
CISOs: Make 2020 the year you tackle third-party cyber risk challenges



With an increase in very public security breaches and increasingly common business disruptions due to ransomware, boards are paying more attention to cybersecurity. They recognize it as a huge risk to enterprises and are forming dedicated committees that focus on cybersecurity matters, often led by a board member with security experience (such as a former chief information security officer [CISO]) or a third-party consultant.




CISOs: Make 2020 the year you focus on third-party cyber risk



The global supply chain is also top-of-mind for CISOs, as many have been forced to expand their security perimeter outside of the security organization and IT. This focus makes sense given the 650% increase in supply-chain attacks from 2020 to 2021.


The information and cyber risk challenges CISOs will face in 2022 are manifold. Besides dealing with an ever-increasing number of attacks, special focus needs to be given to the detection of cyber-attacks, which will be even more sophisticated than those seen in the past, and to the cyber risks associated with business partners and third parties. Regulatory pressure for proper cyber risk management will also increase, with the aim of making financial services organisations more resilient against cyber threats.


Over the past three years, cybersecurity has continued to grow as a priority. Financial firms keep allocating more resources, increasing board involvement, and making investments that are more aligned to IT and business priorities. The report also identifies several key cyber risk management trends at large financial institutions, as well as future implications that may be relevant to firms of all sizes in the wake of COVID-19.


Technology is a part of everything that financial institutions do, but adopting new technologies across businesses comes with increased cyber risks. It is therefore likely no surprise that respondents ranked rapid IT changes and rising complexities as the No. 1 challenge in managing cybersecurity (figure 5) for the last three years, while the second biggest challenge was the unavailability of skilled cyber professionals to help secure systems in such a rapidly evolving IT environment.


Finally, companies should work on ensuring that boards and management committees place cybersecurity high on their agendas. As noted earlier, having an engaged board can help the entire organization focus on the challenge of managing cyber risk while assuring that adequate resources are allocated. And board oversight should be ongoing, rather than only at the initial stages or when there is a cyber incident.




Cyber attacks are up: There were on average 270 attacks per company over the year, a 31% increase over 2020. Third-party risk continues to dominate: successful breaches to the organization through the supply chain have increased from 44% to 61%.


For the third consecutive year, EY researchers have analyzed cybersecurity-related disclosures in the proxy statements and Form 10-K filings of Fortune 100 companies to identify emerging trends and developments and help companies identify opportunities for enhanced communication. We looked at 76 Fortune 100 companies that filed those documents from 2018 through May 31, 2020. We focused on the areas of cybersecurity board oversight (including board-level committee oversight and director qualifications), statements on cybersecurity and data privacy risks, and risk management (including cybersecurity risk mitigation and response efforts and engagement with external security consultants). We also examined the current regulatory and US public policy landscape as it relates to cybersecurity, as well as perspectives from investors, directors and EY cybersecurity professionals.


More boards are assigning cybersecurity oversight responsibilities to a committee. Eighty-seven percent of companies this year have charged at least one board-level committee with cybersecurity oversight, up from 82% last year and 74% in 2018. Audit committees remain the primary choice for those responsibilities. This year 67% of boards assigned cybersecurity oversight to the audit committee, up from 62% in 2019 and 59% in 2018. Last year we observed a significant increase in boards assigning cybersecurity oversight to non-audit committees, most often risk or technology committees (28% in 2019, up from 20% in 2018), but that percentage dropped this year (26% in 2020). A minority of boards, 7% overall, assigned cyber responsibilities to both the audit and a non-audit committee.


The percentage of companies discussing cybersecurity in the context of director qualifications has increased significantly in recent years. In 2020, 58% of companies included cybersecurity as an area of expertise sought on the board or cited in a director biography, up from 51% last year and 39% in 2018. However, a few companies explicitly cited cybersecurity experience in certain director biographies one year but not the other. The disclosures indicate that companies are paying more attention to noting director experience or expertise in cyber.


Nearly all (99%) companies we reviewed addressed data privacy in the risk factor disclosures included in their 2020 and 2019 10-K filings, compared with 93% in 2018. The degree of explicit focus on data privacy as a material risk varied widely. Around a quarter (24%) focused on data privacy as a stand-alone risk factor, often noting increasingly complex and changing data privacy regulations that create high financial and legal exposure in addition to the reputational and operational risks involved.


While the percentage of companies disclosing that they performed cyber-incident simulations or tabletop exercises more than doubled from 3% last year to 7% in 2020, the number of companies making this disclosure remains low. Of the handful of companies communicating that simulations, drills or tabletop exercises were conducted at the management level, none disclosed whether the board was involved in these exercises.


Disclosures around material cybersecurity incidents are steadily rising but remain low at 13%, up from 12% in 2019 and 7% in 2018. In 2020, 10 companies disclosed cyber incidents, with each company disclosing a single incident. Only one of those events had occurred in the past year, with the rest as far back as 2006. Around a third of the disclosed data breaches related to cyber attacks of third-party service providers. The depth of the disclosures varied, often based on how recent the event was. Disclosures ranged from stating the occurrence of an incident and related broad implications to providing a more in-depth account, including the number of account holders affected, the nature of the data and remedial steps taken to fix the security vulnerability.


Policymakers in Washington continue to grapple with how to address rising and evolving cyber threats. While a legislative solution is unlikely in 2020, it remains a key concern and focus for Congress and the administration.


No. The Department emphasizes the importance of a thorough due diligence process in evaluating the cybersecurity practices of a Third Party Service Provider. Solely relying on the Certification of Compliance will not be adequate due diligence. Covered Entities must assess the risks each Third Party Service Provider poses to their data and systems and effectively address those risks. The Department has provided a two-year transitional period to address these risks and expects Covered Entities to have completed a thorough due diligence process on all Third Party Service Providers by March 1, 2019.


CISO Africa 2020 delves into why IT and data security have greater value than a merely defensive mechanism. Designed as a peer-led conference for information security, fraud and risk professionals, the CISO Africa 2020 conference will showcase pragmatic case studies and provide high-level interactive discussions on the latest approaches and tactics that not only allay the bombardment of cyber-attacks but also deliver and interpret business value.


When creating your presentation, you should only include relevant information and focus on being concise with your explanations. Succinctly presenting cybersecurity performance makes it easier for board members to absorb the information that you are sharing with them. Using KPI data is recommended as it provides context into cybersecurity programs that can be used by the board when assigning a budget for cybersecurity.


Instead of giving long explanations with technical details, you can provide at-a-glance visibility into your continuous cybersecurity monitoring. Consistent ratings across all factors and a brief explanation of how those translate to business imperatives, such as financial or reputation risk, can give your Board the information necessary to make strategic decisions.


Senior security leaders are under continuous pressure to protect their organizations from threats. Our 2021 Leadership Perspective Survey data suggests that CISOs are also focused on how to communicate risks with their boards and peers. The data also shows where CISOs have shared goals and challenges across the C-suite, leading to opportunities for collaboration and networking. The overwhelming challenges of 2020 led to numerous productive discussions in which Evanta communities hosted 204 virtual events for 7,600 CISOs.


In early 2020 before the pandemic, all things related to the cloud, including system migration, architecture, strategy, data, and security were still the number one priority for CISOs. Controlling user access and communicating about risk rounded out their top priorities early last year.


Adam Bixler, global head of third-party cyber risk management at BlueVoyant, says that threat actors use the weakest touchpoint to gain access to their target and, often, it is the weakest link in a third-party supply chain that threat actors focus on to navigate upstream to the intended company.

