Mon, Feb 15, 2021
A new year typically brings a renewed sense of optimism; however, 2021 brings with it promises of unparalleled challenges for board members, as their role in cyber risk oversight and increasing organizational resilience has never been more important. Over the course of 2020, as organizations shifted already overburdened staff to build capacity to support remote working, threat actors aggressively exploited weaknesses exposed in the transition. This shift continues, as evidenced by the fact that ransomware attacks are at an all-time high heading into 2021, surpassing business email compromise for the first time as the attack of choice, and it doesn’t stop there. Sophisticated threat groups lodged deep inside organizational networks have mastered exploiting the trust relationships established across entities in the supply chain.
Unfortunately, even though securing an organization is challenging enough in normal times, the regulatory landscape continues to shift underfoot, adding pressure to already uncertain conditions. Driven by larger and larger breaches, how organizations manage and protect customer data is pushing states to introduce stricter legislation such as the California Privacy Rights Act (CPRA), which strengthens the California Consumer Privacy Act (CCPA). From a U.S. federal perspective, the introduction of the Cybersecurity Maturity Model Certification (CMMC) is forcing hundreds of thousands of suppliers across the defense industrial base to transition from an attestation-based compliance model to an onsite validation of controls by a certified assessor.
As a result, 2021 will require boards to ensure they have the appropriate metrics and intelligence to hyper-focus cyber risk oversight on:
With the adoption of broader remote work, boards need to ensure the closure of security controls that were set aside or exempted so that employees could be connected and productive quickly. New business operating models dictate the establishment of an entirely new set of security monitoring capabilities to identify potentially malicious and unauthorized access and activity. As such, boards must proactively determine whether existing incident response and cyber crisis management capabilities are adequate for the new workforce paradigm. Investments that help improve threat detection and response mobilization must be prioritized.
Effective questions to ask security leadership include:
Boards that have historically treated compliance with a “check-the-box” mentality will find 2021 challenging due to an uptick in regulator actions and consumer-driven litigation to protect sensitive data. Data privacy changes require that organizations take a hard look at consent for data collection and use, in addition to the data being protected.
When it comes to revisiting data governance, effective questions to ask legal and information security leadership include:
With the legislative spotlight shining on data governance, boards should take the opportunity to update a company’s inventory of digital assets, which could also prove valuable during potential M&A activities.
Recent global supply chain attacks place third-party cyber risk management front and center in 2021, and legislation such as CCPA and GDPR make organizations liable for incidents originating in third parties. This forces boards to take a hard look at whether there is necessary visibility to determine the maturity of organizational cyber security and data privacy controls. But how do boards do this?
Effective questions to ask legal and information security leadership include:
When it comes to managing cyber risk, boards must understand the current organizational risk profile, including the company’s risk appetite and risk tolerance. As a part of a robust risk transference strategy, a fundamental question each board must evaluate is the adequacy of cyber insurance. This presumably simple question may lead to some unexpected findings when the risks are carefully considered and requires an accurate cost analysis to determine potential loss from a cyberattack. For example, some cyber insurance underwriters now require stricter cyber security controls be in place before writing or renewing policies. This brings the board full circle as these mandatory controls may require investments in unanticipated areas. When calculating the amount of required coverage, boards must determine the need and cost for external counsel, retainer-based digital forensics, crisis public affairs support, potentially crippling regulatory fees and possible post-incident litigation.
It’s been said that hope is not a strategy. In 2021, some organizations around the world are hoping for a return to some semblance of pre-pandemic operations; however, for many organizations and boards, the new normal will be nothing like the past. The new year promises a complex array of previously unconsidered challenges. The board recommendations noted herein are centered on establishing a deeper understanding of the cyber risk maturity of organizations and their leadership, with the goal of reducing cyber risk and increasing organizational resilience.
This article was originally published in Ethical Boardroom Magazine.