Crisis Severity

Genuinely Understanding What’s Happening

The severity and pressing-nature of the threat is grossly underestimated by many people. Indicating the true nature of the threat, Dr. Jerome Powell, Chairman of the Federal Reserve, in 2021 publicly stated that he was not so much concerned with another systemic breakdown of the financial system such as what happened in 2008. Instead, what he is most concerned about is “cyber risk.” In a presentation to the Economic Club in Washington, D.C., Powell indicated that “cyber is the new frontier.” But how is it that your firm can get a handle on the nature of the threat, and the severity of this cyber risk?

The true nature of the cyber risk is networked, multi-factorial, multi-organizational, and cascading. Far too much effort is focused on finding and remediating single-point technical vulnerabilities, when a broader and more integrated view is urgently needed. The rapid rate with which things can come cascading down is evidenced by the crypto-firm FTX. Within two days in 2022, a firm that was valued at $32 billion was in bankruptcy. Many of the contributing factors behind this FTX debacle were information-security and -privacy related. For example, encryption keys were shared on group email accounts, system access controls were lacking, information security staff were in adequately trained, and internal auditing staff were missing. There were many corporate governance mechanisms, such as a functioning board of directors, that were also missing. So then, how do firms come to terms with this networked, multi-factorial, multi-organizational, and cascading cyber risk? They start by closely paying attention to, and recording, what’s happening internally. Many other services (such as third-party search for stolen property in the “dark web”) can be added to paint a revealing real-time picture of the current risk.

Your firm can start this internal recording process by paying close attention to the loss history -- both within their own organization, and outside their organization -- in order to get a sense for what is actually happening in the fast-changing information security and privacy field. Loss history data points of note should include not just the security and privacy breaches reported, but also:

• internal accounting frauds suffered

• related insurance claims filed

• security vulnerability reports received

• staff grievances about security and privacy submitted

• third party reported vulnerabilities not addressed

• shareholder lawsuits filed

• budget overruns occasioned by security or privacy problems

• lost staff days due to system downtime

• lost business deals caused by inadequate intellectual property controls

• government regulator interventions triggered

• adverse external audit reports received

The Need for Management Intervention

Far too many organizations delegate the information security and privacy area to technical staff, and leave it at that. This hands-off delegation isn't working very well. For example, PWC released a 2017 report entitled the Global State of Information Security. That report noted that only 44% of Boards actively participate in the management of their companies overall security strategy. What's often missing is a top-down strategy to manage information security and privacy. Technically, this process involves many aspects of corporate governance, including a risk management system, such as is described in various international standards such as ISO 27001 (from the International Standards Organization) and COBIT5 (from the Information Systems Audit and Control Association). To see where a particular organization stands, with respect to the involvement of the Directors & Officers, one important step that organizations can undertake is to conduct a “Duties Audit(TM).” That process, which is described more fully at https://www.dutiesaudit.com, provides a third-party attorney’s professional opinion as to whether the Directors & Officers are currently in compliance with the minimum required by laws and regulations, but only within the domain of information security and privacy.