
EUROPEAN AUDIT COMMITTEE LEADERSHIP NETWORK

ViewPoints
Issue 34: 16 January 2013

TAPESTRY NETWORKS, INC WWW.TAPESTRYNETWORKS.COM +1 781 290 2270

Cybersecurity and the board


On 30 November 2012, members of the European Audit Committee Leadership Network (EACLN) met in Madrid for their 18th stand-alone meeting. In one session, Mark Hughes, managing director at BT Security, joined members for a discussion of cybersecurity risks and how boards and companies can respond.[1] For a short biography of Mr Hughes, see Appendix 1, on page 10.

This document summarizes the key points that Mr Hughes and members raised in the discussion, along with background information and perspectives that members shared before the meeting.[2] For further information about the network, see About this document, on page 9. For a list of participants, see Appendix 2, on page 11.

Executive summary

The security risks associated with cyberspace have evolved in tandem with the benefits as the Internet has become an increasingly important infrastructure for communication and commerce. While business leaders have been aware of these risks for some time, and EACLN members have touched on them in past meetings,[3] the issue of cybersecurity has grown in urgency in recent years. Mr Hughes and EACLN members stressed three main points:

Companies face a range of threats from cyberspace (Page 2)
Mr Hughes explained that the confidentiality, integrity and availability of sensitive information are all at risk from cyberattacks and that today's adversaries are even capable of targeting physical assets, such as laptops, electric generators or reservoirs. Adversaries include national governments, criminal groups and hacker activists (hacktivists), who use a variety of techniques to pursue objectives such as stealing competitive intelligence and intellectual property, siphoning off money or disrupting operations. Mr Hughes and EACLN members touched on numerous examples, highlighting the gravity of the risks.

In-depth defense is essential (Page 4)
The discussion underscored the importance of incorporating cybersecurity into the company's enterprise risk management (ERM) framework and processes to identify the risks, assess their impact and calibrate the appropriate mitigation. Members reiterated a key point made by many experts: assume that attackers will breach company networks, even if perimeter defenses are robust. Companies should establish comprehensive, in-depth defenses that include prioritizing protection of the most critical information and implementing real-time monitoring to detect and respond to intrusions, along with a host of other measures to prevent the company from being an easy target. At the same time, cybersecurity measures must be balanced against other company objectives, such as productivity or collaboration across business boundaries.

[1] In another session members discussed Strategy, risk appetite and the board. See European Audit Committee Leadership Network, Strategy, risk appetite and the board, ViewPoints, 16 January 2013.
[2] ViewPoints reflects the network's use of a modified version of the Chatham House Rule, whereby names of members and guests and their company affiliations are a matter of public record, but comments made before and during meetings are not attributed to individuals or corporations. Member and guest quotes appear in italics.
[3] See, for example, European Audit Committee Leadership Network, The Challenge of Overseeing IT Risks and Governance, ViewPoints, 3 December 2010.


Boards should focus more on cybersecurity (Page 6)
EACLN members and Mr Hughes agreed that boards must be more engaged on cybersecurity, echoing the findings of recent surveys that boards are only beginning to address the problem. Boards should treat cybersecurity risks like other important risks. As with other risks that are particularly complex and that evolve quickly, members suggested that boards should seek input from internal and external experts. Mr Hughes offered guidance on what audit committee chairs (or other board members) can ask management about the threats faced by the company and the measures used to counter them. For a list of discussion questions for audit committees, see Appendix 3, on page 12.

Companies face a range of threats from cyberspace

As the opportunities afforded by the Internet have grown, so too have the security risks. Mr Hughes pointed out that the Internet can amplify the power of various actors in a way that has both positive and negative consequences: "The Internet is an opportunity for small enterprises like Facebook and Google to have a large reach and impact. That is the asymmetrical opportunity of the Internet. But this also creates an asymmetrical impact for threats. People, if they know enough, can do a lot of damage."
Major security breaches at prominent companies and warnings from cybersecurity experts have brought the issue to the foreground in recent years. In a speech delivered in June 2012, Jonathan Evans, director general of the Security Service (MI5) in the United Kingdom, said of the risks from cyberspace: "This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions. What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations."[4]

Physical assets as well as information assets are vulnerable

Mr Hughes elaborated on Mr Evans's remarks, explaining the three critical characteristics of information that are in jeopardy from cyberattackers:

- Confidentiality. Attackers can find and exploit sensitive information, such as personal information about employees or customers, or company information about products, research or strategies.
- Integrity. Attackers can manipulate information so that it is no longer accurate and trustworthy. Software code can also be altered, changing the behavior of critical applications.
- Availability. Attackers can destroy information or disrupt access to it. They can delete data in databases or simply bring down a server with a denial-of-service attack.

The impact of such attacks can be devastating. In his June speech, Mr Evans pointed to a specific example: "One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of [a] hostile state cyber attack, not just through intellectual property loss but also from commercial disadvantage in contractual negotiations."[5]

[4] Jonathan Evans, Address at the Lord Mayor's Annual Defence and Security Lecture (Mansion House, City of London, 25 June 2012).
[5] Ibid.


Attacks on information assets can have an indirect impact on physical assets, but experts stress that a cyberattack can also target physical assets more directly. Attackers may penetrate industrial control processes and manipulate them to damage machines or systems, including critical infrastructures. A member described the conclusion drawn from a test of a potential attack: "An electrical generator can be remotely accessed and its parameters altered so that it is irreparably damaged. Look at [Hurricane] Sandy and imagine a major metropolitan area with no power and no prospect of power." Mr Hughes mentioned the Stuxnet worm that was used to attack Iran's nuclear centrifuges and the case of a valve in a reservoir being controlled remotely. He underscored the reality of the threat: "It's not hype."

Adversaries have a variety of motives and means

Mr Hughes and EACLN members discussed the different types of attackers companies, governments and other organizations face:

- National governments. Experts such as Mr Hughes and Mr Evans argue that the military and intelligence agencies of sovereign states are among the most dangerous threats in cyberspace.[6] Sovereign states have enormous resources in terms of personnel and tools, and they can have multiple motives for launching attacks against the private sector as well as government agencies. These motives include a desire to obtain military secrets from other countries or intellectual property from foreign companies to benefit their own companies. Mr Hughes mentioned several countries in particular that are thought to be frequent sources of government or government-sponsored attacks. Attackers from China, for example, are focused on stealing intellectual property, using sophisticated approaches that are hard to trace back to the source. Iran is a sophisticated emerging threat that often targets the availability of services. Western countries are also sources of attacks: the United States and Israel are thought to be responsible for the release of Stuxnet, the malware that targeted Iran's nuclear facilities.[7] Mr Hughes noted that the threat could come from any country: "Everyone is active against everyone, as far as I can see." A member also noted that assigning attribution to a country can be difficult: "They say it's China, but China is a big place. Who funds it? Is it students, the government or hacktivists?"
- Criminals. Criminals in cyberspace perpetrate a variety of crimes, such as siphoning off money from bank accounts or stealing sensitive information to abet the commission of fraud, extortion and other crimes. This information can include customer payment data or passwords, for example. In recent years, companies such as LinkedIn and Yahoo have experienced the theft of payment data and passwords for millions of customers.[8] Earlier this year, a wave of cyberattacks in Europe and beyond targeted both consumer and business bank accounts, resulting in the loss of at least €60 million.[9] More recently, hackers stole over €36 million from 30 banks in Germany, Italy, Spain and the Netherlands.[10] The loss of certain kinds of information can have cascading effects for other companies. In 2011, RSA, which supplies security tokens for access control, suffered a data breach that compromised the tokens.
[6] See also James Lewis, Rethinking Cybersecurity: A Comprehensive Approach (speech at the Sasakawa Peace Foundation, Tokyo, 12 September 2011).
[7] Ellen Nakashima and Joby Warrick, Stuxnet Was Work of U.S. and Israeli Experts, Officials Say, Washington Post, 1 June 2012.
[8] Joe Mont, The Push for New Cyber-Threat Disclosure Requirements, Compliance Week, 7 August 2012.
[9] Nikolaj Nielsen, Cyber Criminals Steal Millions from EU Banks, EU Observer, 27 June 2012.
[10] Bede McCarthy, Hackers Net €36m in Europe Banking Attack, Financial Times, 5 December 2012.


Subsequently, several large customers of RSA experienced intrusions that may have been linked to the compromised tokens.[11]

- Hacktivists. Cyberspace has become an arena for activists pursuing agendas relating to the environment, human rights, economic justice and other causes. Hacktivists may use cyberattacks to disrupt company operations, deface websites or steal and expose sensitive information. The most recent edition of Verizon's Data Breach Investigations Report, released in March 2012, found that hacktivist groups were responsible for 58% of the data stolen in 2011. This information was less sensitive, however, than the information taken by criminals, consisting of names, user names and email addresses rather than credit card information or passwords.[12] Hacktivists can nonetheless have enormous impact. Mr Hughes cited the example of Sony, which shut down its online PlayStation Network when it realized it had been hacked. The ripples of damage continued to radiate for more than a month, reportedly costing the company $171 million to remediate.[13]

Cyberattackers use a range of tools and techniques. Many of them are technically advanced, such as cleverly crafted malicious software (malware) or sophisticated methods for breaking encryption or breaching firewalls. But attackers also use simple approaches, such as tricking people into revealing passwords or other information (a method known as social engineering) or even rummaging through rubbish bins (dumpster diving). Both experts and EACLN members mentioned a particularly alarming technique: recruiting or planting insiders, such as employees or contractors, in order to use their privileged access in planning and launching attacks. One audit chair said, "We had employees paid by states to infiltrate our company and alter our code." A well-planned attack may use a combination of approaches. The term advanced persistent threat (APT) has emerged in recent years to describe long-term attacks focused on specific targets and using the full range of methods, including highly sophisticated ones.[14] Evolving information technologies and the ever-changing ways in which they are used constantly present hackers with new opportunities. The scale of the problem is undeniable, yet the reluctance of companies to report incidents suggests that it may be even bigger than the available data suggest. As Mr Hughes noted, "We have lots of headline scare stories, but not a lot to go on. The insurance industry is struggling to develop products as there is so little data available."
In-depth defense is essential

Like cyberattackers, companies seeking to defend themselves against attack have an array of tools and techniques at their disposal. The arms race between attackers and their targets has produced increasingly sophisticated software and hardware for detecting malware and network intrusions, encrypting data and controlling access to systems. These tools are complemented by specific policies and practices for employees to follow, along with training programs to propagate those policies across the organization. There are also tools and policies for addressing the special vulnerabilities that technologies such as cloud computing and mobile devices introduce.[15]
[11] Matt Egan, The Disclosure Debate: When Should Companies Reveal Cyber Attacks? Fox Business, 28 October 2011.
[12] David Goldman, Hacktivists Stole 58% of Thieved Data in 2011, CNN Money, 22 March 2012.
[13] Adam Martin, The 44 Days That Cost Sony $171 Million, Atlantic Wire, 2 June 2011.
[14] Mathew J. Schwartz, Advanced Persistent Threats Get More Respect, InformationWeek, 9 February 2012.
[15] These are discussed in Ernst & Young, Fighting to Close the Gap: Ernst & Young's 2012 Global Information Security Survey, Insights on IT Risk, November 2012.


However, Mr Hughes echoed a point that other security experts and guests at several other audit committee network meetings have repeatedly emphasized: "Everyone is breached. Your companies have to operate with that as a given." At a recent meeting of the North American Audit Committee Leadership Network, Shawn Henry, a former official at the US Federal Bureau of Investigation responsible for cybersecurity investigations, made the point even more starkly: "There are two types of companies: those that have been breached, and those that don't know they have been breached."[16]

High-level strategies

The fact that the battle against cyberattackers has to be fought within the network as well as at the perimeter necessitates a layered approach to defense. Mr Hughes and the members discussed three broad tactics:

- Prioritize sensitive information and systems to be secured. Companies should classify information and systems according to how critical it is to secure them and then apply the appropriate controls. A member said, "We classify all our information and encrypt some of it; it's a commonsense thing." Mr Hughes said, "Put the strongest firewalls and vulnerability scanners[17] in front of the highest-value targets." He also noted that the classification of data is a strategic issue: "You can't leave it to the [chief information officer] and [chief information security officer] to decide what is most important."

- Increase the use of monitoring. Companies should monitor what is going on inside their systems, using sophisticated tools to analyze behavior. It is also important to be able to respond quickly when an attacker is detected in the network. As Mr Hughes explained, "This is not about compliance; it's about real-time monitoring of the network and the applications. You also need to give people the authority to act in real time. Real-time monitoring is the next big thing."

- Defend the perimeter. The inevitability of breaches and the need for measures inside the network do not obviate the need for perimeter security, which is the first line of defense. Cybersecurity should be approached in a comprehensive, multipronged manner that takes into account everything from user privileges to software patches to incident management. As Mr Hughes noted, attackers take company defenses into account when choosing targets: "They look for easy targets." For a list of 10 steps to reduce cybersecurity risk, see Appendix 4, on pages 13–15.
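The first two tactics above (classify the assets that matter most, then watch what happens inside the network and act on it) can be made concrete in code. The following is an added example; it is not from the ViewPoints document, from BT or from Mr Hughes. It is a small Python detector that runs over constructed authentication and file-access log lines, applies an assumed asset classification (which accounts may touch which critical assets), and raises alerts for the kinds of in-network activity that perimeter defenses do not stop: a burst of failed logins from one source, a privileged account signing in from outside the admin network, and access to a critical asset by an account not cleared for it. The log format, host and user names, IP addresses, tiers and thresholds are all invented for illustration.

```python
"""Added example (not from the ViewPoints document, BT or Mr Hughes):
a minimal in-network monitor that applies an assumed asset classification
and flags anomalies in constructed log lines. All names, addresses,
thresholds and the log format are invented for illustration."""
from collections import defaultdict
from datetime import datetime

# Assumed classification: a tier per asset, and which accounts may use the
# critical ones. In practice this comes from the business, not from IT alone.
ASSET_TIER = {"hr-db": "critical", "rd-share": "critical", "wiki": "internal"}
ALLOWED_ON_CRITICAL = {"hr-db": {"alice", "svc_hr"}, "rd-share": {"bob", "carol"}}
PRIVILEGED = {"alice", "bob", "root_admin"}        # accounts with high-level access
KNOWN_ADMIN_SOURCES = {"10.0.5.10", "10.0.5.11"}   # assumed admin jump hosts
FAILED_LOGIN_THRESHOLD = 5                         # failures from one source ...
WINDOW_SECONDS = 300                               # ... within this sliding window


def parse(line):
    """Parse one constructed line: '<ISO time> <EVENT> key=value ...'."""
    ts, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["event"] = event
    return rec


def detect(lines):
    """Return a list of (alert_type, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    for rec in map(parse, lines):
        ts, event = rec["ts"], rec["event"]
        user, src = rec.get("user"), rec.get("src")
        if event == "LOGIN_FAIL":
            # Keep only failures inside the window; alert once when the
            # threshold is reached (further failures do not re-alert).
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(ts)
            failures[src] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("brute_force", src))
        elif event == "LOGIN_OK":
            # A valid credential is not enough: a privileged account arriving
            # from outside the admin hosts deserves a real-time alert.
            if user in PRIVILEGED and src not in KNOWN_ADMIN_SOURCES:
                alerts.append(("priv_login_unknown_src", f"{user}@{src}"))
        elif event == "ACCESS":
            asset = rec.get("asset")
            if ASSET_TIER.get(asset) == "critical" and user not in ALLOWED_ON_CRITICAL.get(asset, set()):
                alerts.append(("critical_asset_access", f"{user}->{asset}"))
    return alerts


# Constructed sample log: a password-guessing burst against bob, then bob
# signing in from the same external address, then dave reaching the HR database.
SAMPLE_LOG = [
    "2012-11-30T09:00:01 LOGIN_OK user=alice src=10.0.5.10",
    "2012-11-30T09:00:05 ACCESS user=alice src=10.0.5.10 asset=hr-db",
    "2012-11-30T09:01:00 LOGIN_FAIL user=bob src=203.0.113.7",
    "2012-11-30T09:01:10 LOGIN_FAIL user=bob src=203.0.113.7",
    "2012-11-30T09:01:20 LOGIN_FAIL user=bob src=203.0.113.7",
    "2012-11-30T09:01:30 LOGIN_FAIL user=bob src=203.0.113.7",
    "2012-11-30T09:01:40 LOGIN_FAIL user=bob src=203.0.113.7",
    "2012-11-30T09:02:00 LOGIN_OK user=bob src=203.0.113.7",
    "2012-11-30T09:02:30 ACCESS user=bob src=203.0.113.7 asset=rd-share",
    "2012-11-30T09:03:00 ACCESS user=dave src=10.0.7.3 asset=wiki",
    "2012-11-30T09:03:30 ACCESS user=dave src=10.0.7.3 asset=hr-db",
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {detail}")
```

Two design points matter for the "act in real time" part of the tactic. The brute-force rule uses a sliding window rather than a lifetime counter, so the same five failures spread over an hour produce no alert, which keeps the rule from paging on ordinary typos; and the critical-asset rule is driven by the classification table, so changing what the business considers critical changes what the monitor watches without touching the detection code.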

Too much security?

When one member noted that absolute security might require moving certain data to an isolated network with no access at all from the outside, it raised the question of how much security is too much. Security measures can undermine productivity if they are too restrictive. A member provided an example of the dilemma involved: "Some companies depend on R&D, and it's not done only within the company. Rather, it's done by worldwide networks that include universities and other companies." Limiting the flow of information within these wider networks spanning multiple organizations would impede the research and company performance. Security may also be a drain on resources, forcing companies to make choices about how to allocate expenditures. Mr Hughes suggested quantifying both the potential risk and the associated cost of mitigation:

[16] Audit Committee Leadership Network, Cybersecurity and the Board, ViewPoints, 7 November 2012, page 5.
[17] Vulnerability scanners look for weaknesses in systems, such as misconfigurations and software bugs, which can be exploited by hackers.


"What is an acceptable degree of loss? We motivate the staff around zero loss, but we have to prioritize some areas over others because we do not have unlimited resources."

Companies may also need to consider other objectives, including ethical and legal obligations. When a member asked about tools for retaliating against attackers, Mr Hughes warned members to be careful: "Yes, there are such tools; you can use the same tools that attackers do. But it's against the law in most jurisdictions. Others may have a different view, but there are boundaries."
Boards should focus more on cybersecurity

EACLN members and Mr Hughes agreed that boards must be more engaged on cybersecurity. A member noted, "As board members, we must acknowledge the problem and then ask IT what they are doing about it. Too many board members think that there isn't a problem or that it is someone else's problem."

Indeed, a recent report published by Carnegie Mellon CyLab, a cybersecurity research and education center, found serious shortcomings in board oversight of cybersecurity.[18] The report was based on a survey of over 100 board directors and senior executives at Forbes Global 2000 companies. Comparing the results of the 2012 survey with similar surveys conducted in 2008 and 2010, the report states: "For the third time, the survey revealed that boards are not actively addressing cyber risk management ... There is still a gap in understanding the linkage between information technology (IT) risks and enterprise risk management ... Boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks."[19] Among European companies, the percentage that reported rarely or never reviewing key elements of company security programs was 44% for annual budgets, 53% for roles and responsibilities and 38% for top-level policies.[20]

Delegating responsibility for cybersecurity oversight

The CyLab report noted shifts in cybersecurity oversight, including the delegation of responsibility to different committees of the board. The report and pre-meeting conversations with EACLN members identified several approaches to delegating responsibility:

- The audit committee is responsible for cyberrisks. CyLab found that at 41% of the European companies responding to the survey, the audit committee still has the most responsibility for cyberrisks.[21] Many EACLN members also noted that cybersecurity is chiefly addressed by the audit committee as part of the committee's oversight of risk management in general.

- A risk committee oversees privacy and security. The CyLab survey detected a sharp increase from earlier surveys in the percentage of companies that are assigning cybersecurity oversight chiefly to risk committees. At 22% of the European companies participating in the survey, the risk committee has the

[18] Jody R. Westby, Governance of Enterprise Security: CyLab 2012 Report (Pittsburgh: Carnegie Mellon University, 2012).
[19] Ibid., page 5.
[20] Ibid., page 17.
[21] Ibid., page 19.


most responsibility for cyberrisks. The percentage is about the same in North America, but substantially higher in Asia (38%).[22]

- The full board is responsible. According to the CyLab survey, 34% of European companies give the full board the most responsibility for cyberrisk. Again, the percentage was very similar in North America and substantially higher in Asia (48%).[23]

In pre-meeting conversations, members mentioned that the frequency and regularity with which boards address cybersecurity varies from company to company:

- Regular reviews. A few members reported that their board addresses cybersecurity on a regular basis. One member reported, "The audit committee reviews what the company is doing [regarding cybersecurity] at every meeting. It would never be off the agenda."

- Ad hoc discussions. Other members reported that cybersecurity comes up more occasionally as part of a broader discussion of risk. One member said, "One meeting is dedicated to risk, and this is one type of risk. Half-yearly, we go through the 10 risks that are most challenging, and IT security is there now and then."
Drilling down on issues

The complexity of cybersecurity and the pace of technological change make effective oversight a challenge for boards. Mr Hughes and the members identified several approaches that can help ensure effective coverage of cybersecurity risks and facilitate the board's work in this area:

- Leverage the company's risk management machinery. Mr Hughes reminded members that the existing ERM system should incorporate cybersecurity risks. Like management, the board should treat cybersecurity risks as any other risk, using the ERM system to identify and assess these risks. Then it should evaluate the appropriate mitigation in the context of other risks. Mr Hughes remarked that the process should be ongoing: "Rerun the risk assessment process when you look at a new market, a new product or a product change."

- Bring in internal audit. Internal audit can provide additional information about company systems and processes. A member said, "The internal audit director and his expert on cybersecurity will report to the audit committee. They will cover all the scenarios they look at: general systems, controls of different units in different countries, methods of reporting, methods of auditing."

- Bring in outside experts. As with other complex risks, members suggested that boards should seek support from experts outside the company, who can provide supplemental information and fresh perspectives. One member said, "Developments are so quick that it is impossible to keep staff informed of developments, so bring in experts. We get an annual presentation on cybersecurity developments and threats." Another member said, "It's like any other risk you are not comfortable with: you go and get some external help from the external auditor, fraud experts and/or technical experts."

[22] Ibid.
[23] Ibid.


Questions the board should ask about cybersecurity

Mr Hughes listed a number of questions that audit committee chairs (or other board members tasked with cybersecurity oversight) should ask management:

- How much would a cybersecurity breach impact the organization, and can management demonstrate the rationale behind that assessment?
- Where and what are the most critical assets? How does management determine which assets are critical?
- What are the most critical applications? How does management determine which applications are critical?
- What monitoring is in place, and what level of continuous detection? What anomalies has management found?
- Who is management working with in the industry and government? What is being shared, and how?
- What is management doing with third parties who have access to the network, and what level of control does management have over them?
- Who are the privileged users with high-level access, and how are they being managed?
- How is software patch management being handled?
- What has management done to protect the company against denial-of-service attacks?

Cybersecurity disclosures

When and how to report cyberattacks is an evolving issue that could become an important topic of discussion for boards and especially audit committees. Companies are required to disclose when personal data have been compromised. They may also have obligations to investors regarding other types of data losses or cyberattacks that have material effects. Regulators have started addressing the issue of disclosure to investors. In October 2011, the Division of Corporation Finance at the US Securities and Exchange Commission issued guidance on disclosure of both cybersecurity risks and actual incidents. The guidance notes that "although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents."[24] The guidance goes on to discuss potential obligations stemming from requirements in areas such as risk factors, management's discussion and analysis and legal proceedings, among others.

[24] US Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, 13 October 2011.


Quantifying the impact of these disclosures presents problems. Whereas valuing the impact of privacy breaches is now fairly routine, it can be very difficult to quantify the loss of intellectual property. As Dmitri Alperovitch of the cybersecurity company CrowdStrike explained in an interview with the Council on Foreign Relations, "The challenge is that, quite frankly, a lot of this has been painless thus far because when someone goes into your company and steals your intellectual property, it's not like they stole your car; you still have your intellectual property. Until someone does something with it that damages you, you haven't experienced that loss in many ways. That's why a lot of these companies have been hesitant to come forward."[25] Because companies are hesitant to disclose attacks, it is likely the magnitude of the problem is severely underestimated. Members of the ACLN have recently mentioned some of the dilemmas around disclosure.[26] One member said, "The issue is how much you disclose; it could damage your reputation, but the faster you come clean, the more credibility you have with clients." The same member noted that "if we decide a breach requires disclosure, we evaluate with counsel what exactly to disclose; we don't want to provide a roadmap for other attacks." Other ACLN members mentioned bringing in outside law firms and consultants to help deal with the issue.

Conclusion

Mr Hughes described a range of adversaries lurking in cyberspace. These adversaries are threatening the confidentiality, integrity and availability of sensitive information, and even, in some cases, physical assets such as electric generators. Given the persistent pressures on the network perimeter, companies should put in place in-depth defenses that prioritize the protection of critical information and include real-time monitoring to detect and respond to intrusions, as well as other specific measures. Cybersecurity should be integrated into the ERM system, and boards should play a critical oversight role, asking more detailed questions about cybersecurity threats and responses than they have in the past.

About this document


The European Audit Committee Leadership Network is a group of audit committee chairs drawn from leading European companies committed to improving the performance of audit committees and enhancing trust in financial markets. The network is organized and led by Tapestry Networks with the support of Ernst & Young as part of its continuing commitment to board effectiveness and good governance. ViewPoints is produced by Tapestry Networks to stimulate timely, substantive board discussions about the choices confronting audit committee members, management and their advisers as they endeavor to fulfill their respective responsibilities to the investing public. The ultimate value of ViewPoints lies in its power to help all constituencies develop their own informed points of view on these important issues. Those who receive ViewPoints are encouraged to share it with others in their own networks. The more board members, management and advisers who become systematically engaged in this dialogue, the more value will be created for all.
The perspectives presented in this document are the sole responsibility of Tapestry Networks and do not necessarily reflect the views of network members or participants, their affiliated organizations, or Ernst & Young. Please consult your counselors for specific advice. Ernst & Young refers to all members of the global Ernst & Young organization, each of which is a separate legal entity. This material is prepared and copyrighted by Tapestry Networks with all rights reserved. It may be reproduced and redistributed, but only in its entirety, including all copyright and trademark legends. Tapestry Networks and the associated logos are trademarks of Tapestry Networks, Inc. and Ernst & Young and the associated logos are trademarks of EYGN Ltd.
[25] Cybertheft and the US Economy, An Interview with Dmitri Alperovitch, by Jonathan Masters, Council on Foreign Relations, 11 August 2011.
[26] Audit Committee Leadership Network, Cybersecurity and the Board, page 8.


Appendix 1: Biography of Mark Hughes

Mark Hughes is the managing director at BT Security, a position he assumed in October 2005. He is responsible to the board for all aspects of security in BT. This involves ensuring that BT has the right policies and procedures to keep BT's assets, whether physical, logical or information, secure from attack; to counter fraud; and also to minimize disruption in the event of an incident. This includes BT's civil resilience obligations. Mr Hughes joined BT in 2002, assuming responsibility for a number of ventures, including the partnership with government for the Criminal Records Bureau in Scotland and other government contracts. He then ran the operations for a sales division in the major customer market sector, focusing on BT's core services. Prior to joining BT, Mr Hughes was the commercial director of MWB Business Exchange. Mr Hughes is a non-executive board member of the National Security Inspectorate and a member of the Senior Strategic Steering Group of the Centre for the Protection of National Infrastructure.


Appendix 2: Participants

The members of the network participating in the meeting sit on the boards of nearly 40 large-, mid- and small-capitalization public companies. Network members participating in all or part of the meeting included:
- Mr Aldo Cardoso, Audit Committee Chair, GDF SUEZ
- Mr Ángel Durández, Audit Committee Chair, Repsol
- Mr Lou Hughes, Audit Committee Chair, ABB
- Mr Daniel Lebègue, Audit Committee Chair, Technip
- Mr Pierre Rodocanachi, Audit Committee Member, Vivendi
- Mr Nick Rose, Audit Committee Chair, BAE Systems and BT
- Ms Guylaine Saucier, Audit Committee Chair, Areva
- Mr Tom de Swaan, Audit Committee Chair, GlaxoSmithKline* and Royal Ahold
- Mr Jack Tai, Audit Committee Chair, Royal Philips Electronics
- Dr Bernd Voss, Audit Committee Chair, Continental AG
- Mr Steve West, Audit Committee Chair, Cisco Systems**
- Mr Lars Westerberg, Audit Committee Chair, Volvo

The following Ernst & Young partners participated in the session:
- Mr Christian Mouillon, Global Vice Chair, Assurance
- Mr Mark Otty, Area Managing Partner, EMEIA

* Mr de Swaan stepped down as audit chair of GlaxoSmithKline on 31 December 2012, but remains a member of the audit committee.
** Member of the Audit Committee Leadership Network of North America.


Appendix 3: Discussion questions for the audit committee

- Have your companies experienced any significant attacks? How did they play out? What was the impact of these attacks?
- What cybersecurity risks are you most worried about? What kinds of attacks do you see as the most dangerous and/or likely?
- What new vulnerabilities have you perceived or experienced as a result of changing technology?
- What kinds of strategies have your companies implemented to secure their systems and operations? How do your companies respond to attacks? Do you feel confident that your companies have cybersecurity under control?
- How should companies collaborate with each other, both within their own sectors and across sectors? What kind of forums would be helpful?
- What should companies disclose to their shareholders and the public about security incidents?
- What is your board's level of engagement with cybersecurity? How often is cybersecurity discussed?
- What topics are discussed, and in how much detail? Who reports to the board from management? Does the board or audit committee ever hear from the chief information security officer, if you have one?
- If responsibility for cybersecurity is shared among committees, how are issues delegated? How are efforts coordinated?
- Will cybersecurity risks prompt boards to recruit more directors with technical experience?
- Do you see any emerging best practices for board oversight of cybersecurity?


Appendix 4: Ten steps for reducing cybersecurity risk

Mr Hughes pointed EACLN members to a recent publication from CESG, 27 the information security arm of the UK's Government Communications Headquarters, which offers high-level guidance to companies seeking to improve their cybersecurity. Boards can use the checklist to determine if management is keeping the company secure. The publication identified steps for companies to take in 10 critical areas, quoted below (for more detail on each area, please consult the CESG publication): 28

Information Risk Management Regime
- Establish a governance framework: Enable and support risk management across the organisation.
- Determine your risk appetite: Decide on the level of risk the organisation is prepared to tolerate and communicate it.
- Maintain the Board's engagement with cyber risk: Make cyber risk a regular agenda item. Record cyber risks in the corporate risk register to ensure senior ownership.
- Produce supporting risk management policies: An overarching corporate security policy should be produced together with an information risk management policy.
- Adopt a lifecycle approach: Risk management is a whole life process and the organisation's policies and processes should support and enable this.

Secure Configuration
- Develop corporate policies to update and patch systems: Establish and maintain policies that set out the priority and timescales for applying updates and patches.
- Create and maintain hardware and software inventories: Use automated tools to create and maintain inventories of every device and application used by the organisation.
- Lockdown operating systems and software: Create a baseline security build for workstations, servers, firewalls and routers.
- Conduct regular vulnerability scans: Run automated vulnerability scanning tools against all networked devices at least weekly and remedy any vulnerability within an agreed time frame.

Network Security
- Police the network perimeter: Establish multi-layered boundary defences with firewalls and proxies deployed between the untrusted external network and the trusted internal network.
- Protect the internal network: Prevent any direct connections to external services and protect internal IP addresses.
- Monitor: Use intrusion monitoring tools and regularly audit activity logs.
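The Secure Configuration steps above ask for an up-to-date inventory, regular vulnerability scans and remediation within an agreed time frame. The following script is an added example written for this summary, not code from CESG or from the ViewPoints document; it reconciles a hardware inventory against scanner output and flags findings that have passed their remediation deadline. The hostnames, finding identifiers (VULN-0001 and so on), dates and the per-severity timescales in REMEDIATION_DAYS are all constructed assumptions, not values from either publication.

```python
"""Reconcile a hardware inventory against vulnerability-scan output and flag
findings that have exceeded an agreed remediation timescale.

Added example, not taken from the CESG publication or this document.
All hosts, finding identifiers, dates and timescales below are constructed.
"""
from datetime import date, timedelta

# Assumed per-severity remediation timescales in days (a policy choice
# made up for this example, not CESG guidance).
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed hardware inventory: hostname -> owning business unit.
INVENTORY = {
    "web-01": "ecommerce",
    "db-01": "ecommerce",
    "fw-edge": "network",
    "ws-1042": "finance",
}

# Constructed scanner output: every host the scanner reached, with its open
# findings as (finding id, severity, date first seen).  An empty list means
# the host was scanned and came back clean.
SCAN_RESULTS = {
    "web-01": [("VULN-0001", "critical", date(2013, 1, 2)),
               ("VULN-0002", "low", date(2012, 6, 1))],
    "db-01": [("VULN-0003", "high", date(2012, 12, 20))],
    "ws-1042": [],
    "printer-7": [("VULN-0004", "high", date(2013, 1, 10))],  # not inventoried
}

# Date on which the report is run (constructed; matches this issue's date).
REPORT_DATE = date(2013, 1, 16)


def overdue_findings(scan_results, timescales, today):
    """Findings older than the agreed timescale for their severity.

    Returns (host, finding id, severity, days past deadline) tuples.
    """
    overdue = []
    for host, findings in scan_results.items():
        for finding_id, severity, first_seen in findings:
            deadline = first_seen + timedelta(days=timescales[severity])
            if today > deadline:
                overdue.append((host, finding_id, severity, (today - deadline).days))
    return overdue


def unknown_hosts(scan_results, inventory):
    """Hosts the scanner found that are missing from the inventory."""
    return sorted(h for h in scan_results if h not in inventory)


def unscanned_hosts(scan_results, inventory):
    """Inventoried hosts the scanner never reached."""
    return sorted(h for h in inventory if h not in scan_results)


def build_report(scan_results, inventory, timescales, today):
    """Collect the three checks into one structure a reviewer can act on."""
    return {
        "overdue": overdue_findings(scan_results, timescales, today),
        "unknown_hosts": unknown_hosts(scan_results, inventory),
        "unscanned_hosts": unscanned_hosts(scan_results, inventory),
    }


if __name__ == "__main__":
    report = build_report(SCAN_RESULTS, INVENTORY, REMEDIATION_DAYS, REPORT_DATE)
    for host, finding_id, severity, days in report["overdue"]:
        print(f"OVERDUE   {host:10} {finding_id} ({severity}) {days} days past deadline")
    for host in report["unknown_hosts"]:
        print(f"UNKNOWN   {host:10} seen by scanner but not in inventory")
    for host in report["unscanned_hosts"]:
        print(f"UNSCANNED {host:10} in inventory but not reached by scanner")
```

The two inventory checks matter as much as the deadline check: a host the scanner sees but the inventory does not is an unmanaged device, and an inventoried host the scanner never reaches is a gap in the weekly scan coverage that the checklist calls for.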

27 Originally, the Communications-Electronics Security Group, but the expanded name was dropped in 2002.
28 CESG, 10 Steps to Cyber Security (Cheltenham, UK: GCHQ, 2012), page 3.


- Test the security controls: Conduct regular penetration tests and undertake simulated cyber attack exercises.

Managing User Privileges
- Establish effective account management processes: Manage and review user accounts from creation and modification to eventual deletion.
- Limit the number and use of privileged accounts: Minimise privileges for all users. Provide administrators with normal accounts for business use. Review the requirement for a privileged account more frequently than standard accounts.
- Monitor all users: Monitor user activity, particularly access to sensitive information and the use of privileged accounts.

User Education and Awareness
- Produce a user security policy: Produce policies covering the acceptable and secure use of the organisation's systems.
- Establish a staff induction process: New users should receive training on their personal security responsibilities.
- Maintain user awareness of the threats: All users should receive regular refresher training on the cyber risks to the organisation.
- Support the formal assessment of IA [information assurance] skills: Encourage relevant staff to develop and formally validate their IA skills.

Incident Management
- Obtain senior management approval and backing: The Board should lead on the delivery of the incident management plans.
- Establish an incident response and disaster recovery capability: Develop and maintain incident management plans with clear roles and responsibilities; regularly test your plans.
- Provide specialist training: The incident response team should receive specialist training to ensure they have the skills and expertise to address the range of incidents that may occur.

Malware Prevention
- Develop and publish corporate policies: Produce policies to manage the risks to the business processes from malware.
- Establish anti malware defences across the organisation: Agree a corporate approach to managing the risks from malware for each business area.
- Scan for malware across the organisation: Protect all host and client machines with anti virus solutions that will automatically scan for malware.
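The Managing User Privileges steps above call for separate normal accounts for administrators, more frequent review of privileged accounts than of standard ones, and monitoring of privileged-account use. The script below is an added example written for this summary, not code from CESG or from the ViewPoints document; it runs those three checks over a small account register and an activity log. The account names, the review intervals in REVIEW_DAYS, the "adm-" naming convention, the key=value log format and every log line are constructed assumptions.

```python
"""Review privileged accounts and privileged activity against an account
register.  Added example, not taken from the CESG publication or this
document; the accounts, review intervals, naming convention and log lines
below are constructed assumptions.
"""
import re
from datetime import date, timedelta

# Assumed review intervals: privileged accounts are re-justified more often
# than standard ones, as the guidance above asks for.
REVIEW_DAYS = {"privileged": 30, "standard": 180}

# Assumed naming convention: an administrator's privileged account is
# "adm-<user>" and the same person holds a normal "<user>" account.
ADMIN_PREFIX = "adm-"

# Constructed account register: name -> (privileged?, date last reviewed).
ACCOUNTS = {
    "alice": (False, date(2012, 9, 1)),
    "adm-alice": (True, date(2013, 1, 3)),
    "bob": (False, date(2012, 3, 1)),        # standard review long overdue
    "adm-bob": (True, date(2012, 11, 1)),    # privileged review overdue
    "adm-carol": (True, date(2013, 1, 10)),  # carol has no normal account
    "svc-backup": (True, date(2013, 1, 2)),  # service account, no person behind it
}

# Constructed activity log in a simple key=value format.
LOG_LINES = """\
2013-01-15T09:12:03Z user=adm-alice action=sudo target=db-01
2013-01-15T09:13:10Z user=bob action=login target=ws-1042
2013-01-15T11:40:52Z user=bob action=sudo target=db-01
2013-01-15T12:01:00Z user=svc-backup action=sudo target=web-01
2013-01-16T08:05:41Z user=adm-bob action=login target=fw-edge
"""

PRIVILEGED_ACTIONS = {"sudo"}  # assumed: actions that require a privileged account
LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) target=(\S+)$")
REVIEW_DATE = date(2013, 1, 16)  # constructed; matches this issue's date


def overdue_reviews(accounts, review_days, today):
    """Accounts whose last review is older than the interval for their class.

    Returns {name: days past the review deadline}.
    """
    overdue = {}
    for name, (privileged, last_review) in accounts.items():
        interval = review_days["privileged" if privileged else "standard"]
        deadline = last_review + timedelta(days=interval)
        if today > deadline:
            overdue[name] = (today - deadline).days
    return overdue


def admins_without_normal_account(accounts, prefix=ADMIN_PREFIX):
    """Privileged personal accounts with no matching standard account."""
    return sorted(
        name for name, (privileged, _) in accounts.items()
        if privileged and name.startswith(prefix)
        and name[len(prefix):] not in accounts
    )


def unexpected_privileged_use(log_text, accounts, privileged_actions=PRIVILEGED_ACTIONS):
    """Privileged actions performed by accounts not registered as privileged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production tool would count these too
        ts, user, action, target = m.groups()
        is_privileged = accounts.get(user, (False, None))[0]
        if action in privileged_actions and not is_privileged:
            hits.append((ts, user, target))
    return hits


if __name__ == "__main__":
    for name, days in overdue_reviews(ACCOUNTS, REVIEW_DAYS, REVIEW_DATE).items():
        print(f"REVIEW OVERDUE  {name:12} {days} days")
    for name in admins_without_normal_account(ACCOUNTS):
        print(f"NO NORMAL ACCT  {name}")
    for ts, user, target in unexpected_privileged_use(LOG_LINES, ACCOUNTS):
        print(f"UNEXPECTED SUDO {user:12} on {target} at {ts}")
```

An unknown account in the log is treated as unprivileged, so a privileged action by an account missing from the register is reported rather than silently accepted; that is the safer default when the register and the systems it governs drift apart.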

Monitoring
- Establish a monitoring strategy and supporting policies: Implement an organisational monitoring strategy and policy based on an assessment of the risks.
- Monitor all ICT [information and communications technologies] systems: Ensure that the solution monitors all networks and host systems (e.g., clients and servers).
- Monitor network traffic: Network traffic should be continuously monitored to identify unusual activity or trends that could indicate an attack.

Removable Media Controls
- Produce a corporate policy: Implement policy to control the use of removable media for the import and export of information.
- Limit the use of removable media: Limit the media types that can be used together with user and system access and the information types that can be stored on removable media.
- Scan all removable media for malware: All clients and hosts should automatically scan removable media. Any media brought into the organisation should be scanned for malware by a stand alone scanner before any data transfer takes place.

Home and Mobile Working
- Assess the risks and create a mobile working policy: The policy should cover aspects such as information types, user credentials, devices, encryption and incident reporting.
- Educate users and maintain their awareness: Educate users about the risks and train them to use their mobile device securely by following the security procedures.
- Apply the secure baseline build: All mobile devices should be configured to an agreed secure baseline build. Data should be protected in transit and at rest.
