Navigate Complexities of evolving Cybersecurity Risk

Context:

In today’s digital landscape, organisations are increasingly dependent on technology to drive their business. Maintaining strong cybersecurity practices is critical to protecting against threats, mitigating risks, and ensuring operational continuity.

A comprehensive approach—through well-defined cybersecurity policies, frameworks, and practices—is essential for building a resilient organisation. However, some businesses underestimate the importance of cybersecurity controls, mistakenly viewing them as a drain on budgets or a hindrance to growth. This perception is misguided.

It is vital to set this context, as the Executive Management Committee, Board of Directors (BoD), and Chief Information Security Officer (CISO) have a fiduciary responsibility to act in the best interests of the organisation and its stakeholders. While the Executive Management Committee focuses on the day-to-day running of the business, the BoD has distinct oversight duties, ensuring the organisation is equipped to defend against cyber threats. They must ensure there are robust systems in place not only to prevent attacks but also to minimise disruption through a well-prepared incident response strategy, enabling the organisation to recover swiftly if an attack occurs.


What is the Extent of Cybersecurity Risks?

Organisations today face constant cybersecurity threats, with one of the most significant risks coming from within—employees with low security awareness. Threat actors often exploit these vulnerabilities, targeting individuals to gain access to systems.

Phishing remains the most prevalent form of cybercrime. It’s estimated that 3.4 billion phishing emails are sent daily by cybercriminals, often disguised to appear as legitimate communications from trusted sources. Techniques like phishing (email), smishing (SMS), and vishing (voice) use social engineering to deceive victims into sharing sensitive information or downloading malware that infects their devices.

Even with the most advanced security tools in place, a single successful phishing attack can provide threat actors access to an organization’s systems, potentially leading to ransomware attacks or data breaches. In addition to phishing, other common attack vectors include:

  • Stolen credentials from third-party systems.
  • Supply chain attacks, where attackers infiltrate via a vendor’s compromised system.
  • Unpatched remote servers or systems that have reached end-of-life.
  • Cloud vulnerabilities, where misconfigurations or gaps in security can be exploited.

These risks highlight the need for continuous vigilance and education, as the human factor remains one of the biggest vulnerabilities in cybersecurity.


What is the Potential Impact of Cybersecurity Risk Exposure?

A cyber attack can cause significant damage to an organisation’s systems and operations, impacting its resilience. The effects of a security breach can be categorised into four key areas: financial, reputational, legal, and regulatory.

  • Financial Impact: Cyber attacks can disrupt operations, leading to costly system recovery efforts and significant loss of income. The costs can escalate due to business downtime, the need for enhanced security measures, and potential ransom payments.
  • Reputational Impact: A breach that exposes sensitive employee or customer data can severely damage an organisation’s credibility. The trust built with clients and stakeholders over years can erode overnight, leading to customer attrition and long-term damage to brand reputation.
  • Legal Impact: Organisations that lose control of customer data often face legal consequences, including costly settlements or class-action lawsuits. Data breaches may lead to millions in legal fees and compensation to affected parties.
  • Regulatory Impact: Increasingly stringent cybersecurity disclosure requirements mean organisations must promptly report breaches. For example, the SEC has established guidelines for determining the materiality of a cybersecurity incident, mandating timely disclosure to regulators. Non-compliance with these regulations can result in heavy penalties. Similarly, in India, SEBI has implemented cybersecurity disclosure norms requiring listed companies to report cyber incidents quarterly.

The combined effects of a cyber attack can be devastating, highlighting the critical need for proactive cybersecurity measures to protect against these risks.


What are SEBI and Other Regulators’ Cybersecurity Disclosure Norms for Listed Companies?

Regulators globally are placing increasing importance on cybersecurity disclosure norms to ensure that publicly listed companies are transparent about their cyber risk exposures and incident management. The Securities and Exchange Board of India (SEBI) and other regulators like the US SEC have implemented stringent guidelines to enhance cyber resilience.

Key SEBI Disclosure Norms:

  • Risk Management Committee (RMC): SEBI mandates that the RMC of listed companies must include a framework to identify and assess both internal and external cybersecurity risks.
  • Cybersecurity in Sustainability Reporting: Cybersecurity is now a critical component in Business Responsibility and Sustainability Reporting (BRSR), emphasising its role in long-term business sustainability.
  • Best Practices Advisory: SEBI has issued an advisory for all regulated entities, highlighting cybersecurity best practices to help mitigate risks.
  • Mandatory Reporting: All listed entities are required to disclose any cybersecurity incidents, data breaches, or data loss to the recognised stock exchange(s) on a quarterly basis, as part of their corporate governance reports.
  • Consolidated Cyber Security and Resilience Framework: SEBI has announced a new Consolidated Cyber Security and Resilience Framework, strengthening the cybersecurity regulatory landscape for listed companies.
  • CERT-In Reporting: The Ministry of Electronics and Information Technology (MeitY) has directed all organisations to mandatorily report cyber incidents to CERT-In (Indian Computer Emergency Response Team) within 6 hours of identification of such incidents.

US SEC Disclosure Norms:

The US SEC has adopted new rules for publicly traded companies, requiring them to assess the materiality of a cybersecurity incident “without undue delay”, and report the incident within 4 days of determining it to be material.

Additionally, the SEC has issued new guidance mandating that companies disclose their cybersecurity risks, incidents, and governance processes in their quarterly filings, effective from December 2023.

Global Trends:

Similar cybersecurity disclosure norms are emerging across the EU and other regions, emphasising transparency in how organisations manage cybersecurity risks and incidents.

These obligations underscore the growing need for companies to have robust cybersecurity risk management, governance, and controls. As cyber threats become more prevalent, regulators are ensuring that organisations take proactive steps to build cyber resilience and are held accountable for managing cyber risks transparently.

For more insights, refer to IOD Insight: Building Cyber Resilience in Boardrooms.


How can the Executive Management Committee and the Board of Directors Prepare to Assess Cybersecurity Risks?

With the rise in cyber attacks and data breaches, cybersecurity has become a critical concern for organizations worldwide. In India, SEBI’s Listing Obligations and Disclosure Requirements (LODR) regulations mandate that the Risk Management Committee (RMC) of the top 500 listed companies is responsible for overseeing and mitigating cybersecurity risks.

While the responsibility for cybersecurity is distributed across the organisation, ultimate accountability lies with the Executive Management, the Board of Directors (BoD), and the RMC. The following key areas and questions can help them assess the organization's cybersecurity readiness effectively:

1. Cybersecurity Strategy and Governance

  • Key Question: What is the company's cybersecurity strategy and governance structure? How does it ensure accountability?
  • Focus: Establish clear roles and responsibilities, ensuring that the strategy aligns with business objectives and includes top-level accountability.

2. Risk Management and Controls

  • Key Question: What are the company’s key cybersecurity risks? How are they assessed and mitigated? How are third-party vendors evaluated for cybersecurity risks?
  • Focus: Evaluate the risk identification and mitigation process, including the effectiveness of internal and external controls, and ensure vendor security assessments are in place.

3. Incident Response, Communication, and Crisis Management

  • Key Question: What is the company’s incident response plan? How often has it been invoked? What lessons have been learned from past incidents?
  • Focus: Assess the organization’s preparedness for responding to major cyber incidents, including crisis communication strategies and learnings from past events.

4. Regulatory and Industry Standards Compliance

  • Key Question: What cybersecurity and data privacy regulations and standards (e.g., CERT, Digital Personal Data Protection Act) must the company comply with? How many incidents were reported last quarter, and what was their financial impact?
  • Focus: Ensure compliance with relevant cybersecurity regulations, monitor incident trends, and engage with regulators as required.

5. Technology and Tools

  • Key Question: What technologies are in place to protect critical assets? How do these tools detect and remediate cyber threats? Are all endpoints, networks, and devices secured?
  • Focus: Review the effectiveness of technologies and tools used for threat detection, remediation, and overall security infrastructure.

6. Cybersecurity Culture and Education

  • Key Question: How frequently do employees and executives receive cybersecurity training? What steps are taken to embed a strong cybersecurity culture?
  • Focus: Assess the effectiveness of cybersecurity training programs and efforts to cultivate a culture of security awareness. Track the percentage of employees who are certified in cybersecurity.

7. Board Engagement and Cybersecurity Expertise

  • Key Question: Is the BoD regularly briefed on cybersecurity threats and incidents? Do they have access to cybersecurity expertise and training?
  • Focus: Ensure that the BoD is well-informed about cybersecurity risks and is equipped with the necessary expertise to make informed decisions. Include cybersecurity as a regular agenda item in BoD meetings.

8. Systems Resilience and Business Continuity

  • Key Question: What are the company’s Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in the event of a major cyber incident? How frequently are data backup and disaster recovery (DR) systems tested?
  • Focus: Evaluate the organisation’s business continuity and disaster recovery plans to ensure resilience and readiness for rapid recovery after an attack.

9. Cybersecurity Budget and Resources

  • Key Question: What percentage of the IT budget is allocated to cybersecurity? Are the budget and resources adequate to address the current threat landscape?
  • Focus: Ensure that the organisation’s cybersecurity investments are proportionate to the level of risk and threat, and that resources are sufficient to implement necessary security measures.

10. Cyber Insurance

  • Key Question: Does the company have cybersecurity insurance? What does it cover and exclude? What financial exposure remains due to cyber incidents?
  • Focus: Evaluate the scope of the cyber insurance policy, including coverage limits, exclusions, and the level of risk transferred through insurance.

By addressing these critical questions, the Executive Management Committee and the BoD can gain a comprehensive understanding of the organisation’s cybersecurity posture. This assessment ensures the organisation is equipped to manage and mitigate cybersecurity risks, safeguarding both operations and stakeholders from potential cyber threats.


Enablers for the Executive Management Committee and the BoD to Improve Cybersecurity Risk Awareness:

For the Executive Management Committee and the Board of Directors (BoD) to effectively oversee and mitigate cybersecurity risks, they need adequate access to cybersecurity expertise. Including cybersecurity as a standing item on BoD meeting agendas enables informed decision-making and ensures the BoD can regularly assess the organization’s cyber risk posture. Here are key enablers and resources to improve their cybersecurity awareness:

  • Access to Cybersecurity Expertise: The BoD must have access to cybersecurity expertise, either from within the organization (such as the CISO or other security leaders) or through external advisors. This ensures they can interpret technical risks and understand the evolving threat landscape.
  • Cybersecurity as a Regular BoD Agenda Item: Cybersecurity risk should be a recurring topic in BoD and Risk Management Committee (RMC) meetings. Discussions should focus on key cyber threats, recent breach incidents, risk mitigation efforts, and recovery strategies. Keeping cybersecurity on the agenda helps ensure the BoD remains engaged and proactive in addressing cyber risks.
  • Training and Education: BoD members and executives should receive cybersecurity training to stay updated on the latest threats, regulations, and best practices. This could include regular briefings from the CISO and participation in workshops to help them understand the technical aspects of cybersecurity.
  • Regular Updates on Cyber Incidents: Discussions during BoD and RMC meetings should include reviews of recent cyber incidents, their impact, and the steps taken for recovery. Continuous updates ensure that the BoD is fully aware of the organisation's cybersecurity performance and the effectiveness of existing controls.


External Resources and Regulatory Insights:

Leverage external resources and regulatory insights to enhance the BoD’s understanding of cybersecurity risks. Key references include:


Establishing a Culture of Cybersecurity Awareness:

Regularly discussing cybersecurity risks fosters a cyber-aware culture at the executive and board levels. This helps prioritise cybersecurity in business decision-making and enhances the organisation’s overall risk posture.

By focusing on these enablers, the Executive Management Committee and the BoD can strengthen their understanding of cybersecurity risks, making the organisation better prepared to defend against and respond to potential cyber threats.


Path Ahead and Areas to Focus on:

Cybersecurity risks are a critical concern for organisations globally as cyber attacks and data breaches continue to rise exponentially. Importantly, cybersecurity is not just an IT issue—it is a business and enterprise risk. In line with SEBI LODR regulations, the Risk Management Committee (RMC) of the top 500 listed companies in India is responsible for monitoring and reviewing cybersecurity activities and mitigating risks. Organisations must also comply with cybersecurity disclosure norms set by SEBI, MeitY, and CERT-In.

To effectively manage these risks, the Board of Directors (BoD) must focus on several key areas:

  • Awareness of Cybersecurity Risks: BoD members must maintain a clear understanding of all cybersecurity risks, and the dimensions of risk mitigation strategies in place.
  • Readiness Assessment: Regularly assess the organisation's cybersecurity readiness by asking questions about its strategy, policies, and practices. These should cover all aspects, from governance to incident response.
  • Vigilance through Tools and Controls: Ensure the organisation has the right tools, controls, and continuous learning programs to stay vigilant against evolving cyber threats. This includes robust monitoring, detection, and incident response mechanisms.
  • Cybersecurity Culture: Evaluate how cybersecurity is embedded within the organisation’s culture. This includes the engagement of employees and executives in cybersecurity education and ensuring that they understand their role in maintaining a secure environment.
  • Enforcement and Updates to Cyber Policies: Confirm that cybersecurity policies are not only accessible to all stakeholders but also enforced and updated regularly as the threat landscape evolves. Regular policy reviews are crucial to keeping pace with new risks.
  • Regulatory Compliance and Reporting: Review regulatory reports on cybersecurity incidents, financial exposure, and the organisation’s adherence to SEBI norms. Keep an eye on emerging disclosure requirements, as regulations will continue to evolve.

Strive for timely transparency on risks with regulators and investors, and explain how the organisation detects, reports, and recovers from cyber attacks. At the same time, be cautious — over-disclosure may open the door to negligence claims by stakeholders, a balance that will need careful navigation.

These considerations underscore the importance of having robust cybersecurity risk management, governance, and controls in place.

The old adage, "You cannot defend against an unknown risk," holds true more than ever in today’s landscape. The Executive Management Committee and the BoD have a critical role in staying ahead of the game, ensuring the organisation is well-prepared to defend against the ever-evolving cybersecurity threat landscape.

Reference: IOD Insight, Artwork by Anita D’Souza.

Ashok Malhotra

Head of Market Area South Asia Habasit

4 months

Very informative

Kiran Sarpotdar

Patent holder, Founder at start-up, cloud SaaS products in e-commerce, Learning Management and Artificial Intelligence based chat

4 months

My personal view is that everything is safe and everything is unsafe. If one assumes that walking on the road is unsafe, then take precautions. But at the same time, if anyone says that after taking precautions it will have zero chance of accident, well, can't say. A car can come onto the footpath and crush. Of course basic precautions and the governance and punishment of the offenders is most important. It's like law. There is a law and traffic rules. If anyone violates them, then basically they are committing a crime. Also the investigating agencies need to be ahead of criminals and catch them and punish. That's how IT security should work. In general in industry, IT security guys are typically naysayers. They should not just allow but also build their own robust mechanism to prevent issues. Elimination and a 100% win rate can't be guaranteed.


More articles by Prashant Dhume
