‘I don’t know much about cyber, but I’m in charge.’
Being a fiduciary in a regulated world.
“Cyber risk is business risk.” This statement has become the norm at conferences and on webinars. Specific to the financial industry, cybersecurity risk is now as significant as financial risk. The latter has well-refined standards and practices to measure and manage—the former does not. Ask executives and board members—they find themselves in the position of being responsible for, but not experts in, cybersecurity. In many cases, they are fiduciaries for the business.
“Fiduciary” is a term that is normalized in the investment industry, reflecting the substantial relationship between decisions the fiduciary is tasked with making and the outcomes on assets owned by someone else. It commonly takes the form of investment managers with discretion to make investment decisions on behalf of their clients or a retirement plan committee with discretion to make investment decisions on behalf of an employee retirement plan.
Simply put, a fiduciary is expected to act prudently and solely in the best interests of another party. They are expected to have some level of skill and knowledge. If they don’t, they seek expert advice.
Are new security guidelines coming?
Currently in the financial industry, there is no specific regulation imposing fiduciary conduct standards with respect to cybersecurity. However, in March 2022 the SEC proposed new guidelines on the strategy, governance and reporting of cybersecurity risk [1]. This proposed guidance is driving cybersecurity and its related risks further into the C-suite. The proposed penalties for failure with respect to data security involve mandatory public disclosure and, in cases of negligence, subpoena to the Department of Justice. While the “teeth” of the proposal are still to be determined, we expect this regulatory focus on cybersecurity to expand for one reason: trust.
“The SEC strives to promote a market environment that is worthy of the public’s trust and characterized by transparency and integrity.” [2] Traditionally, we interpret this primarily with regard to financial assets. But hackers have told us through their actions that data is as valuable to them as financial assets. It is not just the SEC making this evolution, either—most financial regulators are prioritizing cybersecurity.
Trust is not necessarily lost in the event of a cyber-breach. Target Corporation suffered a breach in 2013, and its subsequent recovery has proven that reputation can be rebuilt. What causes lasting damage is when a forensic audit uncovers negligence or laziness with respect to actions taken, or not taken, to affirmatively anticipate and protect against a cyberattack. In other words, fiduciary responsibility is oversight of the process and resources deployed, not necessarily the outcomes. Using the retirement benefits committee example, a negative investment return does not in itself indicate a failure of fiduciary duty, as long as the committee can demonstrate a prudent process around investment decisions.
Comparing financial risk to cyber risk
A CFO probably considers financial risks such as liquidity or credit by forecasting potential economic scenarios and testing how the company’s balance sheet would perform under each. Ultimately, the financial team would create a confidence interval of those scenarios within which they are comfortable with the business’s posture. Then, in review, the team can evaluate their initial projections against actual outcomes by assessing market values.
While cybersecurity lacks the luxury of market values for risk measurement, it does have levels of measurement. Consider the following:
- Ask the cybersecurity team, “What are the top 75 threats that the company expects to face this quarter, and why do we think that?” That number could represent a three-standard-deviation confidence interval for attack activity, built from historical data and threat intelligence.
- Using this convention, how does the cyber program connect each of these 75 threats to specific compensating controls the infrastructure has in place to mitigate them? Defining the scope of risk and implementing specific mitigation processes is a very defensible and effective process.
- At the end of the quarter, how many of those 75 threats actually showed up during the period and how many of those attacks have been stopped? For the attacks that were expected, but did not show up, how is it verified that they were indeed absent versus undetected?
If the necessary information is not available, the fiduciaries now know where to invest until they are able to satisfy a standard of measurement.
Let’s flip back to financial risk. When making a loan, a bank has a clear process in place to evaluate a borrower. It considers a “failure and recovery” loop: if the borrower’s income is impaired and they can no longer service the loan, are there other assets to draw on for payment? If there are no other assets to support repayment, is there recoverability in an asset tied to the loan (e.g., the house backing a mortgage)? If there is no asset tied to the loan, can the bank insure against this loan? Finally, if all else fails, can the business survive a complete wipeout of this loan?
This “failure and recovery” loop translates well to cybersecurity. A malicious email gets through the primary gateway: is there something in place to identify it (other than the employee) while it is sitting in an inbox? Let’s say that fails and the employee clicks on a ‘bad’ link. The attack now reaches a laptop. Will the endpoint security detect it? And, even though we might be highly confident in these two layers, let’s assume the attacker succeeds to this point and then calls out from the laptop to the internet to pull malware onto the company network—do we know that the network security tools will see and stop this execution?
This probably sounds like defense in depth, a strategy that incorporates layers of protection across IT infrastructure for resiliency. A caution to the fiduciary: defense in depth, in and of itself, does not mean secure, or even genuinely layered. The strategy only works if the security team’s process aligns each threat to each of the steps in the above example. For the “Top 75 Threats” list, that is 75 different attack paths mapped out and tested. Once again, if the information is unavailable, the fiduciaries now know where to invest.
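The quarter-end questions above (which threats are mapped to a control at every layer, which observed attacks got through, and which expected threats were verified absent rather than merely undetected) reduce to a reconciliation over a simple threat register. The following is an added illustration, not code from the original article; the layer names, the Threat record and the three constructed threats are assumptions chosen to mirror the email-to-endpoint-to-network loop described in the text.

```python
from dataclasses import dataclass, field

# Layers of the "failure and recovery" loop, in the order an attack traverses them.
# Assumed names for illustration only.
LAYERS = ["email_gateway", "inbox_scanning", "endpoint", "network_egress"]


@dataclass
class Threat:
    name: str
    controls: dict = field(default_factory=dict)  # layer -> control name (missing = no control)
    observed: int = 0            # attempts seen this quarter
    blocked: int = 0             # attempts stopped by some layer
    absence_verified: bool = False  # evidence that zero observations means truly absent


def coverage_gaps(threat: Threat) -> list:
    """Layers at which this threat has no mapped compensating control."""
    return [layer for layer in LAYERS if not threat.controls.get(layer)]


def quarter_end_review(threats: list) -> dict:
    """Reconcile the expected-threat list against what the quarter showed.

    Returns three lists a fiduciary would want to see: threats with an unmapped
    layer, threats that were observed but not fully blocked, and threats that
    were expected but never observed without evidence that they were absent
    (i.e. possibly undetected rather than absent)."""
    report = {"unmapped": [], "missed": [], "unverified_absent": []}
    for t in threats:
        gaps = coverage_gaps(t)
        if gaps:
            report["unmapped"].append((t.name, gaps))
        if t.observed and t.blocked < t.observed:
            report["missed"].append((t.name, t.observed - t.blocked))
        if t.observed == 0 and not t.absence_verified:
            report["unverified_absent"].append(t.name)
    return report


# Constructed sample register: three of the "top N" threats for one quarter.
SAMPLE_THREATS = [
    Threat("phishing_credential_harvest",
           {"email_gateway": "spam_filter", "inbox_scanning": "url_rewrite",
            "endpoint": "edr", "network_egress": "proxy_blocklist"},
           observed=40, blocked=40, absence_verified=True),
    Threat("macro_dropper",
           {"email_gateway": "attachment_sandbox", "endpoint": "edr"},
           observed=5, blocked=4),
    Threat("c2_beacon_dns",
           {"endpoint": "edr", "network_egress": "dns_filter"},
           observed=0, absence_verified=False),
]
```

Running `quarter_end_review(SAMPLE_THREATS)` flags the macro dropper for two unmapped layers and one missed attempt, and flags the DNS beacon as expected-but-unverified, which is exactly the "absent versus undetected" question the text asks the security team to answer.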
Though the practice of managing cyber risk is young, Gartner research forecasts [3]:
- “By 2026, at least 50% of C-Level executives will have performance requirements related to cybersecurity risk built into their employment contracts.”
Leaders can use their business acumen, with only minimal operational expertise, to set a risk standard for the business to live up to. In doing so, decision makers will have a framework to evaluate the investments made (people, process, and technology), quantify risk, and determine whether they are doing enough—just as they do with every other department of their business.
References
1. “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” Securities and Exchange Commission, sec.gov.
2. “Agency and Mission Information,” Securities and Exchange Commission, sec.gov.
3. “Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem,” Gartner, gartner.com (login required).