Opening Cyber Governance remarks, Kellogg Corporate Governance Conference
“Good morning! As a fellow director, I thought I’d give you some of my inside perspective of cyber governance. I think it’s a part of the larger picture of enterprise risk management in the digital age, but the time has come for cyber to become its own domain and its own area of board policies, procedures and expertise.
Our last CIA head, Leon Panetta, basically said that there is a potential cyber Pearl Harbor coming that could cripple our financial systems. Our FBI head said, surprisingly, in one meeting, “There are two types of companies out there right now. Companies that have been hacked and companies that are going to be hacked.” So, welcome to the club.
What we are experiencing is the largest transfer of wealth that we’ve ever seen around the globe, most of it, of course, being illegal. And they’re all correct because there are cyber criminals out there stealing your data, trade secrets, patents and intellectual property. There are activists that are really just trying to disturb your company or your brand and then there are insider threats, both malicious and accidental.
So my view is that boards are under attack, companies are under attack and we need a new game plan to go after that. Imagine that every night your headquarters building was being broken into. First they’re stealing Post-it Notes, maybe a potted plant, maybe they might eventually take some disk drives, a laptop.
But if you found out that anyone was getting into the building just for little incidents you’d be calling the CEO at 2 a.m., saying, “What the heck is going on?” and probably have a board call the next day.
And that’s what’s happening with cyber…but often you don’t know it. As we are sitting here, all of your companies are being hacked, or “pinged,” right now. Many multinational corporations have attempts on their systems tens of thousands of times per day! Do you know what your threat volume looks like? Many boards do not know what their stats are. I recommend, as a first step, that you find out and track it at the board level.
Some quick stats. The average breach right now, depending on whose data you believe, is about $2 million to $5 million in costs for companies, which actually sounds low from an insurance point of view. So that just deals with things like forensics and legal and PR and payments to consumers and the communications that have to go out. But there are many breaches that have been huge, some reported, some not.
Everyone remembers the Sony breach. It was about a $170 million hit to their P&L and about a 30 percent share drop because of one massive breach. Estimates are that over $114 billion is spent on mitigating such malware attacks. It hits about one in ten companies. My colleagues will probably say the numbers have gotten worse, but this is public data.
About a billion people have been affected. That’s up about 40 percent. So that’s about, what, one in three consumers from a state-side number. So for those who think, “You know, that’s really scary, Dean, but not in my industry,” guess again. It’s happening in every industry that you can imagine, including everyone in this room.
Most of us tend to sit back in boardrooms and say, “Hey, we’ve got IT guys working on this. They’ve got really great vendors that take care of things…right?” But the cyber security industry is really struggling to keep up, and some breaches go on, over and over and over again, some not being detected, or taken care of.
Groups are trying to fix these problems. One that a few of us are involved in is called “The Security Innovation Network,” which brings startups together with government and major corporations to get entrepreneurial startups to more rapidly solve our biggest government cyber threats, to solve corporate threats and develop the next generation of protection products.
There are over 100,000 cyber security jobs open in this country. We don’t have enough people to catch up with the hackers. So if you are a hacker, you know the advantage is on your side. They love your websites. There was a survey done with the Fortune 2000 sites. There are a lot of hidden files in your websites, some called “temporary files”. And simple things like a Word document or PDF have data that the hackers can use to get information. Often it’s undetected. Usually, it leads to what is called a “DOS” or a disruption of service. Someone goes into the site and disrupts it. And that could lead to a string of incidents.
What’s worse than that? I think it’s when they don’t just disrupt your site, they actually control it. Those of you in banking and finance and insurance know that that’s a really hot target right now.
From a governance and liability point of view, the IT losses from theft are huge because they can lead to restatements. But the government sometimes makes it harder, like the SEC’s evolving disclosure opinions that are not always clear. Congress just passed a draft cyber bill that is pulling between the privacy advocates and disclosure.
So, under the auspices of protecting your company, if this law does pass, we will have to disclose to the government private sensitive data about your consumers, all under the auspices of protecting the homeland. Yet another heated board debate.
Compliance and disclosure are also interesting, and vary by state and by country. Just by state, there are things that the board has to be involved in. There are timing issues about when and how you disclose.
One interesting example is something called the “Red Flag Rule.” The FTC basically says, “How do we protect you guys from giving loans to people who are the identity thieves?” They already have Dean’s ID and they are trying to get a loan for their house. So there’s a whole series of things that the board has to be aware of with these Red Flag Rules. And they’ll keep coming out.
So here are five of what I think are key cyber security governance challenges. One is the sophistication of attacks. I think we are going from scareware to “ransomware,” where they’re not just taking control of your site or something behind the firewall, but they’re actually holding it hostage. And that will become more and more prevalent in the next 24 months. The disruption of services stats, depending on whose numbers you like to believe, have gone from about 1.5 million incidents in 2011 to 120 million a year later. So, it’s going up…not down.
The second area to keep focused on is emerging technology. We all hear about mobile and social and BYOD. Does anybody know what BYOD is? It’s not bringing your own drinks to the office, it’s bringing your own device to the office. All of us do that as board members. How many of you look at your board decks on your iPad, sitting at home back on the couch? It is a totally unsecured device! We are part of the problem. Dell tracks that half of the client breaches they have now are somehow tied back to these BYOD devices. So your CIOs and CISOs are struggling with that.
The next trend in social is not just being on Facebook or Twitter. That’s where malware is going. Now they’re going after those profiles to get in touch with people to get access to your websites and your corporate servers. That’s very sophisticated.
And then you all know about mobile. Mobile is essentially the enabler that is making this a bigger problem as we move to mobile payments. It ties right back to people’s networks. And you don’t just have to be in the financial services industry to be concerned about mobile.
Then there’s the outsourced Cloud and “open source software,” which is free stuff. Mostly unsecured. The tech industry, as an example, accounts for about 26 percent of the data loss for consumers. And guess what? The tech industry is the largest user of outsourced providers. So make sure your outsourced provider has better standards than you do. And most do: many companies have done audits of their outsourced provider and found that their own internal regulations were not as good as the cloud provider’s.
You may also hear about “exploit kits,” automated programs that go into your servers, attack and then start spreading malware. So it’s not one little program, it’s more of a systemic thing. Dell is tracking about 16 million malware samples. I’m sure this number has been upgraded. So that’s about 44,000 new programs created a day as we sit here right now!
And the last threat that I’m most concerned about, just because they have more resources, is nation state cyber terrorism. Most people point the finger at Russia and China. There are others, of course. But, you know, China has a five-year plan that’s going after top industries, many of them represented in the room. They’d like to get your secrets.
So someone like Monsanto, that has a very proprietary corn formula, they may want to get their hands on that. In the old days, they used to have to break into the building. Now they can just go after it through cyber means.
Any of you ever watch Alias, the TV show that had this secret CIA group that really wasn’t the CIA, it was fake? It was called “SD6.” So China has this building you might have heard of. It’s called “Unit 61398.” In and around that building, there are estimated to be over 10,000 scientists, “analysts” they call them. I call them “hackers” who are state funded and coming after your data and are probably responsible for billions of dollars of theft.
From a board perspective, what do we need to do? I break it down to three things to focus on – the three “Ps”: protections, procedures and public disclosure. It’s very much like you protect other parts of the company.
“Protections” prevent the likelihood of an attack or a breach. These are procedures to actually mitigate it, to minimize that disruption, and then there are public disclosures. It sounds easy, but you have a tug of war with the executive team that is trying to innovate and compete in a connected economy. It’s very tough to go in and start clamping down.
So you are going to get a lot of tug of war. You’ll see it if you bring a CMO and a CTO into the same room. You’re going to see a lot of arguments about how secure your network should be and how much we should be taken off the net and locked down.
You need to ask the right questions. Let’s look at a couple of examples. One multi-national corporation had a major breach where companies got into their database. What they couldn’t establish was, “Okay, they accessed it, but did they download it?” Because when they were trying to fix the problem, they kind of stumbled on all the evidence. It made forensics very tough. So they called one of the big 3 auditors in to say, “Okay, we know they accessed, but we don’t know if they downloaded these 160,000 files of consumer information.” The board had a dilemma about whether to disclose this or not. The auditor came into that meeting and could not definitively say, “They were definitely accessed. You should disclose.” There was kind of a muddled decision about how to disclose. And that’s why sometimes you see partial disclosures out there.
Another multi-national never knew about the breach. So one day, the GC gets a call from the FBI saying, “Listen, you guys have been breached.” “Really, how do you know?” And he mumbled something about the CIA and the NSA, so there were a lot of investigations going on around the globe. The problem was the FBI can’t tell you much, so your CISO is frustrated. The best thing to find out is WHEN it happened; in that case it was over a year ago, and the FBI was just calling them. They can’t track it down. They can’t figure out what to do, and typically those don’t get disclosed because you have no idea what’s happened and the government’s really not going to give you a lot of information to solve it.
Here are some tips that I use as a director. I’m not an absolute expert, but I’m an example of how you can learn about complex digital and cyber governance issues, become a better enabler of the board, get the right people in to help…even if it is as simple as beginning to ask the right questions.
Some things that I look at are, “Do you have a committee set up?” Twenty-nine percent of directors are focused on IT cyber issues right now, which sounds small, but is up. So I think you should have a separate committee. I think you need a Chief Information Security Officer. I don’t think it should report to the CIO of the company. Typically it should report much higher because it is very broad-based. And you need to meet with those people and ask them the right questions and audit and validate the answers.
You need insurance. Fifty-seven percent of directors are not looking at insurance, according to the latest surveys. It’s simple. You guys know how to do D&O. It’s very simple; it’s the answers that are complicated. You really need to understand the coverage and the gaps there. The good news is coverage is up about 33 percent in 2012, so people are focused on this.
Of course, disclosure would be my third one. There are new teeth in these SEC cyber disclosure rules that were released in 2012, and they are probably being updated now.
On that front, I would recommend three things. First, separate these disclosures from your normal disclosures. The SEC is looking for more granularity. Second, report the actual breaches and they are looking for more succinct information on that. They also want to know about potential breaches. The SEC now wants detailed information of what a potential breach could be and what its impact would be on shareholder value if it were to occur. My issue with it is that if you put too much information out there, guess who is reading it? That secret unit in China? So you have to be very careful.
Also do your due diligence. It’s tough, you know, really understanding the BYOD policy and how it affects the company and what happens if you lose a mobile device and really getting into that granularity – not as a manager, but just as an understanding observer. And don’t be afraid to bring somebody into the meeting with you. You know, you don’t need a huge consulting thing; there are focused audit groups that can help to give the board a snapshot of, “Now we know what we don’t know,” and education is the next important thing.
As directors, we just need to get more educated and move from the learning stage into, “What do we do about this?” and tip it into the regular risk profiles that we look at.
A good place to start is with ourselves. So when you’re asking “What about this? What about that?” just think about it with yourself. What are your procedures when you get board documents on your unsecured phone and iPad? What are your delete procedures there? We used to always get Board Decks, which some of us still do, and we are never sure if everyone shredded them properly, but usually you knew if they were left at the meeting. So, I just challenge each of you to look at all of your devices and see, “Gee, I’ve got unsecure software. I’ve got outdated software. It’s not secure.” Most people say, “Well, Dean, I have a Blackberry. So I’m good, right? They’re more secure.” Even things like Blackberry, they have just come out with a new program that separates your personal data and your business corporate data … well, the UK government has not accepted that as a secure approach, just another example of cyber governance ambiguity!