Why we need business, operational and financial resilience to optimize cybersecurity

The average cost of a data breach in 2022 was $4.35 million and is expected to reach $5 million in 2023. Cybersecurity research firm Cyber Ventures predicts that cybercrimes will cost the world $10.5 trillion by 2025. According to the Securities and Exchange Commission (SEC), “the potential costs and damage that can stem from a cybersecurity incident are extensive. Many smaller companies have been targets of cybersecurity attacks so severe that the companies have gone out of business as a result.”

To drive down risk and improve resilience to malicious cyber activity, governments and the private sector must evolve their respective approaches to cybersecurity risk management. Both parties must leverage their capabilities more strategically and develop frameworks to prioritise investments aligned to cyber threats.

In March 2023, the White House released its long-anticipated National Cybersecurity Strategy. Charting the course for this “decisive decade,” the Strategy recognizes that different actors throughout the digital ecosystem have comparative advantages when it comes to reducing risk, observing malicious cyber activity, synthesizing threat information and producing actionable guidance, disrupting threat actors and building resilience. To that end, the Strategy demands more from government and the private sector.

Two overarching principles drive the National Cybersecurity Strategy. First, “most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem." Second, the “economy and society must incentivize decision-making to make cyberspace more resilient and defensible over the long term.” Aligning policy and business decisions with these principles will undoubtedly raise our national cybersecurity posture. A more secure and resilient cyber domain is also good for business – investing in security costs money, but cleaning up a breach costs more.

Making the investments necessary to absorb additional responsibility for security may involve short-term costs, but it will also raise public confidence in the reliability of critical infrastructure and technology, increase productivity and profits and enable stronger, more strategic partnerships between the federal government and the private sector. In short, the private sector and the government are well-served by building cybersecurity into every aspect of operations and governance.

Historically, the federal government relied on voluntary frameworks to encourage the adoption of strong cybersecurity standards by the private sector. Cyber incidents, such as the SolarWinds supply chain attack and the Colonial Pipeline ransomware attack, however, revealed the limitations of a purely voluntary model and underscored the cascading consequences of cyber incidents. Even before the release of the National Cybersecurity Strategy, high-profile cyberattacks in 2020 and 2021 forced the federal government to reassess its reliance on voluntary measures to improve cybersecurity for critical infrastructure and technology companies.

Recognizing the need to raise the collective visibility of malicious activity on domestic networks, the US Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2021, which directed covered entities to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. This legislation earned the buy-in of the private sector because it enabled the federal government to disrupt malicious cyber campaigns sooner and provide critical insights into the tactics of our adversaries

Meanwhile, the Executive Branch has been prolific in its efforts to encourage the adoption of more robust cybersecurity practices. Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, wrote an open letter to corporate executives and business leaders in June 2021, urging them to implement the five best practices from Executive Order 14028, including using third-party penetration testers and refining incident response plans.

In July 2021, President Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, directing the Department of Homeland Security (DHS) and the Department of Commerce to develop cybersecurity performance goals for critical infrastructure. The two departments released the first version of the baseline cross-sector Cybersecurity Performance Goals (CPG) in October 2022 and have updated them since. Since they were released, the CPGs have informed new federal cybersecurity requirements for surface transportation and aviation, among others.

In February 2023, CISA Director, Jen Easterly, and Executive Assistant Director for Cybersecurity, Eric Goldstein, published an article in Foreign Affairs magazine making the case that: “in every business, the responsibility for cybersecurity needs to be elevated from the IT department to the board, the CEO and the senior executive level.” To that end, Director Easterly and Executive Assistant Director Goldstein declared “every technology provider must begin by creating products that are both ‘secure by default’ and ‘secure by design.’” They have been advocating for adoption of those principles ever since.

Relatedly, in March 2022, the Securities and Exchange Commission (SEC) released a proposed rule on cybersecurity risk management and governance. The new SEC rules seek to engage senior management and the board in a meaningful way.

Among other things, the proposed rule clarifies disclosure requirements related to a registrant’s policies and procedures for identifying and managing cybersecurity risks, cybersecurity governance structure, management’s role in addressing and mitigating cybersecurity risks and whether an individual with cybersecurity expertise sits on the registrant's board.

These requirements underscore the importance of advancing risk management and governance efforts across the boardroom community to ensure resources and investments are applied to those cyber risks that have the most material financial, business and operational impact.

The National Cybersecurity Strategy builds on the Administration’s work to date. While the federal approach to cybersecurity is evolving – and that evolution may result in new standards - it will also drive better cybersecurity practices for critical infrastructure and technology companies, reducing the risk for cyberattacks that hurt productivity, public confidence and, ultimately, profits.

For its part, the government has an obligation to its private sector partners to demonstrate the security value of new cybersecurity requirements and public-private partnerships. As the Strategy demands more of the private sector, it makes bold commitments on behalf of the government. It envisions a full-court press to tackle malicious cyber activity – from international coordination on ransomware and aggressively going after cyber criminals to disrupting malicious cyber campaigns and taking down threat actors’ infrastructure.

The government is doing a lot of that already – earlier this year the FBI infiltrated the Hive ransomware group, captured decryption keys and distributed them to victims. In April, the FBI and its international partners took down Genesis, an online store of hacked and stolen data. Together, these actions demonstrate how the government can leverage its unique resources and authorities to reduce risk to its partners and the public.

Additionally, as the government creates new standards for the private sector, it should ensure that any additional burdens are harmonized across all levels of government. Compliance costs should not detract from security investments. The Strategy commits to harmonizing regulations through the Office of the National Cyber Director and the Office of Management and Budget, much like the Cyber Incident Reporting Council at DHS is working to deconflict various cyber incident reporting requirements. However, these harmonization efforts navigate the complexities of independent agency regulators.

Finally, government must develop a framework to better assess interdependencies across critical infrastructure owners and operators and the potential cascading effects of cyber incidents. A sound framework for such analysis will drive strategic investments in security and facilitate greater resiliency. The Cybersecurity and Infrastructure Security Agency (CISA) is in the process of doing just that.

The cybersecurity ecosystem (people, processes, technology) is largely focused on addressing technical-level threats used to mitigate risk. While the cybersecurity ecosystem continues to evolve, it still lacks the ability to contextualize cyber threats and incidents to business, operational and financial exposures. The 'material' determination is influenced by the incident's impact on the company's business, operations and financial condition.

Below is an enumeration of the types of business and financial factors that should be contemplated when determining incident materiality. The types of costs and adverse consequences that companies may incur or experience as a result of a cybersecurity incident include the following:

• Costs due to business interruption, decreases in production and delays in product launches.

• Payments to meet ransom and other extortion demands.

• Remediation costs, such as liability for stolen assets or information, repairs of system damage and incentives to customers or business partners in an effort to maintain relationships after an attack.

• Increased cybersecurity protection costs, which may include increased insurance premiums and the costs of making organizational changes, deploying additional personnel and protection technologies, training employees and engaging third-party experts and consultants.

• Lost revenues resulting from intellectual property theft and the unauthorized use of proprietary information or the failure to retain or attract customers following an attack.

• Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.

• Harm to employees and customers, violation of privacy laws and reputational damage that adversely affects customer or investor confidence.

• Damage to the company’s competitiveness, stock price and long-term shareholder value.

Cyber risk management is a team sport that requires the entirety of the enterprise to ensure business resilience. What is required is a more inclusive message and collaboration that includes all enterprise risk management leaders.

Technology changes quickly and so do cyber threats. Static analyses of today’s risk are less helpful than establishing a regular flow of information to the board that supports cybersecurity investment decisions based on business, operational and financial considerations. With the board’s eyes kept regularly on cybersecurity as an aspect of routine governance, directors will be equipped to comply with the SEC’s new requirements.

Chris Hetner, former senior cybersecurity advisor to the SEC Chair and Chair of the Nasdaq Center for Board Excellence Insights Council, says: “It is essential for boards to continuously incorporate cyber risk management discussions related to the most effective way to reduce the financial and business impact connected with cyber risk. The conversation isn’t just for the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). It is a broader c-suite discussion, which must be led by the Chief Financial Officer (CFO) and General Counsel.”

Hetner says that boards can no longer ignore cybersecurity, noting: “The default tendency of executives is to rely on periodic tactical and technical reports to justify tech solutions that may address technical security issues.” He adds that: “Too often, cybersecurity gets lost in translation when engaging board members and the C-suite. This leaves leadership unsure of precisely what they are funding and where residual gaps remain.”

Hetner and the NACD recently supported the launch of a service where boards are supported to more effectively provide oversight related to cyber risk exposure. The X-Analytics and NACD Cyber Risk-Reporting Service is an annual subscription providing quarterly board reports highlighting the financial exposure attributed to an organization’s cyber risk. The platform relies on the same analytics used by leaders within the cyber insurance industry.

This new NACD service facilitates a broader c-suite conversation related to cyber risk and assists boards in engaging in discussions that transcend the technical aspects of cybersecurity.

To conclude, investing in cybersecurity costs money. Shortchanging cybersecurity investments costs more.