Assessing Cyber Risk Critical Questions For The Board And The C-suite


Risk powers performance

Risk has traditionally been viewed as something to be minimised or avoided, with significant effort spent on protecting value. However, we believe that risk is also a creator of value and, approached in the right way, can play a unique role in driving business performance.

Take the issue of cyber risk. Increased use of technology and globalisation are key drivers of cyber risk, but they are also key sources of competitive advantage. Organisations that pull back from these drivers to try and protect value will likely fall behind, while organisations that find better ways to manage cyber risk can power superior performance through increased use of technology and globalisation.

A key step on this journey is understanding the current state of your organisation's cyber capabilities. This guide and self-assessment tool is designed to help leaders gauge their cyber maturity, build new cyber risk understanding, and answer key questions, including:

- Do we have the right leader and organisational talent?
- Are we focused on, and investing in, the right things?
- How do we evaluate the effectiveness of our organisation's cyber risk programme?

Today's leading organisations are those that have learned how to protect their value through risk management. Tomorrow's leaders will be those that recognise the opportunity for risk to also create value. Deloitte's Risk Advisory professionals around the world can guide you on that journey and help you transform your organisation into a place where risk powers performance.

To learn more, please visit us at www.deloitte.com/ch/riskadvisory.

Mark Carter
Swiss Risk Advisory Leader

Risk responsibility

Cyber risk is an imperative for everyone within the enterprise – but ultimate responsibility for overseeing risk rests with top leaders.

Many Board members and C-Suite executives, however, are far removed from the day-to-day challenges of monitoring, detecting, and responding to evolving cyber risks. Those leaders who develop a deeper view into where their organisation stands when it comes to cyber risk can gain critical understanding for better managing the business.

Effective cyber risk management starts with awareness at the Board and C-Suite level.

Sharpening your ability to understand risk, manage performance, and move your organisation closer to cyber maturity often begins with answering important questions – and should result in becoming a more secure, vigilant, and resilient business. All three traits are critically important today – although cyber threat management traditionally has focused on "secure" while paying less attention to "vigilant" (comprehensively monitoring the extensive threat landscape) and "resilient" (responding to and recovering from attacks).

Here's an in-depth look at 10 must-answer questions that can help top leaders better comprehend where they stand when it comes to "secure, vigilant, resilient".

01. Do we demonstrate due diligence, ownership, and effective management of cyber risk?
02. Do we have the right leader and organisational talent?
03. Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?
04. Are we focused on, and investing in, the right things? And, if so, how do we evaluate and measure the results of our decisions?
05. How do our cyber risk programme and capabilities align to industry standards and peer organisations?
06. Do we have a cyber-focused mindset and cyber-conscious culture organisation-wide?
07. What have we done to protect the organisation against third-party cyber risks?
08. Can we rapidly contain damages and mobilise response resources when a cyber incident occurs?
09. How do we evaluate the effectiveness of our organisation's cyber risk programme?
10. Are we a strong and secure link in the highly connected ecosystems in which we operate?

Boards and the C-Suite play a critical role in helping their organisations respond to the constantly evolving cyber threat landscape.

Cyber threats and attacks continue to grow in number and complexity – all while the business world grows increasingly connected and digital. Amid this new landscape, managing cyber threats becomes a business and strategic imperative, with the stakes higher than ever.

These days, cyber crime involves more than fraud and theft. As the domain of vast criminal networks, foreign government-sponsored hackers, and cyber terrorists, cyber crime extends across the risk spectrum – to involve disruption of services, corruption or destruction of data, and even "ransomware" activities that seek to extort money, access, or corporate secrets from victims.

Today, cyber risk and performance are more tightly intertwined. Tangible costs from cyber crime range from stolen funds and damaged systems to regulatory fines, legal damages, and financial compensation for affected parties. Intangible costs could include loss of competitive advantage due to stolen intellectual property, loss of customer or business partner trust, and overall damage to an organisation's reputation and brand.

Beyond the damage to individual organisations, the sheer scope of cyber attacks now has the potential to cause mass-scale infrastructure outages and potentially affect the reliability of entire national financial systems and the wellbeing of economies.

Top-tier issue

With so much at stake, the Board and C-Suite increasingly realise that cyber risk must be treated as a top-tier business risk, requiring a level of awareness deeply embedded in the culture of the enterprise. As every aspect of business today touches on some digital component, cyber risk concerns stretch well beyond IT and well beyond the walls of the enterprise – to every partner, customer, worker, and to every business process.

Faced with such questions and an evolving threat landscape, preparing for every possibility can prove daunting. So planning for what's probable – not just possible – offers a prudent path forward for leaders.

There's no blanket solution to the challenge, but Board and C-Suite leaders can begin developing a custom cyber security programme or improve an existing one. The 10 key questions that we lay out in the following pages should promote boardroom discussions around management's ongoing cyber strategies, how leaders effectively address evolving challenges, how they mitigate cyber risks, and how they anticipate opportunities.

Realising that at some point the organisation will be breached, leaders should work to understand the most significant threats and how those threats can put mission-critical assets at risk.

As Boards and the C-Suite take a more active role in protecting their organisations, many will struggle to ensure that their efforts are effective. What are their responsibilities? Which competencies should they be cultivating? What are the right questions to ask?

Assess your maturity level

This list of key cyber risk questions and accompanying range of responses should effectively guide organisations in assessing their cyber posture, challenge information security teams to ask the right questions and provide critical information, and help consistently monitor and improve cyber resilience going forward.

These questions are designed to help you identify specific strengths and weaknesses, as well as paths to improvement. Determine where your organisation's responses to the following questions fall on the cyber maturity scale:

Cyber security maturity scale

High maturity: We have a strong cyber risk posture within the organisation.
Moderate maturity: Cyber risk measures are in place; some work remains.
Low maturity: We are lagging on cyber risk management, with few measures in place and significant work to do.

What it means to be secure, vigilant, and resilient

Secure: Establish and continually maintain foundational security capabilities – by enhancing risk-prioritised controls to protect against known and emerging threats, while also complying with industry cyber standards and regulations.
Vigilant: Detect violations and anomalies through better situational awareness across the environment – within all areas of your ecosystem.
Resilient: Establish the ability to quickly return to normal operations and repair damage to the business following the inevitable cyber attack.

1. Do we demonstrate due diligence, ownership, and effective management of cyber risk?

Determining the right degree of accountability at the leadership level is essential. If oversight involves only a 5-minute update on cyber events every now and then, you're probably not doing enough to manage risk effectively.

High maturity
- Board and C-Suite hold a C-level executive accountable for cyber threat risk management – and are responsible for overseeing development of a cyber risk programme as well as confirming its implementation.
- Board and C-Suite stay informed about cyber threats and the potential impact on their organisation.
- Board has one or more members – or appropriately leverages strategic advisors – who understand IT and cyber risks.
- An established senior management-level committee, or a hybrid committee consisting of management and Directors of the Board, is dedicated to the issue of cyber risk – or an alternate senior management-level committee has adequate time devoted to the overall cyber programme.
- Due diligence is evident in regular updates, budget analysis, and challenging questions to management.

Moderate maturity
- Leadership and Board oversight are concerned with cyber issues, but stakeholder communications and oversight of specific structures remain largely high-level.
- Board has a working knowledge of IT and cyber risks.
- Cyber due diligence and the ability to challenge management on cyber issues are lacking.
- Oversight of cyber risk and assessment of related budgetary requirements remain at a very high level.
- Board intermittently assesses the cyber framework and strategic requirements.

Low maturity
- Tone at the top lacks cyber focus and understanding of strategic issues.
- Little engagement by leadership in specific IT security issues.
- Board has no significant experience in IT and cyber risks, and cyber issues are left to those within IT to resolve.

2. Do we have the right leader and organisational talent?

Everyone within an organisation holds some responsibility for cyber risk. With everyone responsible and with many leaders busy performing their legacy duties, organisations can fail to designate an appropriate leader – the "right" leader – who will ultimately be accountable for cyber risk.

High maturity
- Cyber leader has the right mix of technical and business acumen to understand how the organisation operates, to engage with the business, and to know where to prioritise efforts.
- Teams of passionate and energised staff stay up to date on the latest cyber trends, threats, and implications for their business.
- Cyber risk discussions take place at Board and C-Suite level.
- There is a sufficient number of skilled staff with relevant industry experience focused on the right areas.
- Compensation and total reward programmes are in line with industry and risk profile/importance to the organisation.

Moderate maturity
- Cyber leader is in place but is primarily focused on technical risks associated with cyber security.
- Cyber leader has a working knowledge of the industry but does not fully understand and appreciate how the organisation operates.
- Cyber risk is a significant focus but remains relatively high-level.
- Cyber risk issues often stall at the IT or management level.
- Skilled staff are present in IT and some business areas, but with limited industry-specific threat knowledge.

Low maturity
- Little focus on cyber risk from leadership.
- Cyber knowledge and talent are compartmentalised in the IT function.
- Ad hoc training programmes are developed for specific new technologies.
- High turnover of staff due to a lack of investment in talent strategy.

3. Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?

Developing meaningful cyber-related messages for the broader organisation can help foster the flow of information when there are cyber incidents or concerns. But clearly defining the triggers or threshold events, as well as the actual process for moving information up to management, can make the difference between functional and effective.

High maturity
- Clearly articulated risk appetite and cyber risks are incorporated into existing risk management and governance processes.
- Established enterprise-wide cyber risk policy is approved and challenged, when necessary, by the Board.
- Clearly described and operationalised roles and responsibilities exist across the cyber risk programme.
- Key risk and performance indicators exist, and processes are in place to escalate breaches of limits and thresholds to senior management for significant or critical cyber incidents.
- An alternative senior management committee has adequate time devoted to the discussion of the implementation of the cyber framework.
- Incident management framework includes escalation criteria aligned with the cyber risk programme.
- Evaluation and monitoring of the value of cyber insurance is in place.

Moderate maturity
- Established cyber risk policy is not fully implemented outside IT.
- Cyber risks are addressed only generally in overall risk management and governance processes.
- Risk appetite is not integrated into the cyber risk framework.
- Cyber risk response tends to be reactive rather than proactive.

Low maturity
- No formalised cyber framework is in place.
- Any risk escalation is ad hoc and only in response to incidents.

4. Are we focused on, and investing in, the right things? And how do we evaluate and measure the results of our decisions?

With risk and performance tightly linked, leaders should know what they're expending on resources – and they should know that they're bringing the right resources to bear on cyber challenges. Failing to develop a people strategy, overpaying for services, and other drags on operating costs are all very real risks.

High maturity
- Cyber risk is considered in all activities – from strategic planning to day-to-day operations – in every part of the organisation.
- Investments are focused on baseline security controls to address the majority of threats, and strategically targeted funds are used to manage risks against the organisation's most critical processes and information.
- Organisation has made an effort to identify its "black swan" risks and has a programme to anticipate and avoid these unlikely, but potentially catastrophic, threats.
- Organisation's investments and budgets align to risk (clear business cases for investments exist) and are reflected within the cyber strategy.
- Senior management provides adequate funding and sufficient resources to support the implementation of the organisation's cyber framework.
- A mechanism for credible challenge exists.

Moderate maturity
- Cyber framework is internally focused without added industry-based processes.
- Cyber strategy and investments are neither aligned nor supportive of one another.
- Imbalance of security investment across baseline security controls and those required for highly sophisticated attacks.
- Strong threat awareness is focused on enterprise-wide infrastructure and application protection.
- Implementation of identity-aware information protection.
- Automated IT asset vulnerability monitoring is in place.
- No significant mechanism for anticipating "black swan" risks.

Low maturity
- Lack of cyber strategy, initiatives, and investment plan.
- Only basic network protection/traditional signature-based security controls exist, with minimal concern for new technologies and methodologies.
- Occasional IT asset vulnerability assessments are performed.
- Business case for cyber investment is rarely made.

5. How do our cyber risk programme and capabilities align to industry standards and peer organisations?

It's important to know if your organisation is lagging – to know how you stand against businesses that are effectively addressing cyber risk. But what do you do if you discover you are lagging? If the Board and the C-Suite aren't actively in charge of the challenge, who is?

High maturity
- Comprehensive cyber programme leverages industry standards and best practices to protect and detect against existing threats, remain informed of emerging threats, and enable timely response and recovery.
- Adoption of an industry framework to establish, operate, maintain, and improve/adapt cyber programmes.
- Organisation has conducted an external benchmarking review of its cyber programme.
- Organisation periodically verifies internal compliance with policies, industry standards, and regulations.
- Organisation has formally certified critical and applicable areas of its business (e.g., ISO 27001:2013 certification).

Moderate maturity
- Cyber programme implements a number of industry best practices and capabilities, including basic online brand monitoring, automated malware forensics, manual e-discovery, criminal/hacker surveillance, workforce/customer behaviour profiling, and targeted cross-platform monitoring for internal users.
- Compliance and other internal programme reviews may be undertaken occasionally but not consistently.

Low maturity
- Cyber measures are ad hoc, with little reference to industry standards and best practices.
- May conduct intermittent high-level reviews in support of compliance and regulatory requirements.

6. Do we have a cyber-focused mindset and cyber-conscious culture organisation-wide?

As they try to strengthen their posture to become more secure, vigilant, and resilient, many businesses focus on education and awareness. But the need runs deeper. How do you change behaviour? Guidance on the answer should come from the Board and the C-Suite.

High maturity
- Strong tone at the top; the Board and C-Suite promote a strong risk culture and sustainable risk/return thinking.
- People's individual interests, values, and ethics are aligned with the organisation's cyber risk strategy, appetite, tolerance, and approach.
- Executives are comfortable talking openly and honestly about cyber risk using a common vocabulary that promotes shared understanding.
- Company-wide education and awareness campaign established around cyber risk (all employees, third parties, contractors, etc.).
- Awareness and training specific to individual job descriptions helps staff understand their cyber responsibilities.
- People take personal responsibility for the management of risk and proactively seek to involve others when needed.

Moderate maturity
- General information security training and awareness is in place.
- Targeted, intelligence-based cyber awareness focused on asset risks and threat types is in place.

Low maturity
- Acceptable usage policy is in place.
- Little emphasis on cyber risk outside of IT.
- Awareness and training issues are reactively addressed, in that training is given only after a breach or noncompliance is discovered, and only to a small subset of individuals.

7. What have we done to protect the organisation against third-party cyber risks?

The roots of many breaches have their origins with business partners, such as contractors and vendors. Cyber concerns extend far beyond the four walls of your business, requiring you to align with your partners, to understand what they are doing, and to ensure that you're comfortable with the risk factors those relationships present.

High maturity
- Cyber risks are seen as part of the due diligence process for critical outsourcing and subcontracting arrangements.
- All third parties are engaged through a consistent process, and policies and controls are in place (e.g., right to audit), aligned to the organisation's expectations and risk tolerance.
- Third parties receive specific training on cyber issues, tailored to relevant needs and risks.
- Risk management programme includes profiling and assessing all material third-party relationships and information flows.
- Processes are in place to ensure timely notification of cyber incidents from third parties.
- Steps are taken to mitigate potential cyber risks from outsourcing arrangements based on third-party profiling and risk assessments.

Moderate maturity
- Steps are taken to mitigate potential cyber risks from outsourcing arrangements.
- Due diligence around outsourcing and subcontracting arrangements is encouraged but inconsistently applied.
- Some correlation of external and internal threat intelligence.

Low maturity
- Only basic network protection is in place.
- Third-party due diligence and cyber risk protection measures are nonexistent.
- Communication from third parties regarding cyber incidents is not contractually embedded.

8. Can we rapidly contain damages and mobilise diverse response resources when a cyber incident occurs?

Even among highly secure businesses, it can often take days or weeks to discover a breach. What matters is confidence in your ability to respond – confidence in your processes – once you do detect the active threat.

From leadership's perspective, critical incident response capabilities include a clear and current chain of command, a thorough communication plan (including back-up contacts), and a broad view of legal issues, public relations needs, brand implications, and operational impacts.

High maturity
- Clear reporting and decision paths exist for action and communication in response to a security failure or accident.
- Cyber incident response policies and procedures are integrated with existing business continuity management and disaster recovery plans.
- Crisis management and cyber incident response plans and procedures are documented and rehearsed through wargaming, simulations, and team interaction.
- External and internal communications plans exist to address cyber incidents for key stakeholders.
- Organisation is actively involved in industry simulations and training exercises.

Moderate maturity
- Basic cyber incident response policies and procedures are in place but not effectively integrated with existing business continuity management and disaster recovery plans.
- IT cyber attack simulations are regularly undertaken.
- Cyber attack exercises are implemented intermittently across the business.

Low maturity
- Some IT business continuity and disaster recovery exercises occur.
- Cyber incident policies, response plans, and communications are minimal or nonexistent.

9. How do we evaluate the effectiveness of our organisation's cyber risk programme?

The answer to this question is simple. You evaluate from end to end. Execution is the difficult part. The other challenge: seeing beyond systems – to understand business-wide implications and to examine business processes, not just IT, through a critical lens. They're challenges that demand leadership and involvement from the Board and the C-Suite.

High maturity
- Board and C-Suite ensure that the cyber security programme is reviewed for effectiveness and that any identified gaps are appropriately managed in line with risk appetite.
- The Board, or a committee of the Board, is engaged on a regular basis to review and discuss the implementation of the organisation's cyber security framework and implementation plan, including the adequacy of existing mitigating controls.
- Regular internal and external assessments (health checks, penetration testing, etc.) of vulnerabilities are conducted to identify cyber security control gaps appropriate for the industry.
- Oversight activities include regular cyber security budget evaluation, service outsourcing, incident reports, assessment of results, and policy reviews/approvals.
- Internal audit evaluates cyber risk management effectiveness as part of its quarterly reviews.
- Organisation takes time to absorb important lessons and modify the secure and vigilant aspects of the programme to emerge stronger than before.

Moderate maturity
- Basic cyber risk assessments take place on a fixed, unvarying schedule and are not industry-specific.
- Internal audit evaluates cyber risk management effectiveness no more than once a year.
- Lessons learned are sometimes, but inconsistently, applied to improve management of cyber risk.

Low maturity
- Cyber assessments and internal audit evaluations are sporadic or nonexistent.
- Cyber measures remain relatively static and any improvements lack an experiential basis.

10. Are we a strong and secure link in the highly connected ecosystems in which we operate?

The cyber readiness of your partners influences your cyber posture. But cyber risk is a two-way street when it comes to partners. Are you a weak link? Are you a leader on cyber risk? Are you making a positive impact when it comes to cyber and the broader business landscape?

Collaborating with peer organisations and partners to share intelligence on threats is just one example of how business leaders can develop a more relevant, more holistic approach to cyber risk.

High maturity
- Strong relationships are maintained with internal stakeholders, external partners, law enforcement, regulators, etc.
- Supportive of innovative sharing initiatives that do not compromise information security and privacy.
- Knowledge and information sharing with industry sector, independent analysis centres, government and intelligence agencies, academic institutions, and research firms.
- Expansion of sharing efforts and relationships, to include partners, customers, and end users.
- Preference for vendors that support industry standards and cyber advancements.
- Independently maintain mature programmes to avoid being the weakest link.

Moderate maturity
- Ad hoc threat intelligence sharing with peers, or active collaboration with government and private sector on threat intelligence.

Low maturity
- Minimal external relationship development and no information or knowledge sharing with peers, government, or external groups.

Setting higher goals, setting strategic goals

Whether you're building or revamping, it's important for organisational risk leaders to set a target state for cyber maturity.

Effectively defining that target state requires an understanding of the business context and resulting priorities, along with discussions between cyber leaders and decision-makers in the rest of the organisation. While not all organisations need to be at the highest level in all areas of cyber maturity, the target state should support the organisation in achieving its strategic goals – balanced with the cost and time of achieving it. In many instances, this approach drives the organisation toward higher levels of maturity for areas in which cyber risk practices are deemed critical.

Developing a mature, advanced cyber risk programme is not just about spending money differently. It's about taking a fundamentally different approach – investing in an organisation-specific balance of secure, vigilant, and resilient capabilities to develop a programme unique to your needs.

Where do you stand?

Based on the results of your assessment, does your current state of maturity support or hinder your strategy and mission?

If your maturity index is not aligned with your target state of maturity – or if you have not yet developed appropriate cyber goals – it's time to start enhancing your cyber risk posture.

Of course, it isn't possible for any organisation to be 100 percent secure, but it's entirely possible to manage and significantly mitigate the impacts of cyber threats, including theft, regulatory penalties, legal compensation, and reputational damage. By working collectively, we can minimise the growing potential for broad-scale infrastructure outages and business disruption at the national, or even the global, level.

For more information, contact one of our leaders:

Nick Galletto, Global Cyber Risk Services Leader, 1 416 601 6734, ngalletto@deloitte.ca
James Nunn-Price, Asia Pacific Cyber Risk Services Leader, 61 2 9322 7971, jamesnunnprice@deloitte.com.au
Ed Powers, US Cyber Risk Services Leader, 1 212 436 5599, epowers@deloitte.com
Chris Verdonck, EMEA Cyber Risk Services Leader, 32 2 800 24 20, cverdonck@deloitte.com
Klaus Julisch, Swiss Cyber Risk Leader, 41 58 279 6231, kjulisch@deloitte.ch
Ash Raghavan, Global Cyber Center of Excellence Leader, 1 212 436 2097, araghavan@deloitte.com
Mark Carter, Swiss Risk Advisory Leader, 41 58 279 7380, markjcarter@deloitte.ch

Additional corporate governance resources

swissVR Monitor survey

swissVR Monitor is a survey conducted jointly by swissVR, Deloitte and the University of Applied Sciences and Arts, Lucerne. Every six months, this survey gauges the attitudes of members of Swiss company Boards of Directors towards the outlook for the country's economy and their sector and towards current matters of relevance to Boards. The surveyed Board members represent firms from SMEs to listed companies across a range of sectors. As a result, swissVR Monitor is an accurate reflection of the attitudes of Boards of Directors in Swiss companies, as well as the challenges facing them. It illustrates the views of individuals with a long-term influence on their company's success and includes prospects for the economy, their sector and their business.

EMEA 360 Boardroom Survey: Agenda priorities across the region (June 2016)

Deloitte is pleased to present the inaugural EMEA 360 Boardroom Survey. The survey presents the views of 271 directors across 20 countries in the EMEA region, providing a
