
• Lost revenues
• Litigation
• Reputational damage

3. How does cyber crime today differ from the past?

• Cyber crime – the old days: bad guys
– get into your organization
– steal data
– hide their tracks
– leave
• Cyber crime now: bad guys want to
– get into your organization
– stay in
– stay out of sight
– steal data
– do it in a way you'll never know they're there

4. What guidance did the SEC provide in its recent document outlining disclosure practices for public companies?

• SEC's cyber risk guidance: companies must
– evaluate what risks are
– assess how risks have changed
– assess how your reaction has changed
– determine if protection is reasonable
– fix and disclose if not

5. What is Mr. Brill's advice when it comes to data? What are our company's policies and procedures relating to data?

• Alan Brill's advice to companies on data
– understand it
– don't collect what you don't need
– if you don't use it, get rid of it
– keep if needed for legal or regulatory requirements
– get rid of out-of-date data
– manage it
• Response is based on your organization

6. What are the steps a company should take to manage third-party breaches? What does our organization do?

• Managing third-party breaches
– ask the right questions
– make sure answers are reasonable
– consider whether independent reviews have been done
– obtain a SAS 70 report where appropriate (SAS 70 was superseded in 2011 by SSAE 16 / SOC 1 reports, so ask the provider for its current report)
– make sure your contract gives you the right to ask questions
– make sure you are informed of changes
• Managing third-party breaches: summary
– manage
– control
– understand
– ask the right questions
– make sure the right people ask the questions

7. What does Mr. Brill recommend when it comes to sensitive conference call-in numbers? What are our organization's policies and procedures relating to conference call-in numbers?

• Alan Brill's recommendation
– change the call-in number when someone with access leaves
• Response is based on your organization

Required Reading (Self-Study)

Instructions for Segment

Self-Study Option

When taking a segment on a self-study basis, an individual earns CPE credit by doing the following:

1. Viewing the video (approximately 25 minutes).

2. Completing the Required Reading (approximately 20 minutes). The Required Reading article for this segment starts below.

3. Completing the online steps (approximately 55 minutes).

DISCLOSURE GUIDANCE: CYBERSECURITY RISKS AND CYBER INCIDENTS

Division of Corporation Finance, U.S. Securities and Exchange Commission
For info, go to: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Summary

This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

Supplementary Information

The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.

Introduction

For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents. Recently, there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws. As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant's specific facts and circumstances.


We prepared this guidance to be consistent with the relevant disclosure considerations that arise in connection with any business risk. We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts – for example, by providing a "roadmap" for those who seek to infiltrate a registrant's network security – and we emphasize that disclosures of that nature are not required under the federal securities laws.

In general, cyber incidents can result from deliberate attacks or unintentional events. We have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Cyber attacks may also be carried out in a manner that does not require gaining unauthorized access, such as by causing denial-of-service attacks on websites. Cyber attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.

The objectives of cyber attacks vary widely and may include theft of financial assets, intellectual property, or other sensitive information belonging to registrants, their customers, or other business partners. Cyber attacks may also be directed at disrupting the operations of registrants or their business partners. Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

• Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;

• Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;

• Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;

• Litigation; and

• Reputational damage adversely affecting customer or investor confidence.

Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents

The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

The following sections provide an overview of specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents.

– Risk Factors

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. Depending on the registrant's particular facts and circumstances, and to the extent material, appropriate disclosures may include:

• Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences;

• To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;

• Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;

• Risks related to cyber incidents that may remain undetected for an extended period; and

• Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

While registrants should provide disclosure tailored to their particular circumstances and avoid generic "boilerplate" disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant's cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.

– Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A)

Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is reasonably likely that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, including related to litigation, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material. Alternatively, if the attack did not result in the loss of intellectual property, but it prompted the registrant to materially increase its cybersecurity protection expenditures, the registrant should note those increased expenditures.

– Description of Business

If one or more cyber incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's "Description of Business." In determining whether to include disclosure, registrants should consider the impact on each of their reportable segments. As an example, if a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.

– Legal Proceedings

If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its "Legal Proceedings" disclosure. For example, if a significant amount of customer information is stolen, resulting in material litigation, the registrant should disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.

– Financial Statement Disclosures

Cybersecurity risks and cyber incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident.

Prior to a Cyber Incident

Registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.

During and After a Cyber Incident

Registrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship. Registrants should consider ASC 605-50, Customer Payments and Incentives, to ensure appropriate recognition, measurement, and classification of these incentives.

Cyber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts. Registrants should refer to ASC 450-20, Loss Contingencies, to determine when to recognize a liability if those losses are probable and reasonably estimable. In addition, registrants must provide certain disclosures of losses that are at least reasonably possible.

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory. Registrants may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications. Registrants should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements. A registrant must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements. Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue.

To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary. If the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, or a statement that such an estimate cannot be made.

Disclosure Controls and Procedures

Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. For example, if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a registrant's information systems, a registrant may conclude that its disclosure controls and procedures are ineffective.

1

VIDEO SCRIPT Cyber Terror and Cyber Risk: What You Need To Know QUINLAN: As companies increasingly rely on digital technologies and networks to conduct their operations, financial executives are increasingly aware that there is an increased risk to their organization associated with cybersecurity, resulting from more frequent – and more severe – cyber incidents. As a result, the SEC’s Division of Corporation Finance recently addressed this trend, by issuing guidance regarding the disclosure obligations of public companies relating to cybersecurity risks and cyber incidents. Mindful that detailed disclosures could compromise cybersecurity efforts, by providing a "roadmap" for outsiders to infiltrate a public company's network, the Commission emphasized that these disclosure obligations are beneficial, but not required. Cyber attacks include gaining unauthorized access to digital systems to misappropriate assets or sensitive information, to corrupt data, or to cause operational disruption. Cyber attacks may also be carried out in ways that do not require gaining unauthorized access, such as by causing denial-of-service attacks on websites. The objectives of cyber attacks vary and may include: theft of financial assets, intellectual property, or other sensitive information belonging to companies, their customers, or business partners. Companies that fall victim to successful cyber attacks may incur substantial costs and suffer significant consequences, such as remediation costs, liability for stolen assets or information, increased future cybersecurity protection costs, lost revenues, litigation, and reputational damage. Viewers will recall that the federal securities laws are designed to elicit disclosure of information about risks and events that a reasonable investor would consider important when making an investment decision. SURRAN: Joining us once again is Alan Brill, senior managing director in the cybersecurity and information assurance practice of Kroll. 
It’s great to see you again, Alan. BRILL: It’s great to see you again, Becky. SURRAN: Over the past few months, the news headlines have increasingly used the phrases: “cyber crime,” “cyber terror,” and “cyber risk.” Tell me, Alan: is this a cyclical occurrence or are these threats really on the rise? BRILL: Becky, it really is a change. It used to be, in the old days, which you can define as a couple of years ago in cyber terms, the bad guys would try to get into your organization, steal the data, get out, hide their tracks, and they’re gone. That’s changed. The new term of art is persistency. They want to get in. They want to stay in. They want to stay out of sight, and they want to be able to steal data. We call it exfiltration of data over a long time period. They want to do it in a way that you’ll never even know that they were there. So now the evolution has occurred in such a way that you can no longer assume that the castle walls are going to guard you. You have to assume that the bad guys may already be inside the castle and you have to have defense in depth. So we’ve gone from defending the perimeter to defend the perimeter and assume the worst.

2

SURRAN: In the past month, hackers accessed the control system of a water utility in Springfield, Illinois. By using a Russian IP address, they allegedly could have caused a water pump to malfunction and, eventually, fail. Is this more evidence that the threat for organizations in the United States is real? BRILL: There is no question of that. A recent study published by the U.S. Executive for Counterterrorism has shown that we are being targeted more than ever. You cannot assume that you are not going to be targeted next. It used to be that you would be targeted if you were a money center bank, if you were a very large organization. But the hackers have gotten increasingly sophisticated in their targeting. They know that a small- to medium-size organization, they know that an organization that’s not in a major money center, may not have done as much to defend their systems as the larger organization. Now, maybe they can’t steal as much. Maybe if they went to a very large organization they could steal $10 million worth of information or money. Maybe from a smaller firm they can only steal a half a million. But, you know, a half a million here and a half a million there pretty soon it adds up to the same number. And it’s easier. So all of these evolutionary trends point in the same direction, and that is that you have to assume that either you’re going to be the next victim, or that you’ve already been hit and just don’t know it yet. SURRAN: Whether the hackers are motivated by money or by hacktivism, the bottom line – from our viewers’ perspective – is that it’s a threat to their bottom line, right? BRILL: It doesn’t really matter what the motivation of the attacker is. Whether they’re trying to steal information or money for some political purpose or for some cause that they believe in, from your point of view, it’s an intrusion into your systems to get information, to get data, to destroy data, to change data, or to get money without authorization. 
The computer doesn’t really know why it’s being attacked, nor should you or it care. The attack is a technical and people kind of issue that we have to address on its face, and not worry quite as much about whether something is ultimately going to be very big cyber terrorism, cyber crime, cyber hacktivism, it’s the same underlying act. SURRAN: You know our viewers. They – and their organizations – deal with data. In fact, information has become an important – maybe, the most significant – asset of their organization. I suppose, if financial executives are supposed to be a steward for their organization’s assets, they really have to be able to protect that data – especially when a breach is suspected or is known to have occurred, don’t they? BRILL: Absolutely. You know, where is the money today? The value in most companies is not sitting in a bank vault. It is sitting on the surface of a hard drive. Whether it’s your transaction data, your financial data, your R&D data, your planning data, whether it is that spreadsheet on how you did last month or the PowerPoints on what you are going to do next year. That information is the value. You have a responsibility to protect it. But look, so does everybody in your company from the CEO on down. However, there is a difference. Your job really centers in many ways on the concept of stewardship. You uniquely think in your work about controls, about protection, about understanding what happened and analyzing what happened.


In some ways you’re in the best position to drive that awareness, to drive that concern, and to make sure that throughout the C-suite and throughout your technology organization, and throughout your whole organization, people are actually thinking in terms of the value of the information that they deal with on a day-to-day basis, just the normal stuff that they work with and the fact that for everybody else in the world it’s not the normal stuff. It’s confidential. It’s valued. It’s got to be protected. Your ability as a steward in the financial end of the business, as a controller, as a CFO, as a treasurer, translates directly into an understanding of protecting information. In my experience, too few people with that skill really get the most out of it in terms of getting this message across within their organizations.

SURRAN: That’s not just a best practice, that’s become a regulation, hasn’t it? Last month, the SEC’s Division of Corporation Finance released a guidance document that outlines disclosure practices for public companies, in light of the most recent spike in cyber security attacks and data breaches. As a result, these risks and events must now be disclosed, right?

BRILL: Well, it goes along with what you and I have been saying, Becky. The evolution is that the value is in digital form and it needs to be protected. The risks associated with that are no longer a risk that we just think of in terms of the technology, of the CIO, of the head of information systems, of the information security officer. It now affects the company’s ability to exist and to be successful. For that reason I think the SEC guidance in this area is really very practical. It’s saying that you have to evaluate these risks and determine whether, like any other risk, not that they exist, they exist for everybody, but do they have a material effect? On your company and on its statements?
You need to be looking at incidents and determining whether those incidents cause you to change your evaluation and perhaps have more to disclose. That disclosure process is now going to be as evolutionary as any other process. You’re going to have to evaluate what the risks are, how they have changed over time, how your reaction to them has changed over time, and ultimately whether your current status for protection is reasonable, or whether there is a risk out there that you need to come forth with and fix and maybe disclose.

SURRAN: The SEC is not asking for disclosure of generic risk factors that could apply to any company. How particular, and how specific, should companies be in describing the potential costs and consequences that could result from cybersecurity risks?

BRILL: There’s always value in what security people refer to as security by obscurity. That is, you don’t tell all the details, and I don’t think anybody is expecting you to do so. On the other hand, just saying wow, there is a risk out there isn’t going to do it either. To me it’s kind of thinking about where the intersection is between the kinds of information that you’re holding and what happens if that information gets out? So it’s the value of that information to you, the value of that information to a potential third party, and the expectation of your stakeholders, whether it’s your customers or your employees, your board, that you’re going to do a good job in securing that.


SURRAN: On one hand, this is information that the so-called market participant would want to know before making an investment decision. On the other hand, are financial executives really capable of determining what constitutes a material cybersecurity breach or whether the organization has appropriate defenses in place?

BRILL: The evolution of risk is a really interesting area. It’s one where the corporate risk manager has suddenly become much more important than ever before. The area of cyber risk is an area that the risk managers are spending time on. They’re learning by working with the insurance companies that are now offering cyber risk and data loss risk and data breach risk policies, how to assess the risks and how to assess what the appropriate reaction is. Make no mistake about it, the problem that most organizations face in assessing the risk of these incidents is that they don’t have many of them, and that’s a good thing. But it’s like anything else. If you don’t have incidents on which to base some experience and some planning, it’s theoretical. So you know, what do we tell people? We say, understand the data that you have. Go on a data diet. If you have data that you don’t need to collect, don’t collect it. If you have data that you have collected and that you don’t use, get rid of it unless there is a legal or regulatory requirement to have it. If you have data that you needed and is out of date, get rid of it. There is no law that says you must keep everything forever. If there was, every one of us would be on that show Hoarders. You’d have paper lining the rooms. We’d have disc drives all over the place. So manage what it is that you collect. Manage what it is that you keep. Do that actively and you are going to reduce your risk level. Put in the right controls so that if something unusual is happening you have the reasonable chance of noticing it and doing something about it. You have managed the risk. I think the key, if there is a key, is this.
Nobody is expecting that your organization is going to achieve a level of security that you would associate with Fort Knox. It’s not going to happen. It’s not viable. It’s not worth it. But, if you take as your measure answering the question, are we protecting our information in a commercially reasonable way that makes sense for us, that’s a very fair question. Now, that may be tempered by outside influences. You may be subject to things like the PCI standard for credit card data. HIPAA standards, but you build those in. But ultimately you want to say we’re doing things in a commercially reasonable way, at a commercially reasonable cost, and achieving a commercially reasonable set of controls, standards and security.

SURRAN: In recent years, our viewers are increasingly using cloud computing solutions for their organization. To what extent does that have an impact – or do we know if it has an impact – on their vulnerability to cyber attacks?

BRILL: The cloud is a very attractive concept, because you don’t have to worry about hardware. You don’t have to worry about software. You don’t have to worry about patching, updating, and other things we’ve talked about over the years. But the problem is can you simply say, yeah, it’s being taken care of? And how do you know? The cloud can be inexpensive. It can be flexible. It can allow you to have computing power when you need it and not pay for that power when you don’t need it.


But with it comes responsibility. Who is using it, how are they using it, where are they using it? Is our data safe? Is it in a location that we’re comfortable with? Who can gain access to it? Can you gain access to it if there is a dispute about payment? All of these are very real. We’re finding today that there are surprises. People are discovering that their companies have gone to so-called cloud computing and they didn’t know about it, because one of the ways that people are changing and moving from local computing to cloud computing is what’s sometimes called stealth clouds. And what’s a stealth cloud? A stealth cloud occurs when somebody in your organization gets the brilliant idea that they can use one or another of these cloud based services for analysis, for computation, for something. Rather than going through the IT department and the risk management department and getting a formal approval, they pull out a credit card and they charge it. They expense it. Suddenly your data may be placed at risk, maybe in another country, and you didn’t even know this was happening. It’s for that reason that I really talk to you guys in terms of stewardship. I am getting people to understand that we’re not trying to keep track of this stuff because we are accountants and we like to keep track of things. But because the risks associated with doing it wrong can be disastrous. It doesn’t take much for a data breach to occur that’s really the fault of a third party, but then we may end up having to take responsibility for, and notifying hundreds of thousands of people, and having the cost, and having the reputational damage. Keeping that stewardship, keeping that knowledge of what’s going on has become so important that I think that like everything else in your world, your position in regard to risk understanding and risk management has to evolve.

SURRAN: I don’t have to tell you: times are tough.
Organizations are deferring expenditures: from capital purchases to routine maintenance. Our viewers are being asked to find more budget cuts. From your perspective, Alan, are there some savings that are penny-wise, but pound-foolish?

BRILL: I am reminded of an example, Becky. We had a customer who came to us because they thought there might be something wrong in one of their financial management systems. We went in, and we found out that somebody on the outside had attacked them, using a very particular technical attack. It’s called a SQL injection. They figured out that they could send commands right in from the internet that would bypass the normal security, would go directly to the database and start feeding out database information. Once they figured out that this could be done, they did it over and over and over. Over 40 thousand times. Successfully. They just changed account numbers. If there was a real account with that number they got it. If there wasn’t, it would say, I don’t know what you’re talking about. Here’s the sad part. That risk occurred because the system that was attacked was an old system. It was a system that they were planning to change, to swap out for a new one. However, because of the economic conditions they said to themselves, you know, this system works. This system is going to last for another year. Maybe we’ll replace it next year. Let it go. So the system continued operating, but because it was that old system nobody really wanted to spend time maintaining it. While this is all happening, the risk of this kind of an attack, this SQL injection, started getting greater and greater. They didn’t bother putting any defenses in place. So a system that in its heyday had been reasonably secure became insecure because of the change in the technological capabilities of the bad guys. Unfortunately for them we had to be honest and say, look, we can stop it from happening. We can install, and did install, a program. It’s called an ISAPI filter. It sits between the internet and the application and it looks at the traffic coming in. If it sees this strange kind of code, it kills it. It is a free piece of software. It is open source. It took us less than 90 minutes to download it, install it and tune it and it stopped it dead. Forty thousand people’s financial records out in the wild because inertia seemed the best course for the company. Don’t let that happen. Even if you have systems that seem to be secure, as a steward it’s not a bad idea to once in a while ask, how do we know they are still secure? Have you reviewed them? Have the risks changed? Have the kinds of attacks changed? Should we be doing something, until we build a new system, to make these systems a little bit more secure?

SURRAN: That would be great if everyone was in control of their own systems and their own information. But, increasingly, our viewers and their organizations rely on service providers and/or open up their systems to vendors and customers. What can you do to minimize the occurrence of so-called third-party breaches?

BRILL: The only way that I know to manage third-party breaches is to manage the third parties. You can turn over any parts of your organization's work to them that you want, but you can’t turn over the responsibility. You are still responsible for that data. You need to ask the right questions. You need to be sure that the answers that you’re getting are reasonable answers and that you have a reason to believe that what they've told you is the truth. Now sometimes that might involve third-party reviews of partners that you’re thinking about dealing with. Or finding out whether they have independent reviews done.
Sometimes you ask for the SAS 70 Type 2 certificate. Sometimes you ask for other things. But make sure that in your dealings you retain the right to ask those questions and to expect answers. If things change, if, for example, your vendor merges with another company, either as the acquirer or the acquired company, and your data is going to be moved to another data center, it’s going to be processed differently. You should make sure that your contract calls for them to have an affirmative obligation to let you know what the changes are, and not simply to assume that they are okay with you. In this world we’re seeing a lot of activities where cloud providers are merging, are growing, and a cloud provider that has your data in the states, but suddenly acquires a site in a third-world country and decides to move your data may be putting it at more risk than you really would want to be put at. You need to know that. So you can’t abandon your responsibility for stewardship just because you sign a contract to have a third party handle your data, or handle your data processing. You retain that responsibility. The risk is yours ultimately. So it’s manage, control, understand, ask the right questions, and make sure that whoever is asking the questions is technically capable of understanding those answers.


If you don’t like the answer, ask some more questions. If you are not comfortable the fault is not with you, it’s with them, and you need to get to the bottom of that.

SURRAN: Before we began this interview, you told me about the potential danger from being attacked by a “botnet.” Remind me: how do these so-called “zombies” work?

BRILL: There is no question but that the bad guys are getting smarter and more sophisticated. There are hacking organizations that are more like corporations than anything else. People are employed there. They come in in the morning, they hack. They have their coffee break, they hack. After lunch they come back and hack some more. Some of them are very good hackers and some of them are basic hackers. The basic hacker will get a certain amount of the way into your organization, and then when you look at the code you can actually see that a more sophisticated hacker has now shown up, and is pushing the attack further in. Now, I have seen attacks against our clients with four or five levels of hacker brought in by the same organization. So the world is changing. We are now the target. Why? Because we can be. Because not everybody controls everything. Remember the old adage. I have to secure myself against every form of risk that can reasonably occur. The attacker has to find one hole that they can get through and they can defeat everything else. About a year ago there was an article published in a magazine called Foreign Affairs. It was written by William J. Lynn III, Deputy Secretary of Defense of the U.S. In that article Secretary Lynn revealed that there had been a massive breach of U.S. military secrets. It was tracked down to the following. Somebody put an infected thumb drive into a computer in the Middle East. It spread to both classified and unclassified systems. Ultimately it was one of the most damaging intrusions ever to occur.
Now that occurred to the Defense Department, which presumably does a pretty good job of protecting themselves. What’s worse is they didn’t know the intrusion had occurred for a number of months, and then they took the steps to repair it and to prevent this from happening. But could that be happening to you? Could somebody have put in a thumb drive that they brought from home that has a virus on it?

SURRAN: For instance, Alan, do we really know who’s listening in to our marketing department’s weekly conference calls?

BRILL: This is a big thing. You know we hear all of the things that have been going on and the hearings that have been going on in London about things as simple as voice mail. But something we all use every day are conference calls. Some organizations have conference calls that are very important. They have them every week and the dial-in number hasn’t changed in years. So if you have people who have access to that information, who have now left and maybe went on to a competitor, are you sure that they’re not dialing in? Are you sure that they aren’t just listening to see what’s going on? The odds are you might never know it. Because most of these systems don’t do a lot of announcing of who is on, who is off. We think that good practice is, when you have a sensitive dial-in number and somebody who used it leaves, you should change the number. It may be a pain in the neck to have to notify everybody that that number has changed, but it’s actually a lot better than having your data leaking and not even knowing it.


SURRAN: I know you’re not an attorney, Alan. But, since you’ve been associated with criminal investigation agencies, let me ask you a quasi-legal question: I know that information and telecommunications technology advances at the speed of light. But what about the laws protecting and overseeing that technology? To what extent are they in place?

BRILL: Well, there are many laws that get involved both in the area of security and privacy of data. Obviously in the health care area, HIPAA and HITECH, those who process credit card data have regulations that they have to follow. There are many regulations. The problem is this - the technology we use advances at the speed of light. There is no question of that. Somebody asked me, how do you know when your computer is obsolete? The answer I gave them is, you unpacked it, and that’s becoming true. Cell phone manufacturers tell me that their life cycle for new products is now three to four months, and that they have to keep bringing out new products. New and better things. The result of that is we have gone into an environment where we don’t control things as much as we used to. We used to control all the endpoints. We provided them, we controlled them, we secured them. But now we’re entering an era where a term that you’re hearing is BYOD, bring your own device. Companies are having to adapt to the fact that they have to transmit data to smart phones, to people using tablets, and that not only may the company not have perfect control of those, they may not even own them. So the strategies for doing that have become vital. The laws that cover that, the laws that would cover computer crime, you have got to remember, they are advancing, but only at the speed of legislation. So the gap between the technological capability and what the law covers can be considerable at any given time. We have to protect ourselves against that. You know, the fact that something may be illegal doesn’t stop it from happening.
If somebody wants to commit that crime and target your company, they may well do it. If you’re not watching you may not even know it happened. Relying on the law as a deterrent has limited reality in the cyber world because jurisdictions don’t exist. The attacker can be anywhere in the world. Whether you’re in New York or California or Bombay or Australia, we are all one hop away from the hackers. We have to deal in a situation where the primary responsibility for the security of our systems doesn’t lie in government. It doesn’t lie anywhere but in our own organizations. That’s why I keep coming back to the fact that you folks are specialists in controls. You understand value. You understand risk. That knowledge expanded to cover the new situation of technology is of tremendous value to the organization. It’s a unique opportunity, and I think it’s one that’s worth taking advantage of.

SURRAN: A few months ago, Alan, you addressed the issue of “defense against terrorism” for the NATO Centre of Excellence. I’m curious: shouldn’t those countries be more concerned with border control than with countering cyber terrorism?

BRILL: If you think about it, what’s the difference? There is a physical border that people come across, but there’s also a cyber border that data comes across. Data travels freely between countries. It doesn’t necessarily go through customs or immigration at the airport. It doesn’t have a passport that somebody looks at and stamps. It doesn’t get visas. Protecting a country involves much more than protecting its physical borders.


If you look at the kinds of attacks we were talking about earlier, where they’re attacking the infrastructure by using malware, that’s coming across a border. Not defending that border puts us at risk. What NATO is saying is what we’ve been saying. The doctrine is changing that we can no longer defend the perimeter and assume we’re fine. We defend the perimeter, but let’s assume that the bad guys have already found a way of getting in. Let’s make sure we have the tools in place to recognize them, to root them out. When we find them, we need to investigate what happened, to stop it from happening, and protect ourselves a little better. We may get hit again, but maybe in a different way. If we keep getting hit the same way, that says something. We don’t want to have that happen. This is evolutionary. What worked today, may not work tomorrow. A risk that doesn’t exist today is going to be an important one tomorrow. Organizations that don’t keep up and fall behind, their risks will increase, whether they like that or not.

SURRAN: As always, Alan, I’ve learned a lot from what you’ve told us. If our viewers could take one thought away from this program, what would you like that to be?

BRILL: Remember you and I have talked for years, and it always comes down to the same thing. The fact that you choose to ignore a cyber risk doesn’t mean that that risk is going to ignore you. You can put your head in the sand, but you can still be hacked. With the techniques that are out there now, that hack can be devastating to your organization. You don’t want to be that next victim. You want to be smart and protect. Get the help that you need to do that. It doesn’t have to be tremendously expensive. It doesn’t have to be the kind of things that make it impossible to do your job. But achieve that level that we talked about, that commercially reasonable level, and you’re going to be doing the right thing for your organization. I think you’re going to feel good about it.
SURRAN: Kroll’s Alan Brill, thanks – as always – for bringing us up-to-date and come back soon.

BRILL: We’ll see you soon, Becky, take care.