
Cybersecurity Guide for Directors

Published by payten.carroll, 2015-12-11 08:59:05


A cybersecurity guide for directors


A cybersecurity guide for directors
By R. William “Bill” Ide III and Amanda Leech, Dentons Governance Center[1]

With the ever-present reality of cybersecurity breaches, there has been a tendency in board governance literature to treat cybersecurity risks differently from other risks facing the organization. In practice, however, boards have long been tasked with protecting their companies from significant risks. While cybersecurity may appear to many board members to be a daunting new risk, the long-established “tried and true” board governance approach to risk oversight described here works well and should be applied to cybersecurity risk.

Board duties generally fall within six categories: (i) governance, (ii) strategy, (iii) risk, (iv) talent, (v) compliance and (vi) culture. With respect to cybersecurity, the board’s duties in each of these categories play a critical role in effective oversight of a company’s cybersecurity program.

Every director should have a general understanding of cybersecurity risk and what it means for directors’ oversight responsibilities. While the basic business-judgment obligations of directors are the same for this emerging area of risk, cybersecurity itself is a dynamic and complex subject. The purpose of this guide is to provide a “plain English” review that helps directors and senior managers carry out their cybersecurity oversight duties, including cyber strategy development and governance. Effective oversight in this area can mean the difference between “learning the hard way” and incurring significant damages, or successfully mitigating the damages that frequently accompany a significant breach.

While this guide is specific to boards of directors, the fiduciary principles of oversight apply to senior management as well. Senior management also delegates and oversees, but at a more granular level than boards. In the end, senior managers should also follow the principles of this guide to establish proper oversight, ensure that sufficient processes and controls are in place and assure their boards that cyber risks are identified and managed well.

Cybersecurity oversight: The role of the board

For company management and boards of directors, a record number of recent incursions—such as those at Target and Sony—demonstrate that cybersecurity risk is as significant as other critical strategic, operational, financial and compliance risks under boards’ purview.

Since the passage of the Sarbanes–Oxley Act of 2002, the Delaware courts have repeatedly broadened the proactive duties of oversight of independent directors in areas of material impact on shareholder value such as risk, compliance and executive compensation. Just as boards are charged with overseeing a company’s financial systems and controls, they also have a duty to oversee a company’s management of cybersecurity, including oversight of appropriate risk mitigation strategies, systems, processes and controls.

Without effective oversight and accountability, an organization’s cybersecurity governance systems, policies and procedures can be rendered meaningless, leaving the enterprise vulnerable to attack. In today’s world of continually reported material data breaches, boards cannot claim lack of awareness as a defense against allegations of oversight failures. Regulators and shareholders are increasingly demanding more evidence of director attentiveness to cyber risk. As the Target breach demonstrated, breaches can result in calls for director removal. Even if directors are re-elected, the board and the company will likely face numerous shareholder derivative and class action lawsuits.

Cybersecurity governance

The first question for the board is: Who owns management of the cybersecurity risk at the board level and at the management level? Typically, boards delegate cybersecurity oversight to the audit committee—or to the risk committee if one is part of the board’s governance structure—for a more concentrated review, with periodic reports to the full board. Others approach cybersecurity as a matter to be overseen by the full board. Company size, industry and existing board risk management structures will dictate the best approach. For the foreseeable future, cybersecurity will require considerable attention by boards working with management, internal audit, enterprise risk management (ERM) and cybersecurity experts as the threats continue to evolve and the total enterprise seeks to adjust. Processes, systems and controls must remain fluid for the foreseeable future.

At the management level, the CEO is ultimately accountable to the board for management of cybersecurity risk. Often, a CEO looks to business information technology (IT) or, in larger organizations, a chief information security officer (CISO) to interface with the board and hold accountability for cybersecurity risk management. This approach builds from a technology knowledge platform, but the major challenge is governance of the total enterprise, which requires established management skills of communications, project management, behavioral science and command presence.

Technical solutions are one piece of managing the risk, but as the following chart shows, every function in the enterprise has a role to play. For success, each business unit must own and embrace cybersecurity as a priority. Tension between a decentralized business model and cybersecurity’s need for centralization requires high-level management attention to resolve conflicts. Decentralization favors local decision-making by each unit; cybersecurity, on the other hand, must by its nature be centralized, and at times must seek to override those local decisions. Accordingly, IT or the CISO should report to a senior management member who can oversee the enterprise’s cybersecurity program decision-making, and to whom the board can look as accountable for cybersecurity.

Cybersecurity strategy and risk oversight

Too often, IT presents boards with cybersecurity reports that are technical but lack an enterprise-wide strategic overlay. For effective oversight, boards should hold senior management accountable for ensuring that a clear and concise cybersecurity strategy, understandable in nontechnical terms, is in place, along with systems and controls to monitor its implementation. This requires regular dialogue between the board and management, and the sharing of accurate and useful information, including metrics to track performance and provide accountability. Most importantly, a concise, high-level, “plain English” cybersecurity strategic plan must be agreed to by the board and senior management.

Risk-based strategy

Instead of a castle-and-moat, “keep the bad guys out” prevention-based approach, cybersecurity strategy has evolved to a risk-based approach. Because a perimeter defense cannot provide complete protection, the risk-based approach focuses instead on prioritizing and protecting identified “crown jewels” (for example, third-party information, intellectual property and critical process control networks). Risk-based defense includes detecting and responding before the additional protections around the “crown jewels” can be compromised, while also stopping intruders before they inflict other forms of disruptive and reputational damage, as in the Sony breach.

While perimeter defenses remain essential for deterring less sophisticated attacks, effective cyber strategies now allocate security resources around a company’s information and processes, with additional layers of protection around the most valuable assets. Tomorrow, new technologies and techniques may require further shifts in strategy. Boards should regularly seek independent third-party reviews on strategic best practices for companies with a similar industry, size and risk profile.

Cybersecurity governance components

Success of the entity now depends on cyber – and the entity is only as protected as its weakest link. The cyber threat calls for the business model to adopt cybersecurity as a key component. In a best-in-class cyber risk mitigation model, each function has a defined role:

• Board of Directors: Oversee cyber strategy and monitor risks as part of the overall entity strategy and ERM
• HR & Compliance: Provide training and education
• IT & Security: Evaluate cyber risks and drive implementation of the cyber strategy and ERM
• Business Units/Operations: Implement and drive conformance with the cyber strategy
• Legal/Regulatory & Privacy: Assure compliance with applicable cyber and privacy laws
• Procurement: Protect against third-party intrusions
• Acquisitions & Growth: Adopt strategies to decrease risks in entering new markets (e.g., China)

These critical components all need to collaborate and be a part of the cybersecurity strategy.

Risk prioritization

This key part of strategy begins with the identification and prioritization of cyber risks. Cybersecurity resources are finite, so the strategy should focus on the most material cyber risks, considering both the likelihood and the magnitude of harm if the risks were realized. To facilitate this prioritization, many companies maintain a risk register of material cyber risks—a central repository for all risks identified by the company, including data, locations, access points, security devices and other related information. The risk prioritization process should precede the budget and resource allocation process to ensure alignment between resources and risks.

Ranking risks and determining which to accept, mitigate or transfer is a substantial undertaking. Its effectiveness depends on the quality of information and the knowledge of the individuals who make the recommendations. Board members must be assured that every function in the company has been solicited to contribute to the strategy’s development. In particular, those with responsibility for law, privacy, physical security and crisis management response will need to offer integral input. Many industries will have specific regulatory concerns that must be woven into the strategy. As part of the risk prioritization process, senior management should provide detailed recommendations about the plan to the board, including identification of risks to be accepted, mitigated or transferred (through cyber insurance).

Strategy best practices and standards

Cyber risk has escalated so rapidly, and so publicly, that entities everywhere are scrambling to regain ground and keep up with the evolving cyber threat. Governments, regulators, industries, companies and thought leaders alike are looking for the right approach—or approaches—to address this complex and dynamic issue. So it’s no surprise that cybersecurity strategy best practices, standards and public policies are still very fluid and multiplying rapidly.[2]

Today, it is unclear what standards will become widely viewed as best practices, and whether those standards will vary by industry and/or company size. Boards and management should agree on the best approach for their company. For purposes of demonstration, let’s assume that the standards described below are the right approach in the present discussion.

In February 2014, in response to Executive Order 13636, the National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity, a set of industry standards and best practices for cybersecurity risk management.[3] The NIST Cybersecurity Framework was developed as a voluntary framework to reduce cyber risks to critical infrastructure, and incorporates globally accepted technical standards, guidelines and practices, including ISO 27001, ISA 62443 and COBIT 5, among others. The framework includes five functions that together can comprise the foundation of a cybersecurity risk strategy for any enterprise:

• Identify: Develop organizational understanding of the overall cyber risk context, including asset management (systems, data, hardware, devices, communication flows), business environment (prioritization of risks, objectives and activities) and governance (every part of the enterprise must know its role and be accountable). In other words, what are the cyber activities that could be harmed, and in what ways?

• Protect: Deploy safeguards to prevent intrusions, including access control, awareness and training, data security, information protection processes, maintenance and protective technology.

• Detect: Enable timely discovery of a cybersecurity breach to limit the harm from intrusions through surveillance, detection of anomalies and events; continuous security monitoring; and detection processes.

• Respond: Implement plans and activities to contain any damage resulting from a cybersecurity breach through comprehensive crisis management and incident response planning and the running of tabletop exercises.

• Recover: Develop plans and activities to resume normal operations following a cybersecurity event, including post-event mitigation and lessons learned.

As an initial matter, the company should develop a detailed plan highlighting the gaps between current practices and best practices in each of the above functions, along with concrete steps for remediation. High priority should be given to implementing a robust incident response plan to minimize damages from breaches. In addition to any required remediation, the board should monitor the development of the complete cybersecurity strategy, beginning with risk prioritization, as well as the program’s effectiveness. There are two major activities to monitor: (i) the build-out and installation of the strategic plan and (ii) the effectiveness of the plan. The use of dashboards to monitor the installation and effectiveness of the strategic plan is essential for meaningful board oversight of cybersecurity strategy.

Dashboards

With respect to cybersecurity, effective dashboards should be carefully tailored to meet the needs of the company and its board. As a result, creating a dashboard requires input from both management and the board. The general trend is a bifurcated approach, in which maturity and overall effectiveness are monitored by separate dashboards. Below are descriptions of both, as well as sample dashboards that can be modified to the particular dynamics of industry and size.

Maturity dashboards

The maturity dashboard presents metrics that depict the maturity of the company’s cybersecurity program. At its most basic, this dashboard can simply be an assessment of the company’s cybersecurity strategy with respect to the five NIST functions detailed above. For each function, a company can characterize its program using the Framework’s four implementation tiers: (i) Partial, (ii) Risk Informed, (iii) Repeatable or (iv) Adaptive. (NIST is careful to call these implementation tiers rather than maturity levels, but boards commonly use them as a maturity scale, which is the use made of them here.) For companies that have previously identified weaknesses and remediation efforts in their cybersecurity program, the maturity dashboard should also include metrics that allow the board to monitor the progress of the identified improvement efforts.

Sample maturity dashboard

• NIST assessment

  Function    Target    Actual*    Change
  Identify
  Protect
  Detect
  Respond
  Recover

  * The actual state can be color-coded: for example, red if the target state has not been achieved, green if it has.

• Implementation of projects

  Project    Projected timeframe    On track†    Notes
  1.
  2.
  3.
  4.

  Additional rows should be added to the table as needed.
  † The “on track” column should contain “yes” or “no.” Again, the boxes can be color-coded for ease of review.

• Summary of implementation challenges

  Project item number:
  Summary of challenges:
  Proposed new timeline:
  Number of previous extensions:

Effectiveness dashboards

In contrast to the maturity dashboard, the effectiveness dashboard provides metrics that allow the board to ascertain how effective the program is. It generally focuses on threat assessment, threat detection, remediation metrics and recovery metrics. Some boards also request certain protection-related metrics while the program is maturing; however, as protection efforts become consistent, these metrics have limited usefulness. The effectiveness dashboard is most useful when it provides numerical metrics rather than high-level conclusory determinations based on underlying numbers not provided to the board.

Sample end-of-quarter effectiveness dashboard

1. Number of severe incidents: ________    Status: Resolved or Ongoing

2. Description of severe incident*

  Type of incident:
  Description:
  How discovered:
  Time to discovery:
  Time to resolve:
  Estimated cost:

  * The table should be reproduced for each severe incident in the applicable time period. External incidents that suggest new forms of risk should also be reported, with a description of mitigation activities.

3. Detection metrics

  Physical access controls – number of incidents: ________
  Environmental controls – number of incidents: ________

  Item                                     Detected/received    Resolved    Notes
  Unauthorized user accounts
  Unauthorized devices
  Credential theft
  Incidents involving PII
  Alerts from security service provider

4. Training metrics*

  Metric                                                          End of Q1    End of Q2    End of Q3    End of Q4
  Percent of new hires completing training within 30 days
  Percentage of employees current on annual awareness training

  * Metrics should be included for the current and at least two previous quarters to show trends.
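The guide asks for numbers rather than conclusions, so the following added example (not code from the guide, from Dentons or from NIST) shows how the figures behind both sample dashboards can be computed from records a security team already keeps. It serves the maturity dashboard (target tier versus actual tier, with the red/green flag) and the effectiveness dashboard (severe incidents per quarter, time to discovery, time to resolve, training completion). The record layouts, field names and all sample incidents and hires are constructed for illustration and are not a standard; a real deployment would read them from the incident tracker and HR system.

```python
"""Computing the numbers behind the two board dashboards.

Added example for this guide, not code from Dentons or from NIST. The
record layouts (incident dicts with 'opened', 'discovered', 'resolved';
hire dicts with 'hired', 'trained') are assumptions chosen for
illustration, as is the sample data at the bottom.
"""
from datetime import date, datetime
from statistics import median

# NIST Cybersecurity Framework implementation tiers, lowest to highest.
TIERS = ["Partial", "Risk Informed", "Repeatable", "Adaptive"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]


def maturity_status(target, actual):
    """One maturity-dashboard row per NIST function.

    'gap' is how many tiers short of target the function sits (0 when met);
    'colour' is the red/green flag the guide suggests for the Actual column.
    """
    rows = {}
    for fn in FUNCTIONS:
        t, a = TIERS.index(target[fn]), TIERS.index(actual[fn])
        rows[fn] = {"target": target[fn], "actual": actual[fn],
                    "gap": max(t - a, 0),
                    "colour": "green" if a >= t else "red"}
    return rows


def quarter_of(d):
    """Quarter label such as '2015Q2' for a date or datetime."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def hours_between(start, end):
    return (end - start).total_seconds() / 3600


def effectiveness_metrics(incidents, hires, quarter, headcount, current_on_training):
    """Effectiveness-dashboard numbers for one quarter, bucketed by discovery date.

    Time to discovery runs from the earliest evidence of attacker activity
    ('opened') to detection; time to resolve runs from detection to closure.
    Ongoing incidents count toward the severe total but not toward
    time-to-resolve, so the median is never flattered by open cases.
    """
    severe = [i for i in incidents
              if i["severity"] == "severe" and quarter_of(i["discovered"]) == quarter]
    ttd = [hours_between(i["opened"], i["discovered"]) for i in severe]
    ttr = [hours_between(i["discovered"], i["resolved"]) for i in severe if i["resolved"]]
    new_hires = [h for h in hires if quarter_of(h["hired"]) == quarter]
    trained_in_30 = [h for h in new_hires
                     if h["trained"] is not None and (h["trained"] - h["hired"]).days <= 30]
    pct_new = round(100 * len(trained_in_30) / len(new_hires), 1) if new_hires else None
    return {
        "severe_incidents": len(severe),
        "ongoing": sum(1 for i in severe if i["resolved"] is None),
        "median_hours_to_discovery": median(ttd) if ttd else None,
        "median_hours_to_resolve": median(ttr) if ttr else None,
        "pct_new_hires_trained_within_30d": pct_new,
        "pct_employees_current_on_training": round(100 * current_on_training / headcount, 1),
    }


# Constructed sample data (not real incidents); tiers are placeholders.
SAMPLE_TARGET = {fn: "Repeatable" for fn in FUNCTIONS}
SAMPLE_ACTUAL = {"Identify": "Repeatable", "Protect": "Risk Informed",
                 "Detect": "Partial", "Respond": "Repeatable", "Recover": "Adaptive"}
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "severity": "severe", "opened": datetime(2015, 4, 2, 9),
     "discovered": datetime(2015, 4, 10, 9), "resolved": datetime(2015, 4, 12, 9)},
    {"id": "INC-2", "severity": "severe", "opened": datetime(2015, 5, 20, 0),
     "discovered": datetime(2015, 5, 21, 12), "resolved": None},
    {"id": "INC-3", "severity": "low", "opened": datetime(2015, 6, 1, 8),
     "discovered": datetime(2015, 6, 1, 9), "resolved": datetime(2015, 6, 1, 10)},
    # Discovered in Q1 but resolved in Q2: counted in Q1, not Q2.
    {"id": "INC-4", "severity": "severe", "opened": datetime(2015, 1, 5, 8),
     "discovered": datetime(2015, 3, 30, 8), "resolved": datetime(2015, 4, 3, 8)},
]
SAMPLE_HIRES = [
    {"hired": date(2015, 4, 6), "trained": date(2015, 4, 20)},   # 14 days: on time
    {"hired": date(2015, 5, 4), "trained": date(2015, 6, 15)},   # 42 days: late
    {"hired": date(2015, 6, 1), "trained": None},                # not yet trained
    {"hired": date(2015, 2, 2), "trained": date(2015, 2, 5)},    # Q1 hire, excluded
]


def sample_dashboard(quarter="2015Q2"):
    return {"maturity": maturity_status(SAMPLE_TARGET, SAMPLE_ACTUAL),
            "effectiveness": effectiveness_metrics(SAMPLE_INCIDENTS, SAMPLE_HIRES, quarter,
                                                   headcount=1200, current_on_training=1080)}


if __name__ == "__main__":
    import json
    print(json.dumps(sample_dashboard(), indent=2))
```

Two design choices matter for a board reading the result. Incidents are bucketed by the quarter in which they were discovered, not resolved, so a long-running case cannot disappear from the quarter in which detection failed; and open cases are excluded from time-to-resolve, so the figure reported is never better than the cases actually closed. Running `sample_dashboard()` for three consecutive quarter labels gives the trend rows the training table asks for.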

While it is management’s responsibility to develop and implement the cybersecurity strategy, and boards should not micromanage, boards have an obligation to retain the prerogative to fully understand a company’s risk exposures. In the event that a board finds itself in need of additional information about a particular issue, it can engage in a deep dive. Similarly, if a board observes a large number of stakeholders providing input on the same cybersecurity concern—or if management faces delays in implementing a particular aspect of the strategy—the board can use a deep dive to assure proper management of the identified risk area. While boards should generally stay focused on the macro and defer to management on the micro, as noted above, there are times when they should be more deeply involved in the tactics and implementation of strategy (for instance, in the event of a material cyber incident). On these occasions especially, good communication and leadership are critical for maintaining trust between management and the board.

Talent

A major responsibility of a board is to ensure the company has the right talent to accomplish its goals. Selection, evaluation and compensation of the CEO is the major task. However, it is also important that the board ensures the right skills and experiences are brought to bear in managing something as vital to the organization as cybersecurity.

Following the departure of Target’s CEO, much was made of the fact that the company did not have a CISO or a chief security officer (CSO).[4] A key area of board oversight is ensuring that the company’s organizational structure is aligned behind its strategy, and that management has the skills and experience to execute the strategy.

Historically, the business IT function has primarily been a technology provider, charged with delivering top quality data, Internet connectivity, hardware, software and other technologies to business units. Many companies also allowed business units to use third-party technologies. Following decades in which entities have become totally dependent on IT for their flow of information, the cyber threat has now developed into something far more dangerous than previously anticipated. Nevertheless, many companies that relied on the IT function for cyber risk management continued to do so without considering that the threat has grown exponentially beyond just a question of technology.

As cyber threats have continued to escalate, it is increasingly unrealistic to expect that IT alone is able to provide adequate protection against cyber risks. These should be managed through the lens of the entire enterprise. History demonstrates that “viewing data breaches as a ‘technical issue’ is a recipe for failure.”[5] While IT will likely always have a major role in cyber risk mitigation, there are significant differences in the skills and goals of the IT function and the information security function.

More and more enterprises are appointing a CISO to lead cybersecurity. While the CISO must honor and reinforce the business support mission of IT, his/her highest responsibility is prioritizing security measures to mitigate cyber risk. Further, the CISO must have a national security outlook, including awareness of “tail risks” and “black swans.” It will be rare that a CISO will have the business operations, project management, communications and C-suite skills to eliminate the need for a senior management member overseeing the CISO on behalf of the CEO and the board.

Distinguishing responsibility between the delivery of IT and information security is an important governance step. Assuring cyber risk management throughout the full enterprise, beyond IT, raises other governance dynamics. The cyber threat involves information in the hands of suppliers and other third parties beyond the purview of IT, in which procurement and legal experts must be involved. Dealing with significant insider risks and pressures to compromise is also beyond the scope of IT. Further, limiting oversight to IT can restrict the budget, influence and authority required to manage cyber risk effectively, which places the whole company at greater risk.

The risk-reward considerations for cybersecurity management are so significant that senior management must be in charge of the process. In addition, “deferring responsibility to IT inhibits critical analysis and communication about security issues, and hampers the implementation of effective security strategies.”[6] In the end, senior management must lead cyber risk decisions so the appropriate cybersecurity strategy can be effectively implemented and monitored throughout the enterprise, with effective oversight by the board.

In addition to the management skills and experiences needed to address cyber risk, an advocate is needed to assure such skills and experience at the board level. As noted previously, cybersecurity is primarily a governance challenge beyond IT. A CEO whose company manages cybersecurity well would bring valuable insights and experiences. The right IT technologist could be a positive contribution to a board, but for most companies that would not be necessary.

Compliance

In general, boards rely on the general counsel, internal audit and ERM, among other functions, to provide independent risk assessments and to confirm that risk management processes are in place. For the foreseeable future, cyber risks are potentially more consequential than other enterprise-significant risks. It is important that the general counsel, internal audit and ERM give cybersecurity a high priority. Boards should undertake regular, proactive discussions with these functions to ensure their leaders recognize that cyber risk is dynamic and requires continuous external screening for new forms of threat mitigation. For example, internal audit can no longer focus solely on perimeter defense controls, without consideration of risk-based controls. Likewise, ERM should monitor and screen externally for new forms of cyber risk, with the awareness that some cyber risks are more qualitative and difficult to measure.

Increasingly, cybersecurity is becoming more of a legal and regulatory area where the general counsel’s lead on assuring disclosures, full understanding of legal risks and adequate crisis management plans will be critical.

For independent verification of the status of the company’s cybersecurity program, the board should strongly consider authorizing an ethical hacking program. Ethical hacking is designed to uncover vulnerabilities, and is conducted internally or by an external contractor. Whether conducted internally or externally, the engagement should have a written scope and rules of engagement, and each finding should be assigned an owner and tracked to closure. Few companies receive pristine reports from ethical hacking. While the greatest value from ethical hacking can be achieved by leveraging findings across the enterprise to remediate immediate security vulnerabilities, the activity also has important awareness-raising implications for internal audit, ERM and the board. Finally, internal auditors and the general counsel should periodically commission a third-party cybersecurity strategy and governance review to assure that the company is keeping pace with best practices and that the picture presented to the board is verified as accurate.

Culture

Cyber risks should be managed through the lens of the entire enterprise. Every employee has a role to play, and a top-down culture of cybersecurity is essential for containing and managing this evolving risk. Studies show that employee lapses are the major enablers of cyber intrusions. A strong culture of inspiration and accountability is the best preventive measure for threats from misinformed, inattentive or malicious employees. Peter Drucker said, “Culture eats strategy for breakfast.”[7] He might have added that it feeds on policies, systems and controls, which are only as effective as the culture of the organization in which they exist. With regard to cybersecurity, the culture either supports and reinforces policies, systems and controls, or it overrides and undermines them. It is essential that all employees—without exception—understand that everyone has an equally important role and obligation to protect the enterprise from cyber intrusions. They must feel empowered to act accordingly.

Cybersecurity, like all major risks, requires a culture of accountability, collaboration and continuous education and training, with all efforts geared toward supporting the strategy and mitigating cyber risks. Creating that culture drives individual awareness and acceptance of the strategy, shared commitment to its implementation and, ultimately, cyber risk mitigation. All of this starts with a “tone at the top” from the board and senior management. For values and behavior to permeate the organization, the highest levels of the enterprise must lead by example. If a board member or C-suite member is cavalier about passwords or phishing, that will soon be known throughout the organization. Cybersecurity requires all at the top to live in glass houses.

About the authors

R. William (Bill) Ide, III, a partner at Dentons, chairs the advisory board to the Conference Board’s Governance Center and serves as the general counsel and secretary of the EastWest Institute. Bill formerly served as senior vice president and general counsel of Monsanto Company. He was counsel to the United States Olympic Committee and president of the American Bar Association, and he previously served as a member of the board of directors of Albemarle Corporation and Popeyes Louisiana Kitchen, Inc.

Amanda K. Leech is a senior managing associate at Dentons. She focuses her practice on general corporate counseling of both privately held and public companies, focusing on mergers, acquisitions, joint ventures and strategic alliances. Amanda also counsels boards of directors on implementing corporate governance and compliance programs, and assists boards of directors with special independent reviews and investigations.

Endnotes

[1] Bill Ide and Amanda Leech are members of the Dentons Governance Center, and the guide is based upon their work with and service on public company boards. Dentons Governance Center colleagues Joseph Blanco and Crystal Clark made substantial contributions to this guide.
[2] The International Organization for Standardization’s ISO 27001 has been an international information security management standard since 2005. In 2011, the SEC issued interpretive guidance on companies’ disclosure obligations regarding cybersecurity risks and material breaches, and has prioritized information sharing about cybersecurity practices and incidents. In 2014, the FTC asserted itself as the Federal government’s principal cybersecurity regulator through a series of enforcement actions requiring companies to take “reasonable” cybersecurity measures. And in January 2015, the Obama Administration proposed new cybersecurity legislation to address online fraud and data breaches. Similar activities are taking place at the state level and in the Congress. While this is far from an exhaustive summary, as long as the cyber threat continues, it is reasonable to assume that legislators and regulators will continue to respond with new policy proposals.
[3] http://www.nist.gov/cyberframework/
[4] Brian Krebs, The Target Breach, By the Numbers, Krebs on Security, May 6, 2014, http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
[5] Online Trust Alliance, 2014 Data Protection & Breach Readiness Guide 4 (2014).
[6] National Association of Corporate Directors, Cyber-Risk Oversight Handbook 7 (2014).
[7] Bill Aulet, Culture Eats Strategy For Breakfast, TechCrunch, April 12, 2014, http://techcrunch.com/2014/04/12/culture-eats-strategy-for-breakfast/

About Dentons

Dentons is a global law firm driven to provide a competitive edge in an increasingly complex and interconnected world. A top 20 firm on the Acritas 2014 Global Elite Brand Index, Dentons is committed to challenging the status quo in delivering consistent and uncompromising quality in new and inventive ways. Dentons’ clients now benefit from 3,000 lawyers and professionals in more than 80 locations spanning 50-plus countries. With a legacy of legal experience that dates back to 1742 and builds on the strengths of our foundational firms—Salans, Fraser Milner Casgrain (FMC), SNR Denton and McKenna Long & Aldridge—the Firm serves the local, regional and global needs of private and public clients. www.dentons.com

© 2015 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.
CScybersecurity-090115 — 01/09/2015

