CGj looks at the roles of directors and governance professionals in building a good cybersecurity governance framework.
Cybersecurity governance is one of the key challenges confronting entities, commercial and non-commercial, these days. With the push into digital transformation and as their online footprint increases, organisations find themselves more exposed to cybersecurity attacks.
With headlines of phishing scams and database hacks becoming more commonplace, organisations are increasingly aware of the paramount importance of guarding against malicious online activities, but shoring up their defences and implementing an effective cybersecurity governance framework remain a major challenge.
A new cybersecurity report, soon to be published by The Hong Kong Chartered Governance Institute (HKCGI) and PricewaterhouseCoopers (the HKCGI/PwC Report), highlights some areas that warrant prompt attention by organisations to protect against cyberthreats.
More than 60% of the 1,400 companies surveyed for the HKCGI/PwC Report said they are ‘very confident’ or ‘somewhat confident’ in their cybersecurity teams, but only slightly over 36% of these businesses said they have their boards do regular reviews (at least once a year) of cybersecurity strategy.
‘This is why our research report is titled “plugging the hole”. People are actually not doing as well as they think from a governance perspective. That’s why we came up with five imperatives and obviously the number one is, test, test, test your system,’ says Mohan Datwani FCG HKFCG(PE), Institute Deputy Chief Executive and co-author of the HKCGI/PwC Report.
Having the right board DNA
Knowing what kinds of testing are needed, however, and how to go about it, is the tricky part. The many different kinds of testing out there, and the many different scenarios impacting what is required, make it difficult to get clear, straight answers to these questions.
Nevertheless, one clear message for organisations and governance professionals is the importance of building the right board DNA. Kok Tin Gan, Founder of PricewaterhouseCoopers (PwC) Dark Lab and co-author of the HKCGI/PwC Report, points out that having board members with a cybersecurity or IT background ‘instantaneously’ changes the board’s DNA when it comes to overseeing cybersecurity. He emphasises that this is a key factor in ensuring that the organisation is prepared for cybersecurity challenges.
‘The board or management can always outsource the testing, but how effectively and regularly you monitor the testing process requires board members to have a solid knowledge of cybersecurity to be able to ask the right questions,’ Mr Gan points out. He adds that this does not mean that board members need to be ‘super techie’ – this is about having sufficient knowledge to challenge management about whether they have the right strategies.
New threats, new regulations
As the number of cyber incidents has surged in recent years, jurisdictions around the world are playing catch-up to ensure they have legislation in place to at least ensure that organisations are transparent about the risks they are facing. For instance, the US Securities and Exchange Commission (SEC) recently introduced new rules regarding cybersecurity disclosures that mandate public companies to report cybersecurity incidents within four days.
‘We have more legislation moves in the cybersecurity and data privacy area,’ says Gabriela Kennedy, Partner, Mayer Brown. She adds that the growing number of cybersecurity laws and related regulations in different jurisdictions has pushed companies to prioritise their strategy vis-a-vis cybersecurity.
‘The potential leakage of confidential information, trade secrets, intellectual property and personal data can trigger fines and potential litigation, depending on which jurisdiction is involved, and boards have started to pay more attention to cybersecurity,’ she says. She adds that strict data privacy and to a certain extent cybersecurity legislation has now been adopted by many jurisdictions in Asia Pacific, another factor heightening the attention of boards to this issue.
Getting boards onboard
For governance professionals a key question will be how to ensure that the board gives due attention to cybersecurity. Ms Kennedy agrees with the point made above about the benefits of getting cybersecurity and IT expertise on the board. There are also huge benefits, she points out, from having a cybersecurity committee to lead the board’s work in this space.
Tech-savvy directors and a cybersecurity committee can play a vital role in assisting directly with the company’s risk management strategy and understanding what a company needs when it is under attack, Ms Kennedy says. ‘This means having somebody who understands the IT infrastructure of the company and would know immediately who to deploy, who to call upon,’ she says.
According to the HKCGI/PwC Report, however, only around 21% of businesses said they have a specific cybersecurity committee with defined responsibilities and lines of authority.
Building a good cybersecurity governance framework
The experts interviewed for this article stress that there is no ‘one-size-fits-all’ solution and different companies may develop different approaches to deal with cyberthreats.
‘I think the question is more around how do you make sure that the board builds the right framework for cybersecurity-related governance,’ says Dylan Williams FCG HKFCG, General Counsel and Company Secretary, Sands China Ltd.
The board has to set the right tone and get involved in putting a solid governance structure in place, he points out. ‘Starting at the top, make sure that the board communicates that the company has a very strong cybersecurity-aware culture. The board should also be involved in defining what the organisation’s cybersecurity strategy is,’ he says.
The governance framework, both Mr Williams and Ms Kennedy emphasise, must also ensure that the organisation can react accurately and promptly when it comes to cybersecurity threats. Having a person in the right position to make the right decision when the ‘fire’ starts will help.
‘It’s important to have people who will know what needs to be done and will have a certain level of authority to make decisions,’ Ms Kennedy says. The response plan will depend, however, on the nature of the organisation, the type of data it owns and the areas of risk identified.
Mr Williams and Ms Kennedy also recommend tabletop training exercises for key personnel as an indispensable part of any framework. This is especially true for large companies running businesses across jurisdictions. They should be conducting these exercises at least once a year, Ms Kennedy suggests, bearing in mind that cyberthreats will rarely affect only one office in one country and that the nature of cyberthreats changes over time.
She adds that such training exercises are a good way to get people interested in cybersecurity issues, as well as, of course, raising their awareness and understanding of the latest threats.
Seeking external help
Even with the best defences, cyberattacks are still likely to occur and each attack can be an important lesson for organisations. The key here, however, is not to try to cover up or underestimate what has happened.
‘I’ve seen many examples of companies trying to play down what has happened,’ says Ms Kennedy. ‘That’s very dangerous because you’re not dealing with the real problem. So it’s best to bring in an objective and outside team that’ll figure out what was the root cause of the incident.’
Mr Williams agrees that having an external consultant can be beneficial in identifying cybersecurity weaknesses, as ‘external consultants are constantly up to date with the issues that are being faced by multiple industries,’ he says.
Pokit Lok, Principal of Risk Advisory Services at BDO, stresses the importance of having at least a yearly audit by an external party even if the company has an extensive IT team. ‘The business people in the company might not be familiar with what the IT people are doing. An external IT audit can check on what the IT team is doing or not doing, and help the company improve its cybersecurity environment,’ Mr Lok says.
This is important even in a company with more complex IT systems and large teams. ‘You can have a lot of systems to protect your environment, but this does not mean that the systems are configured properly. A professional IT party can help to audit that,’ Mr Lok says. Very simple loopholes can get overlooked, he adds. It only takes one member of staff to open a remote desktop link to an important server to allow hackers to compromise the company’s entire software ecosystem.
Future trends in cybersecurity
Cyberthreats continue to evolve every day and organisations need to stay up to date with key trends in this space. Data theft stands out as a significant concern. Mr Williams points out that most cybersecurity attacks are fundamentally about getting access to data within organisations. Consequently, one of the fast-evolving areas of cybersecurity regulation relates to data protection. In this context, Mr Williams urges governance professionals to keep an eye on the rapidly evolving data protection laws.
This is another reason why regular data stocktakes or inventory checks are a good idea. Knowing what kind of data is being collected by the organisation will help management and the board understand the nature of the risks they face in the storing of such data. There should be regular assessments of whether data collection policies are in line with data protection regulations, Mr Lok says, and Ms Kennedy points out that organisations often retain unnecessary data and for far too long.
‘Most companies have been focused on how they can exploit data – data is the new oil, as they say. And yes, it is the new oil, but it sits in old barrels that get rusty and start leaking a data lake that can soon become a disaster,’ she says. Data auditing should therefore assess what data really needs to be stored and for how long, what practices are good and which are not and, of course, an audit should extend to the supply chain because vulnerabilities can be introduced through the supply chain, she adds.
‘It is absolutely important to audit your third-party vendors and to look at who is in charge of procuring your IT systems,’ she says, ‘because vulnerabilities can be introduced through multiple entry points. You might have a junior staff member procuring software that becomes a problem, for example.’
Another key trend that should be on organisations’ watch list is the rising number of ‘social engineering’ scams. This involves scammers impersonating individuals to perpetrate fraud. Ms Kennedy points out that developments in artificial intelligence (AI), such as the increasingly accurate deep fakes enabling the scammers to replicate the voice or image of a CEO or finance director, are making this type of fraud a lot more dangerous. ‘AI is giving us a lot of power and fantastic tools, but it’s also introducing new threats and vulnerabilities,’ she says.
People, people, people
A well-known principle for organisational transformation is to address ‘people, processes and technology’, but Mr Lok emphasises that people are by far the most important part of this trio when it comes to addressing cybersecurity.
‘It doesn’t take sophisticated or advanced IT skills to steal a company’s money via methods such as phishing or other social engineering attacks. People come first because staff will use the internet and be exposed to fraud so they should have sufficient training and awareness in cybersecurity,’ Mr Lok says.
There is also no single ‘silver bullet’ when it comes to defending against cybersecurity risks, Mr Gan shares. ‘If someone tells you that you have to implement A, B or C and then you will be safe, that person is lying to you,’ he says. A good defence framework is layered like an onion – each layer guards against a particular scenario, but you can never prevent every scenario. This is another reason why awareness of cybersecurity issues within the company at all levels is so important.
Mr Gan adds that organisations also need to recognise the dangers of underinvesting in cybersecurity. For instance, the bounties that the tech giants offer to people to find critical bugs in their software are worth far less than what the bug would fetch on the black market, he explains, making it less of a financial incentive for tech-savvy people to report the bugs to the company.
‘Cybersecurity is all about find and fix – you have to find and then fix. The find is more difficult because it’s random, unpredictable and requires a lot of effort,’ Mr Gan explains. ‘Hence, companies should up their investment in cybersecurity and up their expertise in this area,’ he says.
How can governance professionals add value?
The previous section emphasises that cybersecurity needs to involve everyone in an organisation, so what contribution should governance professionals be making in this space?
‘Be proactive and get out there,’ says Mr Williams. ‘Engage with the board, engage with your IT teams, find out what the IT teams are doing, engage with your legal counsel, find out how your legal counsel is addressing some of the issues from a legal perspective. On the contracting side, engage with your auditors, because I’m sure your auditors are doing work in all of these different areas, maybe not for you but maybe for other clients. See in what ways you can learn from them.’
Our interviewees also suggested a number of ways governance professionals can raise their game in this area. Mr Lok recommends getting further certifications and technical expertise. For example, they might consider gaining the Certified Information Systems Auditor certification offered by the Information Systems Audit and Control Association, or the Certified Information Systems Security Professional certification offered by the International Information System Security Certification Consortium.
Mr Gan suggests that one of the most useful skills to acquire is the ability to hack. ‘Learning how to hack will give you an extra lens to see what attackers will do, how they might attack and the logic behind the defence systems available,’ he says.
Finally, governance professionals need to recognise that it is only a matter of time before their organisation faces a cyberattack. The time to prepare is therefore now.
In summary, businesses face challenges managing cybersecurity because of rising digital transformation and online threats. The Institute’s new cybersecurity report emphasises the importance of paying attention to cybersecurity concerns. Risk management is aided by cybersecurity committees and directors who are computer-knowledgeable. Board commitment, reaction strategies and external audits are all components of a strong cybersecurity governance system. Data protection, social engineering and AI-driven frauds are three future trends. Investment in cybersecurity is crucial and increasing public awareness is important. Governance professionals can contribute by participating in diverse teams, earning certifications and learning hacking techniques. Cyberattack preparation is crucial.
Poo Yee Kai and Kelly Le
SIDEBAR: Imperatives to improve cybersecurity
The new cybersecurity report, soon to be published by The Hong Kong Chartered Governance Institute (HKCGI) and PricewaterhouseCoopers, aims to help directors and governance professionals improve their organisation’s cybersecurity, proactively minimise cyber risks, and protect crucial assets and reputations in today’s rapidly changing digital ecosystem. To this end, it puts forward the following five imperatives.
- Prioritise cybersecurity testing. Regularly conduct comprehensive testing, including penetration testing, vulnerability assessments and social engineering simulations, to stop possible cyberthreats from taking advantage of vulnerabilities. Identify weak points and take proactive measures to fix them.
- Establish security policies and procedures. To reduce potential vulnerabilities, develop and maintain current security policies, include security in the software development lifecycle and promote secure coding practices.
- Implement identity and access management policies. These manage access to sensitive data and systems, granting authorisation only to authorised employees.
- Monitor third-party cybersecurity risks. To reduce risks related to external dependencies, assess and evaluate the cybersecurity measures of third-party vendors and partners, and implement effective third-party risk management procedures to protect the organisation’s digital ecosystem.
- Invest in cybersecurity awareness training. To promote a security-conscious culture, offer regular cybersecurity awareness training for stakeholders and employees. Inform them of the most recent online dangers and safe practices for protecting digital assets and data.