Cyber Security Policy and Governance for Fiduciaries

Posted 2020-12-09, updated February 11th, 2021

Imagine that you are the board chair of a major corporation with operations in multiple countries. You are preparing to meet with the press to announce a new product. Your EVP of European operations has just called to inform you that there has been a major breach of customer data at one of your German subsidiaries. You have also been told that the breach will be the subject of the lead article in tomorrow's Financial Times. What do you do?

Most people think of a cyber breach as the loss of customer or patient data. That is true as far as it goes. But perhaps the biggest risk is the loss of your customers' trust, and with it the quantifiable asset of goodwill. Consumers may choose another provider, and equity investors also make their displeasure known. On average, the loss of market value following a cyber breach amounts to about 7.5% of total value, which can be a very large number. For example, in 2013 roughly 38 million Adobe customer accounts were breached; the capital loss was approximately $18 billion.

But wait, you already have a robust team of security officers and access to the best consultants in the business. You have been told that your company meets all applicable US and global cybersecurity standards, such as the NIST Cybersecurity Framework and ISO/IEC 27001. So why worry?

Meeting technical and operational guidelines is important, but boards have the added responsibility of monitoring the company's overall compliance with best practices. Best practices differ from technical guidelines because they focus on the process of managing cyber risk, not just the particulars of how it is done. Board members must be able to demonstrate that they are monitoring that process on an ongoing basis, not just quarterly or semiannually. Furthermore, the board's perspective includes understanding how cyber risk fits into the enterprise's overall risk profile. Full cybersecurity is, as one of my professors at MIT told us, a "negative goal"; there is no such thing.

Suppose you could bring up your company's cybersecurity governance monitoring dashboard on your mobile device and be up to date on when, how, and by whom the breach was perpetrated, as well as the remediation under way to manage it. With that information you would be able to speak knowledgeably about, and demonstrate the transparency of, your security protocols. You can confirm when the breach was first discovered, that the breach remediation plan was activated six hours ago, that the relevant authorities have already been notified (for a German subsidiary, GDPR Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach), and that your backup customer data is secure. Your employees, customers, and the capital markets are assured that you are following best practices.

Diogenes is in the beginning stages of working on a systematized solution to meet this need. Using a combination of a bespoke database and an advanced form of artificial intelligence, our system is being designed to gather and organize all applicable data and compare it against all relevant best practices. It will provide an ongoing audit trail and be proactive: a failure to adhere to one or more of the best practices will be immediately communicated to senior managers and the appropriate board committee. In the event of an inquiry by the SEC or, in this case, proceedings under the German Act on Regulatory Offences (Ordnungswidrigkeitengesetz, OWiG), the board can immediately provide details so as to mitigate possible liability.

You have finished your coffee and have reviewed the current status of the breach via your company's cybersecurity monitoring dashboard. Even before a reporter asks for your reaction to the article, you address the issue directly. You can tell the press that your company's proactive measures are already in place and that the breach has been contained. This does not mean that the problem has been completely resolved. But by having a sophisticated yet simple tool to monitor your company's cyber risk, you give your customers reason to breathe a sigh of relief and assure the capital markets of your competence.