Description
On February 26, 2014, the U.S. Commodity Futures Trading Commission published guidance outlining the data security practices it expects from the firms it oversees and from the third parties they contract with.[1]

The importance of this issue is also reflected in the notices from the SEC's Office of Compliance Inspections and Examinations and from the Financial Industry Regulatory Authority.[2]
Executives and board members often lack knowledge of the cyber risks their organizations face and of how to fold cyber risk management into overall business strategy.

- 52% of directors ranked IT strategy and risk second only to strategic planning as the issue for which they most need better information and processes.[3]
- 69% of directors are concerned that cyber threats may impact growth.
- 77% of respondents to the US State of Cybercrime Survey detected a security event in the past 12 months, and more than a third said the number of security incidents detected increased over the previous year.[4]
- Only 49% of respondents have a plan for responding to insider threats.
- Only 38% of respondents prioritize cyber security investments based on risk to the business.
Banking and finance organizations are currently spending up to $2,500 per employee per year on cyber security. At this level the sum represents approximately 15% of the total IT budget. In retail that also amounts to a comparable ratio,
Executive Guidance
Most of the organizations surveyed do not have cyber security programs that can match the skills and technological capabilities of their cyber adversaries. Initiating such programs requires first answering the following policy-level questions:
- What are your most crucial cyber assets, and what is being done to keep them secure?
- In recent cyber incidents, what weak links were discovered and addressed?
- What threats is your business facing?
- What are the most likely internal threats?
- Have any of your partners, or others in your supply chain, been subjected to a cyber attack?
- What are your policies for ensuring that partners achieve a minimum level of cyber security?
- Does your business have a written cyber security risk management strategy?
- Does your policy include training employees, perhaps the most important line of defense?
- If a breach occurs, who takes the lead? What are the responsibilities of those in the C-suite?
- What does the company's cyber insurance policy cover?
[4] PwC, 2014 US State of Cybercrime Survey, http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf
For comments please e-mail paul@strassmann.com