RISK MANAGEMENT

Definition of Cyber Risk Management for Data Security:

Generally, risk management may be defined as actions to measure, control and reduce the probability of an event and its consequence. (See ISO/IEC Guide 73) There are numerous sources for risk identification, standards guidelines and frameworks for management.

Federal Financial Institutions Examination Council Cybersecurity Assessment Tool FFIEC – The FFIEC drafted the Assessment Tool as a framework for financial institutions to have accurate threat information to identify their risks and determine their cybersecurity preparedness over time. The User Guide states,

The Assessment consists of two parts: The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place.  

FCC Cyber Security Planning Guide – This framework was developed by the Federal Communications Commission (FCC) to assist small businesses in developing and maintaining policies for protecting critical business data.  Their tool is designed for small businesses that lack the resources to hire dedicated staff to protect their business, information and customers from cyber threats.  It is written in sections in a workbook format so the participant can proceed from section to section as tasks are completed.

International Organization for Standardization / International Electrotechnical Commission ISO/IEC 27005 Information Security Risk Management, states:

NIST Publication 800-39 for Managing Information Security Risk states:

NIST SP 800-39 provides a structured, yet flexible approach for managing risk. This publication discusses the basic concepts of risk management as four components: framing risk, assessing risk, responding to risk; and monitoring risk over time.

The guide then introduces a three-tiered risk management approach that allows organizations to establish an enterprise-wide risk management strategy as part of a mature governance structure, involving senior leaders and executives, and including a risk executive. The three-tiered approach addresses risk at: the organization level, the mission/business process level; and the information system level.

The four components of the risk management process are discussed in connection with  their applicability across the three tiers of risk management. This approach enables organizations to integrate the risk management process throughout the organization.

The risk of cyberattack is now an unavoidable major factor for individuals, businesses and governments in our interconnected world. The World Economic Forum Global Risk Report for 2018, Top 5 Global Risks in Terms of Likelihood, lists Cyberattacks as the number three risk surpassed only by extreme weather events and natural disasters.  The report states on page 6,

“Cybersecurity risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years … Another growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning.”

Since neither business nor governments can be completely immune to cyberattacks, a comprehensive risk management program should be the paradigm for control and resilience.  Recommendations for a cyber risk management program include:

• Identify the cyberthreats and their specific risks;
• Identify the critical systems, networks, and data essential to business operation;
• Establish management governance to implement cyber risk mitigation programs and technologies;
• Implement an incident response plan to promote cyber resilience;
• Respond appropriately per the legal requirements of a breach.

SEC Cybersecurity Disclosure and Controls Checklist – In February 2018 the U.S. Securities and Exchange Commission (SEC) outlined cybersecurity disclosure requirements for public companies under the various federal securities laws.  The checklist comprises the following categories:

• Risk Factors – Item 503(c) of Regulation S-K and Item 3D of Form 20-F require companies to disclose the most significant risk factors for investment in their company securities.
• Financial condition and result of operations – Item 303 of Regulation S-K and Item 5 of Form 20-F require a company to discuss its financial condition, changes in financial condition, and results of operations.
• Description of Business – Item 101 of Regulation S-K and Item 4.B of Form 20-F require companies to discuss their products, services, relationships with customers and suppliers, and competitive conditions.
• Legal Proceedings – Item 103 of Regulation S-K requires companies to disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party.
• Financial Statement Disclosures – information about the magnitude of the financial impacts of any cybersecurity incident should be incorporated into its financial statements.
• Board Risk Oversight – Item 407(h) of Regulation S-K and Item 7 of Schedule 14A require a company to disclose the extent of its board of directors role in the risk oversight of the company.
• Disclosure Controls or Procedures – company must have disclosure controls and procedures in place to enable senior management to make decisions about cybersecurity risks and incidents.
• Certifications – Exchange Act Rules 13a-14 and 15d-14 require a executives to make certifications regarding the design and effectiveness of disclosure controls and procedures, and Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F require companies to disclose conclusions on the effectiveness of these controls.

Risk Assessment In Practice:

To generate an accurate risk assessment, the program must address the company assets subject to attack, the types of threats, the vulnerabilities of processes and systems, and impact of a successful cyberattack. These issues should be addressed in an overall Incident Response Plan.