
More talk about cybersecurity risk

September 9, 2022

People continue to talk about cybersecurity and risk, but not always in a way that I think makes a lot of sense. Here’s a sample.

The IIA

The IIA finds a disparity between the level of risk internal auditors assign to cyber and the percentage of their audit plan allocated to addressing it. Just this week, their online newsletter, The Standard, advertised an upcoming conference:

Strengthen Your Cyber Risk Plan

Cybersecurity continues to be a pervasive challenge, with 85% of audit leaders in the recent 2022 Pulse of Internal Audit survey ranking it high or very high risk in their organizations. Yet it only covers 11% of audit plans. How are you managing cyber risks in your plan? We have practical implementation tools for you at our Cybersecurity Virtual Conference on October 27.

Register today.

This is nonsense. Dedicating 11% of all internal audit resources to a single source of business risk (especially when so much of the plan is consumed by SOX) means that CAEs are taking it very seriously indeed! In fact, cyber may well have more audit resources allocated to it than any other single source of business risk.

I’m not saying that the conference won’t be of value. I don’t know. I am saying that the conclusion drawn in the marketing and the Pulse report is misleading.

PCAOB

The PCAOB Staff recently issued an edition of Spotlight, Audit Committee Resource. It contains some useful points about the external auditor’s assessment of fraud risk (as it relates to the possibility of material misstatements of the financials). But it also suggests that the Audit Committee ask these three questions of the external auditor:

  • What is the auditor’s view on management’s cybersecurity risk assessment approach, overall cyber assessment, and conclusions?
  • Did the auditor identify and assess cybersecurity risks and evaluate potential cyber breaches within the company’s operations, which may have an effect on financial reporting? If so, what were the results of the auditor’s procedures?
  • Has the auditor changed its overall approach to addressing cybersecurity risks as a result of increased cyber threats to corporations and government agencies from external sources?

The likelihood that a breach would result in a material error in the financial statements filed with the SEC is (in almost every case) slight. Hackers don’t break in to manipulate the financials. So why should the external auditor be concerned?

By all means they should perform a risk assessment for SOX (I like using the IIA’s GAIT Methodology), but the real risk from a breach is to operations, not to financial reporting.

If I were on the Audit Committee, I would want the external auditor to focus on the real sources of risk to the financial statements rather than waste their time and my money.

There are better ways to spend money, such as on cyber defenses, than on encouraging the external auditor to believe that cyber is an area of risk to the financial statements – or pretending that they have the competence to assess how management assesses the business risk from cyber breaches.

Deloitte

Writing last month in the Wall Street Journal, Deloitte had better advice on cyber for boards, starting with a good summary of the SEC’s cybersecurity proposal:

A cybersecurity proposal by the Securities and Exchange Commission (SEC) in March has sparked increased discussions about cyber risk in corporate boardrooms. Boards at many companies are asking what measures they should consider taking to help improve governance and risk management ahead of the new SEC rules.

The proposed rules aim to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. The SEC received nearly 150 comment letters on the proposal and is expected to issue final requirements later this year. If adopted as proposed, the new rules would require prompt reporting of material cybersecurity incidents and disclosures in periodic filings focused on:

  • Policies and procedures to identify and manage cybersecurity risks
  • Management’s role in implementing cybersecurity policies and procedures
  • Corporate directors’ cybersecurity expertise, if any, and the board’s oversight of cybersecurity risk
  • Updates about previously reported material cybersecurity incidents

Even before the proposal was issued, oversight of cybersecurity risk had become an increasing area of focus for boards. A survey by Deloitte and the Center for Audit Quality of 246 audit committee members published in January found that two-thirds of participants with oversight responsibility for cybersecurity expected to spend more time on the topic in the coming year. In addition, 62% identified cybersecurity as one of the company’s top risks to focus on in 2022.

Intelligently, they did not mention financial reporting in their list of risks and threats:

The list of threats includes theft of information, disruption of functions, ransomware demands, destruction of hardware and software, and corruption of data.

The financial risks that can stem from loss of confidentiality, integrity, critical business processes, and information assets can be substantial. In addition to direct costs, operational impacts such as an inability to produce goods and services, system downtime, missed opportunities, and an outsize focus on incident or breach management impacts can be significant. A company’s brand, one of its greatest assets, can be damaged significantly from the loss of customer trust that can occur with cyber incidents.

They also make sense here:

Boards can consider several measures to promote an increased focus, beginning with a cyber risk assessment by business area that includes the company’s readiness for a cyber incident, the response plan, and the recovery plan. Evaluation of the organization’s cyber incident response plan is also critical at the board level, with a focus on the controls surrounding business functions and what steps will be taken in the event of an incident. The board can also set an expectation that the incident response plan has been practiced through scenario planning or wargaming exercises to improve the company’s ability to respond and recover in the event of an attack. The teams for such a review should include senior management from each line of business and corporate function.

McKinsey & Company

Also in August, the consulting firm McKinsey shared Creating a technology risk and cyber risk appetite framework.

They start with:

When it comes to technology risk and cyber risk, financial institutions are increasingly shifting toward a risk-based approach to determine their priorities for controls. Those controls should be based on their current security capabilities, the likelihood of threats, and the impact of any potential cyber breach. However, the question remains: can organizations really make strategic, objective decisions about which controls they should and should not implement, given their appetite for technology risk and cyber risk?

Their reference to a “risk-based approach” takes you to their 2019 publication, The risk-based approach to cybersecurity.

The 2022 piece asserts (my emphasis):

Risk-based management measures risk against an organization’s risk appetite to determine where further technology and cyber controls are needed. The goal is to reduce the remaining technology and cyber risks to a point the business can tolerate. To succeed, it must have clear, measurable statements on its technology risk and cyber risk appetite, defined in business terms, with clear ownership.

However much I dislike the idea of an enterprise having a single risk appetite (amount of risk), I agree that risk limits (or criteria) are useful when it comes to specific sources of business risk.

The key part of the McKinsey quote is that any criteria are “defined in business terms, with clear ownership”. They explain (my emphasis):

Many organizations find that they already have components of an optimal risk appetite framework (such as thresholds for key risk indicators) or overarching, enterprise-wide statements that present the overall appetite for risk as high, medium, or low. These organizations, however, struggle to measure their risk appetite against real-world business events and to agree on risk appetite–based thresholds for metrics.

For example, it is easy for organizations to say that they have a low appetite for cyber risk. But debate begins when they ask what constitutes such a low appetite in terms of control implementation and when the first and second lines of defense ask whether residual risk falls within or outside of that overall appetite. To manage technology risk and cyber risk effectively, organizations must lay out an objective risk appetite framework that supports business decisions on risk and uses objective metrics and reporting to achieve alignment with the risk appetite.

In other words, they point out that calling the risk appetite “low” means nothing when it comes to decision-making.

McKinsey clarifies with (my emphasis):

An organization’s risk appetite should be measurable and aligned with business objectives. The business should set the risk appetite together with the technology teams, basing it on how much technology and data impact they would accept to achieve business objectives. Those technology teams should ask the business questions, such as how many minutes of unplanned downtime it is willing to accept for a specific business service, how much sensitive data it would accept losing to achieve its objectives, and what combination of cyber investment, cyber control, and business enablement it needs to manage cyber risk during day-to-day operations. These insights should determine the organization’s risk appetite and the associated control objectives.

Interpreting again, the level of potential service interruption that would be considered acceptable (remembering that there is a range of potential levels, each with its own likelihood) is determined by how it might affect the achievement of business objectives.

The 2019 piece has some important statements, including (my highlights):

  • First, our perspective is that cyberrisk is “only” another kind of operational risk. That is, cyberrisk refers to the potential for business losses of all kinds—financial, reputational, operational, productivity related, and regulatory related—in the digital domain. Cyberrisk can also cause losses in the physical domain, such as damage to operational equipment. But it is important to stress that cyberrisk is a form of business risk.
  • Decisions about how best to reduce cyberrisk can be contentious. Taking into account the overall context in which the enterprise operates, leaders must decide which efforts to prioritize: Which projects could most reduce enterprise risk? What methodology should be used that will make clear to enterprise stakeholders (especially in IT) that those priorities will have the greatest risk reducing impact for the enterprise? That clarity is crucial in organizing and executing those cyber projects in a focused way.

Yes. Cyber should not be risk-assessed based on the threat to information assets, but on threats to the achievement of enterprise objectives!

Organizations succeed by achieving their objectives, not by simply avoiding harms – even harms to information assets!

Consider this statement by McKinsey:

If the objective is to reduce enterprise risk, then the efforts with the best return on investment in risk reduction should draw the most resources. This approach holds true across the full control landscape, not only for monitoring but also for privileged-access management, data-loss prevention, and so forth. All of these capabilities reduce risk somewhat and somehow, but most companies are unable to determine exactly how and by how much.

I don’t think McKinsey goes nearly far enough.

Let’s upgrade that last statement in two steps. First (with changes highlighted):

If the objective is to reduce enterprise risk, then the efforts with the best return on investment in risk reduction should draw the most resources. This approach holds true across the full control landscape, not only for monitoring but also for risks related to privileged-access management, data-loss prevention, safety, compliance, change control, supply chain, government actions, competitors, customer satisfaction, reputation, credit, cash flow, exchange rates, and so forth. All of these capabilities reduce risk somewhat and somehow, but most companies are unable to determine exactly how and by how much.

In other words, how should management and the board allocate scarce resources between all the various sources of risk to enterprise objectives?

Far too few assess cybersecurity risk and investment decisions in this way.
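To make that allocation concrete, here is an added worked example; it is not code from this post, from McKinsey, or from any of the firms quoted above. It takes McKinsey’s point that the appetite must be measurable in business terms (a cap on expected annual loss and a cap on the chance of any single large loss) together with the point just made, that every source of risk to an objective competes for the same budget, and ranks candidate controls, cyber and non-cyber alike, by expected loss avoided per dollar. Each scenario carries a range of impact levels, each with its own likelihood, as noted earlier. Every scenario, likelihood, loss figure, control name, cost and effect is constructed for illustration and is an assumption, not data from the post.

```python
"""Risk-based allocation of a control budget against a measurable appetite.

Added worked example; not code from the post or from McKinsey. Every
scenario, likelihood, loss figure, control cost and control effect below
is constructed for illustration (assumed, not sourced).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One source of risk to an objective. outcomes is the range of impact
    levels, each with its own likelihood given the event: (loss $, P(loss | event))."""
    name: str
    annual_likelihood: float
    outcomes: Tuple[Tuple[float, float], ...]


@dataclass(frozen=True)
class Control:
    """A candidate investment. Factors scale a scenario's likelihood or impact
    (1.0 = no effect); one control may act on several scenarios."""
    name: str
    annual_cost: float
    likelihood_factor: Dict[str, float] = field(default_factory=dict)
    impact_factor: Dict[str, float] = field(default_factory=dict)


def expected_annual_loss(scenarios: List[Scenario]) -> float:
    return sum(s.annual_likelihood * sum(loss * p for loss, p in s.outcomes)
               for s in scenarios)


def prob_any_loss_over(scenarios: List[Scenario], threshold: float) -> float:
    """P(at least one event this year loses more than threshold); scenarios independent."""
    p_none = 1.0
    for s in scenarios:
        p_exceed = s.annual_likelihood * sum(p for loss, p in s.outcomes if loss > threshold)
        p_none *= 1.0 - p_exceed
    return 1.0 - p_none


def apply_control(scenarios: List[Scenario], c: Control) -> List[Scenario]:
    """Residual scenarios after funding control c."""
    return [Scenario(s.name,
                     s.annual_likelihood * c.likelihood_factor.get(s.name, 1.0),
                     tuple((loss * c.impact_factor.get(s.name, 1.0), p) for loss, p in s.outcomes))
            for s in scenarios]


def within_appetite(scenarios: List[Scenario], appetite: dict) -> bool:
    """Appetite stated in business terms: cap on expected annual loss and cap on
    the probability of any single loss above a stated size."""
    threshold, max_p = appetite["max_prob_of_loss_over"]
    return (expected_annual_loss(scenarios) <= appetite["max_expected_annual_loss"]
            and prob_any_loss_over(scenarios, threshold) <= max_p)


def reduction_per_dollar(scenarios: List[Scenario], c: Control) -> float:
    before = expected_annual_loss(scenarios)
    after = expected_annual_loss(apply_control(scenarios, c))
    return (before - after) / c.annual_cost


def rank_controls(scenarios, controls) -> List[Tuple[str, float]]:
    ranked = [(c.name, reduction_per_dollar(scenarios, c)) for c in controls]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def allocate(scenarios, controls, budget) -> Tuple[List[str], List[Scenario]]:
    """Greedy: fund the affordable control with the best marginal return, re-evaluated
    against the residual risk after each pick so that two controls acting on the
    same scenario are not double-counted."""
    residual, chosen, remaining, pool = list(scenarios), [], budget, list(controls)
    while True:
        affordable = [c for c in pool
                      if c.annual_cost <= remaining and reduction_per_dollar(residual, c) > 0]
        if not affordable:
            return chosen, residual
        best = max(affordable, key=lambda c: reduction_per_dollar(residual, c))
        chosen.append(best.name)
        remaining -= best.annual_cost
        residual = apply_control(residual, best)
        pool.remove(best)


# Constructed inputs (assumptions; cyber and non-cyber sources of risk side by side).
SCENARIOS = [
    Scenario("ransomware outage of order system", 0.20,
             ((500_000, 0.6), (3_000_000, 0.3), (15_000_000, 0.1))),
    Scenario("customer data theft", 0.10, ((1_000_000, 0.7), (8_000_000, 0.3))),
    Scenario("single-source supplier failure", 0.15, ((2_000_000, 0.8), (12_000_000, 0.2))),
    Scenario("product launch slips for lack of a key hire", 0.30, ((1_500_000, 1.0),)),
]
CONTROLS = [
    Control("immutable backups and tested restore", 250_000,
            impact_factor={"ransomware outage of order system": 0.3}),
    Control("privileged-access management", 400_000,
            likelihood_factor={"ransomware outage of order system": 0.5,
                               "customer data theft": 0.5}),
    Control("data-loss prevention", 350_000, impact_factor={"customer data theft": 0.6}),
    Control("qualify a second-source supplier", 300_000,
            likelihood_factor={"single-source supplier failure": 0.2}),
    Control("retained search for key roles", 100_000,
            likelihood_factor={"product launch slips for lack of a key hire": 0.5}),
]
APPETITE = {"max_expected_annual_loss": 1_500_000, "max_prob_of_loss_over": (10_000_000, 0.04)}
BUDGET = 700_000

if __name__ == "__main__":
    print(f"Inherent expected annual loss ${expected_annual_loss(SCENARIOS):,.0f}; "
          f"within appetite: {within_appetite(SCENARIOS, APPETITE)}")
    for name, rpd in rank_controls(SCENARIOS, CONTROLS):
        print(f"  {rpd:5.2f} expected loss avoided per dollar: {name}")
    chosen, residual = allocate(SCENARIOS, CONTROLS, BUDGET)
    print(f"Fund {chosen}; residual ${expected_annual_loss(residual):,.0f}; "
          f"within appetite: {within_appetite(residual, APPETITE)}")
```

With these constructed figures the two best returns per dollar are the non-cyber controls (the retained search and the second-source supplier), the backup control comes third, and privileged-access management and DLP do not make the cut within the budget; the residual risk after funding the top three lands inside both appetite limits. The ranking is only as good as the loss figures and control effects behind it, which is exactly the part McKinsey says most companies cannot yet state.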

Let’s take it to the next level by modifying the objective as well.

If the objective is to achieve enterprise objectives, taking the right level of the right risks and opportunities, then the efforts with the best return on investment in risk reduction should draw the most resources. This approach holds true across the full control landscape, not only for monitoring but also for risks and opportunities related to the timely introduction of new products and services, the completion of major systems projects and upgrades, the hiring of new personnel, the initiation of marketing initiatives, the acquisition of other organizations, obtaining new customers, privileged-access management, data-loss prevention, safety, compliance, change control, supply chain, government actions, competitors, customer satisfaction, reputation, credit, cash flow, exchange rates, and so forth. All of these capabilities can increase the likelihood of achieving objectives somewhat and somehow, but most companies are unable to determine exactly how and by how much.

Boards and executives are in the business of running the entire business, not just technology and not just protecting the organization from the consequences of a cybersecurity breach.

The sooner everybody remembers that, including InfoSec practitioners, the sooner those organizations will start taking the right level of the right cybersecurity (and other) risks.

I welcome your thoughts.
