Discussion 1

The topic I have selected is a DoS that occurred in 2020 against Amazon Web Services.

Introduction to Risk

Individuals, businesses and governments face risk daily. Risk is manifested in different forms and may be described as business, non-business, or financial. Irrespective of the type of risk, it’s important to remember the basic goals of security – to maintain confidentiality and integrity, while also ensuring the availability of data and systems. Organizations and governments usually employ different approaches to mitigating risks, but with a good understanding and consideration for risk elements including (i) vulnerabilities, (ii) threats & threat agents, (iii) impact, and (iv) likelihood. Other considerations include an organization or government’s appetite for risk, business goals, as well as internal and external drivers (laws, regulations, and standards). Proven strategies to deal with risk employ an enterprise risk management approach, and also rely on risk management frameworks including but not limited to: NIST’s risk management framework, ISACA’s risk IT framework, and COBIT 2019.


Follow these directions to complete the assignment:

Identify a cybersecurity-related attack: Using scholarly sources and/or the web, research, identify, and share an example of a cybersecurity-related attack. Examples may include cyber warfare such as “Stuxnet” or the “Equifax” data breach. Feel free to use any of these. Once you’ve decided on the example you will share, “claim” it by posting it to the discussion. Do not post about the same type of attack as your classmates.

Create your post: In a discussion post of approximately 600 to 800 words, explain risk and risk elements related to this attack, including a synopsis, attack type, characteristics, vulnerabilities, threats & threat agents, impact, and likelihood of this attack. You may need to make some assumptions as you write about the risk elements. Clearly state any assumptions that you make. Do not offer a potential solution to the attack;

Action Items

  1. Complete all of the reading for this module.
  2. Claim the cybersecurity-related attack you intend to discuss by posting it to the discussion.
  3. Create your discussion post according to the directions in the overview.


Risk Concepts

In this chapter, you will:

•  Review basic security concepts

•  Learn about standards, frameworks, and best practices related to risk identification, assessment, and evaluation

•  Learn to describe how business goals, information criteria, and organizational structures affect risk

•  Determine how information systems architecture presents risk to the organization

•  Learn about risk ownership and awareness

•  Recognize legal, regulatory, and contractual requirements for risk management within the organization

This chapter will review a large portion of Certified in Risk and Information Systems Control (CRISC) Domain 1: Risk Identification with coverage of fundamental information security and risk management concepts. We’ll cover a good deal of the terminology associated with risk management and many of the core concepts you’ll need to be familiar with for the exam, but we will go into more depth on many of these concepts in later chapters.

The CRISC exam topics covered in this chapter include the following domain objectives and knowledge statements:

•  1.6 Identify risk appetite and tolerance defined by senior leadership and key stakeholders to ensure alignment with business objectives

•  1.7 Collaborate in the development of a risk awareness program, and conduct training to ensure that stakeholders understand risk and to promote a risk-aware culture


NOTE    Throughout the book, the task and knowledge statements are listed in the order they are described in the CRISC Job Practice areas, not necessarily how they are presented in the chapter.

Basic Security Concepts

To successfully sit for the CRISC exam, you should be familiar with some basic security concepts. You can’t be expected to know how to manage risk in a security environment if you don’t understand the basics of security. We’ll assume you have some level of experience already as a security professional since risk management is a significant portion of (and a logical career progression from) the information security profession. You may also have had some level of experience in specific risk management processes during your career. As such, we won’t go into detail on the basic security concepts in the upcoming sections; this chapter will just serve as a quick refresher to remind you of certain security concepts.

The CRISC exam is not a technical exam; it is more of a process- and management-oriented exam, so we won’t delve into firewall configuration rules, protocol filtering, encryption, or any of the other fun stuff that security professionals do. We will, however, discuss a couple of other security concepts that are important to know for the exam since risk affects all of these concepts in different ways.

Goals of Information Security

Traditional security doctrine, as well as fundamental security knowledge you may learn from various training courses and on-the-job experience over the years, teaches that there are three fundamental security goals. These goals are what we’re striving for as security professionals; they are confidentiality, integrity, and availability. You’ll sometimes see these three terms strung together as an acronym, such as the CIA triad or, occasionally, as the AIC triad, depending upon the different security literature you read. In any event, these three goals are what you want to achieve for all of your information systems and data. They are also characteristics that you want all of your systems, processes, procedures, methods, and technologies to have. We will discuss these three items in the next few sections and why they are important to the security profession. We’ll also briefly describe some of the risks associated with these three goals.


The goal of confidentiality is to keep information systems and data from being accessed by people who do not have the authorization, need-to-know, or security clearance to access that information. In other words, confidentiality means that only authorized individuals and entities should be able to access information and systems. Confidentiality can be achieved through a number of security protection mechanisms, such as rights, privileges, permissions, encryption, authentication, and other access controls. If the confidentiality of data or information systems is breached, you get the opposite of confidentiality, which is unauthorized disclosure. Unauthorized disclosure is a risk to data and information systems and one that we as security professionals struggle hard to protect against.


Integrity is the characteristic of data that means the data has not been subject to unauthorized modification or alteration. In other words, it means data is left in the same state as it was when it was stored or transmitted. So, when it is accessed again or received, it should be identical to the data that was originally stored or transmitted. Integrity is achieved in several ways, by using checksums, message digests, and other verification methods. Data alteration is the opposite of integrity, particularly when the modification has not been authorized by the data owner. Data modification or alteration can happen accidentally, such as when it may be inadvertently changed because of human error or faulty transmission media. It can also happen intentionally (which is usually malicious in nature when this modification is unauthorized) by direct interaction with data during storage or transmission, such as during an attack, for example. This risk to data affects whether the data can be trusted as authentic or true, whether it can be read as intended, and whether it is corrupt.


Availability is when data and systems are accessible to authorized users at any time or under any circumstances. Even if data is kept confidential and its integrity remains intact, that does you no good if you can’t access it when you need it to perform critical business functions. Availability ensures you have this data (and the information systems that process it) at your fingertips. Just as confidentiality and integrity have their opposites, data destruction or denial of service is the opposite of availability. This risk to your information systems could prevent authorized consumers of that data or users of that information system from performing their jobs, thus severely impacting your business operations. Figure 1-1 shows the relationships of the three information security goals to one another.

Figure 1-1    The three goals of information security



EXAM TIP    You will need to understand the definitions of the goals of information security well for the exam. Almost everything in information risk management supports these three goals, either directly or indirectly.

Supporting Security Goals

Popular security theory sets forth the three overarching security goals but also provides for auxiliary elements that support these goals in various ways. These are concepts that, both individually and combined, help you as a security professional to maintain data confidentiality, integrity, and availability, as well as protect your systems from unauthorized use or misuse. We’ll discuss these different security elements and other concepts, as well as how they support the three primary goals of security, in the next few sections.

Access Control

As a security professional, you probably already know that a security control is a security measure or protection applied to data, systems, people, facilities, and other resources to protect them from adverse events. Security controls can be broken down and categorized in several ways. Access controls directly support the confidentiality and integrity goals of security and indirectly support the goal of availability. An access control essentially means that you will proactively ensure that only authorized personnel are able to access data or the information systems that process that data. Access controls ensure that only authorized personnel can read, write to, modify, add to, or delete data. They also ensure that only the same authorized personnel can access the different information systems and equipment used to store, process, transmit, and receive sensitive data.

There are several different types of access controls, including identification and authentication methods, encryption, object permissions, and so on. Remember that access controls can be administrative, technical, or physical in nature. Administrative controls are those that are implemented as policies, procedures, rules and regulations, and other types of directives or governance. For example, personnel policies are usually administrative access controls. Technical controls are those that are most often associated with security professionals, such as firewalls, proxy servers, virtual private network (VPN) concentrators, encryption techniques, file and folder permissions, and so on. Physical controls are those used to protect people, equipment, and facilities. Examples of physical controls include fences, closed-circuit television cameras, guards, gates, and restricted areas.

In addition to classifying controls in terms of administrative, technical, and physical, you can also classify access controls in terms of their functions. These functions include preventative controls, detective controls, corrective or remedial controls, deterrent controls, and compensating controls. All of the different controls can be classified as one or more of these different types of functions, depending upon the context and the circumstances in which they are being used.

Data Sensitivity and Classification

Asset is a general, all-encompassing term that could include anything of value to an organization. The term asset can be applied to data, systems, capabilities, people, equipment, facilities, processes, proprietary methods, and so on; it is anything the organization values and desires to protect. Organizations normally determine how important their assets are to them and how much protection should be afforded to those assets. For example, intellectual property is an extremely valuable asset to the organization and is normally well protected. This is really the basic fundamental concept of risk management—how much security or protection a particular system or piece of data requires, based upon how likely it is that something bad will happen to it, balanced with what the organization can really afford to spend on the protection for that asset. To make reasonable decisions on how much security an asset needs, the organization has to decide how much the asset is worth to it. We’ll discuss worth in terms of dollars a bit later in the chapter, but for now let’s look at it from a perspective of asset sensitivity. In terms of sensitivity, you’ll usually see the term data sensitivity in particular, but you could also broadly consider sensitivity for any asset in an organization.

Data (or other asset) sensitivity refers to how much protection the organization feels a particular system or piece of data requires, based upon its value to the organization and the impact if it were lost, stolen, or destroyed. For example, information published on the organization’s public website or in the company newsletter is public knowledge and is usually easily retrievable if, for some reason, the hard disk containing that data fails or is erased. Since the data is public, you may not consider that data to be very sensitive in nature and require little protection for it. On the other hand, customer order data is extremely important to the organization simply because its business operations depend upon that data in order to function and turn a profit. So, it makes reasonable sense that the organization would spend a little bit more time, money, and effort in protecting that particular data. Therefore, its sensitivity, or classification level, would be considered somewhat higher than public data. Generally, the higher the sensitivity of the data, the more protection it is given.

In basic security classes, you typically learn about the different classifications of data found in both commercial organizations and government ones. In commercial organizations, typical data sensitivity labels include Private, Company Sensitive, Proprietary, and so on. In the U.S. government, data sensitivity levels include Confidential, Secret, and Top Secret, and they are classified based upon the level of damage to the security of the United States that could be incurred if data at these various classification levels were disclosed or lost. Remember that data sensitivity is driven by the value of the data to the organization and by the impact if it is lost, stolen, or destroyed, and it is balanced by the commitment of resources the organization is willing to provide to protect that data. Data sensitivity and classification policies specify the different formal levels of sensitivity in the organization and what those levels require in terms of protection.

Identification and Authentication

Identification and authentication are often misunderstood terms. They are related, to be sure, but they are not the same thing and really shouldn’t be used interchangeably by a knowledgeable security professional. Identification refers to the act of an individual or entity presenting valid credentials to a security system in order to assert that they are a specific entity. When you enter a username or password into a system, for example, or insert a debit card into an automated teller machine and enter a personal identification number (PIN), you are identifying yourself. Authentication is the second part of that process, where your identity is verified with a centralized database containing your authentication credentials. If the credentials you have presented match those in the authentication database, you are authenticated and allowed access to the network or resource. If they do not match, you are not authenticated and are denied access.

There are several methods of identification and authentication, including single factor (such as username and password, for example) and multifactor, which consists of two or more of the following: something you know (knowledge factor), something you have (possession factor), or something you are (biometric or inherence factor). Authentication also uses a wide variety of methods and technologies, such as Kerberos and 802.1X, for example.


Authentication to a resource doesn’t automatically guarantee you have full, unrestricted access to a resource. Once you are authenticated, the system or resource defines what actions you are authorized to take on a resource and how you are allowed to interact with that resource. Authorization is what happens once you’ve successfully identified yourself and been authenticated to the network. Authorization dictates what you can or can’t do on the network, in a system, or with a resource. This is usually where permissions, rights, and privileges come in. In keeping with the concept of least privilege, users should be authorized to perform only the minimum actions they need in order to fulfill their position responsibilities. Authorization has a few different components. First, there is need to know. This means there must be a valid reason or need for an individual to access a resource, and only to a certain degree. Second, an individual may have to be trusted, or cleared, to access a resource. This may be accomplished through a security clearance process or nondisclosure agreement, for example.


EXAM TIP    Understand the differences between identification, authentication, and authorization. Remember that identification is simply presenting credentials, while authentication is verifying them. Authorization dictates what actions an individual can take on a system.


Accountability means that a person is going to be held responsible for their actions on a system or with regard to their interaction with data. Accountability is essentially the traceability of a particular action to a particular user. Users must be held responsible for their actions, and there are different ways to do this; it is usually assured through auditing. First, there must be a unique identifier that is tied only to a particular user. This way, the identity of the user who performs an action or accesses a resource can be positively established. Second, auditing must be properly configured and implemented on the system or resource. What you are auditing is a user’s actions on a system or interactions with a resource. For example, if a user named Sam deletes a file on a network share, you want to be able to positively identify which user performed that action, as well as the circumstances surrounding the action (such as the time, date, from which workstation, and so on). This can be accomplished only if you have auditing configured correctly and you take the time to review the audit logs to establish accountability.


NOTE    Although related, accountability is not the same thing as auditing. Accountability uses auditing as just one method to ensure that the actions of users can be traced to them and that they are held responsible for those actions. Other methods, such as nonrepudiation, are used as well.


Nonrepudiation is closely related to accountability. Nonrepudiation ensures that the user cannot deny that they took an action simply because the system is set up such that no one else could have performed the action. The classic example of nonrepudiation is given as the proper use of public key cryptography. If a user sends an e-mail that is digitally signed using their private key, then they cannot later deny that they sent the e-mail, since only they are supposed to have access to the private key. In this case, the user can be held accountable for sending the e-mail, and nonrepudiation is assured.

Figure 1-2 summarizes the relationships between access controls, the supporting elements of information security, and the three information security goals. Note that there is no hard-and-fast rule about mapping security elements and access controls to security goals; all of these elements and controls can support any one or even more than one goal at a time. For example, encryption, a technical access control, can support both confidentiality and data integrity at the same time.

Figure 1-2    How access controls support security elements and information security goals



NOTE    Although other books may describe the supporting elements of the security goals differently, the basic ones we’ve described here are common and directly support the three goals of confidentiality, integrity, and availability.

Risk Management Concepts

Now that we have framed some of the important information security concepts, such as the security goals and supporting elements, we will explain the basics of how risk is managed with relation to these concepts. As this chapter covers the foundational concepts associated with risk, we’ll cover the different terms you need to know for risk management. Risk management is the overall process of developing a strategy for addressing risk throughout its life cycle and includes several components. These include risk identification, assessment, analysis, evaluation, and response. We’ll talk about each of these different processes later in the chapter, as well as throughout this book. For the exam, you’ll need to know how these basic processes work, and as you proceed through this book, you will learn how to perform each of these risk management steps.

Risk Terms and Definitions

To fully appreciate the overall concepts of risk management and prepare for the exam, you need to be familiar with several key terms and concepts. In the next few sections, we’ll explain several of these key terms and concepts. Understand, however, that risk can be a complex body of knowledge to comprehend, so these are explained only at the basic level during this chapter. We will go far more in-depth on each of these terms and concepts throughout the remainder of this book, including how the terms relate to each other in the overall risk management process.


Vulnerabilities are weaknesses in a system, operation, or facility that would make these resources susceptible to being exploited by a threat. Vulnerabilities can exist in the way a system processes, transmits, or stores data; they can also exist in the technologies that make up a system or even in its design. Even people can have vulnerabilities; one such weakness that affects the people in an organization is complacency. This weakness might prevent them from always following security practices, for example, and allow a security threat to take advantage of that weakness. Facility vulnerabilities could include a lack of physical security controls, a “blind spot” near a doorway to a secure area where an intruder may hide, and so on. One of the first steps in managing risk is to identify all of the vulnerabilities that exist within a system or facility so they can be adequately addressed. This is usually accomplished by conducting a vulnerability assessment, which attempts to thoroughly identify any and all vulnerabilities inherent to a system and its people, operations, policies, procedures, and facilities. We’ll discuss vulnerability assessments more in Chapter 2, but for now keep in mind that while a vulnerability assessment can be conducted as a stand-alone type of assessment, it really doesn’t have as much value unless it is part of a larger risk assessment, where it can be brought into context with other important elements of risk.

Threats and Threat Agents

A threat is a danger of harm that can be enacted on an asset. The asset has to be in danger from this threat and, theoretically, if there is no danger, then there is no threat. Threats exploit specific vulnerabilities. A threat must have a matching weakness in a system that it can exploit, or act upon, if it is to be an effective threat. An example of a threat and vulnerability pairing might be the use of a weak encryption algorithm in a system (a vulnerability) and a cryptographic attack against that algorithm (the threat). If the system used a much stronger algorithm, then the vulnerability would not exist, and that particular threat would not be a danger or risk to the system for that specific instance. A threat agent is something that causes or initiates a threat against a vulnerability. In the example given previously, a hacker or malicious actor would be the threat agent that exercises the cryptographic attack (threat) against the weak algorithm (vulnerability). Table 1-1 gives some other examples of threats, vulnerabilities, and threat agents to further emphasize these concepts.


Table 1-1    Examples of Threats, Vulnerabilities, and Threat Agents

As you can see from Table 1-1, a threat is only the presence of something that can exploit a vulnerability; the vulnerability can be a concrete weakness or even the absence of a security control within the system (such as a lack of backup power or data destruction policy, for example) that creates a weakness or vulnerability. The presence of both of these conditions at the same time creates the potential for danger or harm to a system, its data, the people, or the facilities. This potential danger is defined as risk, but we will present a more comprehensive definition of that term in the next few sections. From the table you can also see that both vulnerabilities and threats directly affect the three primary goals of security (confidentiality, integrity, and availability). Both threats and vulnerabilities can also be different combinations of administrative, technical, physical, and operational in nature.

Threat assessments are often conducted to identify matching threat and vulnerability pairings, as well as the threat agents that could exercise a threat. Like a vulnerability assessment, a threat assessment does not necessarily have to be part of risk management, but it can definitely support it. Threat assessments are conducted using a wide variety of data, including historical trends, statistical analysis, industry data, and other information from sources including the government, vendors, and even the organization.


Impact is what happens to the organization or to the business when a weakness or vulnerability is exploited by a threat. Impact can be expressed as a level of damage to an asset or the organization itself. It can be seen as how the business or operations of an organization are affected by a threat that exercises a vulnerability. Impact can also be cumulative; several smaller impacts that affect different systems within an organization can be additive and create a much larger impact on an organization than any one of them would. Impact can be expressed in terms of revenue lost based upon a complete or partial loss of an asset or process. It can also be expressed in terms of other concrete numbers or, even in subjective terms, based upon how serious the organization determines the effect of the event to be.


Likelihood is the probability of a threat exploiting a particular vulnerability. During threat and vulnerability assessment processes, the organization will normally determine the seriousness of a threat in terms of its impact if it occurs, based upon a certain level of weakness in the system. The organization also routinely determines the likelihood of these threats, given existing security controls and protections for an asset in the organization. For example, the likelihood of an intruder breaking into an extremely secure facility that has gates, guards, and guns surrounding it, as well as high security fences, might be extremely low. A different facility without all of these security protections might incur a much higher likelihood of the same threat. In addition to security controls protecting an asset, other environmental factors might come into play, such as the facility residing in a “bad” neighborhood, distance from police and other emergency services, motivation of the threat agent, and so on. All of these different factors, which are really unique to the operational environment and asset in question, should be considered when determining the likelihood that a threat could occur. As with impact, likelihood could be measured in statistical percentages or subjective terms.


The four elements just described—vulnerabilities, threats and threat agents, impact, and likelihood—combine to make up the fundamental parts of risk. Risk is sometimes a difficult concept to get your arms around because it can be explained with different definitions, especially within the security community. On one hand, risk is a relative level of danger or harm to an asset. It’s also sometimes defined as the likelihood of a negative event happening to an organization and impacting its business operations. Another way of saying it might be the likelihood of a threat exploiting a vulnerability, causing an impact to an asset.

In any event, risk is a combination of these four factors, and it is a value that can be relatively measured using these factors. For example, impact can be expressed in lost revenue (dollars), lost productivity (labor hours), or even loss of market share (a drop in sales). Likelihood can be measured as a statistical probability (a percentage, for example) or even a subjective measurement, such as high, medium, or low. Threats and vulnerabilities can be a little bit more difficult to assign concrete values to; usually these values are also subjective, such as high, medium, or low designations. Later in this chapter, we’ll discuss how these values can be measured and risk can be expressed, using either quantitative (expressed as numbers) or qualitative (expressed using subjective values) methods. Figure 1-3 attempts to bring together all of these factors to illustrate their relationships, helping you to better grasp the concept of risk.

Figure 1-3    Threats, vulnerabilities, likelihood, and impact


Two terms associated with risk that we will briefly describe here include inherent risk and residual risk. Inherent risk is associated with any endeavor, including risk associated with technologies, business processes, markets, and so on. All endeavors that businesses embark on contain some inherent risk that may be both unique to the particular endeavor and common to a technology or process. Residual risk, which we’ll discuss in depth later in the book, is the risk that remains after we have taken steps to respond to risk, either by reducing it or by mitigating it. It is a commonly accepted fact within the risk management community that risk can never be entirely eliminated; it can only be reduced to a manageable or acceptable level. Residual risk is normally the amount of risk left over after you’ve taken these steps, which must then be accepted. We’ll discuss more about risk response in Chapter 5.

It’s worth mentioning here that organizations typically maintain data associated with risk, including identified threats and vulnerabilities, as well as their likelihood and impact determinations, in what is known as an enterprise risk management (ERM) program. In addition to being a system that records and assists in analyzing risk management data, ERM is also the formal management program, including processes and methodologies, that the organization uses to manage risk throughout its entire life cycle.


EXAM TIP    Understand the differences and relationships between the four risk elements of threats, vulnerabilities, likelihood, and impact. Threats exploit vulnerabilities, and the level of risk is based upon the likelihood of the threat exploiting a given vulnerability and the impact to the system if it occurs.

Risk Culture, Appetite, and Tolerance

An organization normally has a risk culture, which is essentially how the organization as an entity feels about and deals with risk. This culture is developed from several sources. First, it can come from the organization’s leadership, based upon their business and management philosophies, attitudes, education, and experience. It can also come from the organization’s governance. Remember that governance is essentially the rules and regulations imposed either by external entities (in the form of laws, for example) or internally by the organization.

In any case, the culture of the organization really defines how the organization feels about risk and how it treats risk over time. As part of the organization’s risk culture, there are its risk appetite and risk tolerance. These are different terms you also need to know to understand risk. Risk appetite is, in effect, how much risk an organization is willing to deal with in any given endeavor. This is the general level of risk that an organization is willing to accept in the course of its business. An organization’s risk appetite is driven by the corporate risk culture, in other words, by the environment the organization exists in (market, regulation, and other external factors).

Risk tolerance, on the other hand, is the acceptable level of deviation in risk for a particular endeavor or business pursuit. Risk tolerance is how much variation from the expected level of risk the organization is willing to put up with. There’s a certain amount of risk in every business enterprise or pursuit; however, the organization may not be able or willing to tolerate large deviations from what it considers its acceptable level of risk on an endeavor.


EXAM TIP    Know the differences between risk appetite and risk tolerance; risk appetite involves how much risk the organization is willing to endure, and risk tolerance is how much variation from that amount is acceptable to the business for a particular venture. Risk culture drives both of these factors.

Standards, Frameworks, and Best Practices

Managing risk is not an ad hoc process. It can be a complex effort and involves establishing a formal program with responsible people leading it. It requires developing procedures and processes that are defined, repeatable, and defendable. Fortunately, you don’t have to reinvent the wheel; most of this work has already been done for you in the form of established frameworks, methods, standards, and practices. One of the first things you’ll want to do when establishing a risk program is to understand what type of framework, processes, standards, and practices you will use since there is a variety to choose from. You must try to use the one that fits your organization the best, and you can’t do that unless you have at least a basic understanding of the more defined, standardized ones used in the industry. Let’s take a moment and discuss the difference between frameworks, standards, and practices.

A framework is a generally overarching methodology for a set of activities or processes. It may not get into the detailed processes and procedures; instead, it provides for a 500-foot view of the general direction and steps used to build a more detailed program or process. A framework is used as an overall architecture for a larger effort. A framework has characteristics that include defined steps and repeatability and can be tailored based upon the organization’s needs. In terms of a risk management framework, you may have a set of general steps defining how to approach risk management, including listing the processes and activities necessary to build such a program or effort. You would then break down these larger steps into specific supporting procedures for this effort based on the needs of your organization and based on standards (described in a moment). Frameworks are typically selected and adopted at the strategic level of corporate management and governance.

A standard is a mandatory set of procedures or processes used by the organization, and standards usually fit into an overall framework. Standards often define more detailed processes or activities used to perform a specific set of tasks. Standards are used for compliance reasons and made mandatory by an organization or its governance. The National Institute of Standards and Technology (NIST) standards are mandatory for use by the U.S. federal government, for instance, but are published as an option for private organizations and industries to adopt if they so choose. If an organization adopts the NIST standards for risk management, for example, then the organization may make them mandatory for use by its personnel. Then all processes and activities for a given effort within the organization would have to use and meet those standards. Some standards define the level of depth or implementation of a security control or measure. The Federal Information Processing Standards (FIPS) for cryptography and encryption are an example of this; they set forth the different levels of encryption strength for various cryptography applications that may be required in certain circumstances. So, if you create security policies and procedures for implementing cryptography within the organization, the FIPS standard could tell you to what level those policies and procedures must be implemented.

A practice is a normalized process that has been tried and proven as generally acceptable within a larger community of practice. Practices could also be developed by a standards organization or a recognized authority regarding a particular subject or particular process. Professional industry organizations or vendors often develop practices documents. You might also see “best practices” promulgated by various industries or organizations, for example. Practices are not usually mandatory but could be made mandatory by the corporate management or other governance if they were so inclined.

The next few sections give more detailed examples of some of the formal frameworks and standards you should be familiar with for the exam and in real life as a risk management professional. We recommend you pay particular attention to the ones developed and published by ISACA; these are listed in the exam task and knowledge statements and will likely be present in some form on the exam. Of course, in this book, we will give only a brief overview of each, so you should take the time to review the actual standards and frameworks in-depth before you sit the exam.

NIST Risk Management Framework

The NIST Risk Management Framework (RMF) is a six-step methodology that provides for risk management all the way through the information systems life cycle. The steps for the RMF are briefly described in the following sections.

Step 1: Categorize Information Systems    This step involves inventorying the types of information on target systems and assigning categorization levels to that information based upon the level of impact that would result if the security goals of confidentiality, integrity, and availability were affected or compromised for that particular information on the system. This step uses subjective values of high, medium, and low to assign values to each of the three goals for a particular type of information. Types of information processed on the system could include business-sensitive information, financial information, protected health information, and so on. FIPS 199, as well as NIST Special Publication 800-60, provides detailed guidance on categorizing information systems.

Step 2: Select Security Controls    Based upon these individual values, as well as an aggregate of them, step 2 involves choosing the applicable security controls you would assign to each information system. This step provides baselines of security controls based upon the high, medium, and low values assigned during step 1. If the aggregate value of information or a system has been rated as high, for example, then the high baseline of security controls is employed for that system. Once the security control baseline has been established, the organization has the latitude and flexibility to add or subtract security controls from the baseline as it sees fit based upon different factors including the applicability of some controls, the environment the system operates within, and so on. You can find the selected controls in the supporting NIST Special Publication 800-53, revision 4, which contains a catalog of all of the NIST controls.

Step 3: Implement Security Controls    In this step, the selected controls are applied to the information systems, and data is processed on those systems. This in itself is a large process that can cover a good deal of the life cycle of the system in question, and it may take significant time and resources. In this step, the organization is essentially securing the information system against any validated threats and protecting identified vulnerabilities.

Step 4: Assess Security Controls    This step is where a lot of security professionals who manage certification and accreditation activities or perform risk assessments come into the picture. During this step, the controls that the organization selects for the information system are formally assessed, verifying that they are implemented correctly and validating that they perform as they were designed. They are assessed based upon their effectiveness in protecting against the threats they were implemented to protect against. During this step, the system is assessed in its current state, with all existing controls and mitigations in place. Based upon the assessment, there may be recommendations for further controls and mitigations, as well as alterations to existing security posture for the system. In this step, the level of risk to the system and its data is normally analyzed and determined.

Step 5: Authorize Information Systems    Step 5 involves the decision from the entity with the power to authorize a system to be implemented and put into operation. This decision is based upon various factors, including the level of risk assessed during step 4, the risk appetite the organization has settled on, and the tolerance for risk that the organization is willing to accept. The decision to authorize a system for use may also come with caveats, including conditional authorization based upon the continued mitigation and reduction of risk by the system or data owner. This authorization is a formal authority for the system to operate, made by someone with the legal authority to make that decision. It is typically in writing and valid for only a specified period of time, after which the system must be reassessed for risk and control compliance.

Step 6: Monitor Security Controls    Continuous monitoring of security controls defines step 6 in the RMF; just because an authorization decision is rendered doesn’t mean that the system will now be operated forever without continually monitoring its security posture for new or increased risks. Existing controls will be monitored for continued compliance and effectiveness against identified threats, new risks will be occasionally discovered for the system as new threats and vulnerabilities are identified, and the system will have to be reauthorized after a certain period of time. Note that the RMF is a cyclical process; all these steps will be re-accomplished for each system at various times over the system life cycle. 
Figure 1-4 summarizes and illustrates the NIST Risk Management Framework.

Figure 1-4    The NIST Risk Management Framework (courtesy of NIST, from Special Publication 800-53, revision 4)


As you can see from Figure 1-4, each step of the RMF has associated NIST publications that provide guidance on performing that particular step. Additionally, however, there are also NIST publications that help you manage the overall risk process within the organization. These publications support the RMF by providing more detail on processes and activities, such as managing risk in the organization, implementing the RMF, and even performing risk analysis. The three primary standards that support the RMF are:

•  SP 800-30, Guide for Conducting Risk Assessments

•  SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

•  SP 800-39, Managing Information Security Risk

Keep in mind that there are other standards, however, that support the individual steps of the RMF. These three provide the overall guidance and detail concerning how to implement the RMF’s processes. 
Appendix A goes into detail on decomposing the different steps and associated publications with the NIST RMF, so see that part of the book for a complete breakdown of the framework.


Control Objectives for Information and Related Technology (COBIT) is a framework developed by ISACA; it covers several key areas in business governance and IT enterprise management. COBIT covers key areas in auditing, compliance, information assurance, IT operations, and security risk management. This framework has been around for several years and through several iterations; COBIT 5 integrates several other frameworks developed by ISACA into a single unified framework, including the Risk IT, Value (Val) IT, and the IT Assurance Framework (ITAF). It also provides for easy integration of other popular frameworks and standards, including The Open Group Architecture Forum (TOGAF), the Project Management Body of Knowledge (PMBOK), the Information Technology Infrastructure Library (ITIL), Projects In Controlled Environments 2 (PRINCE2), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the many International Organization for Standardization (ISO) standards. This interoperability enables new users of COBIT to leverage any of these other standards they have already been using in their adoption of COBIT.

COBIT combines the best of tried-and-true standards into its fold; it is compatible with the principles of ISO/IEC 38500:2008, Corporate Governance of Information Technology, for example, and provides strategy and activities supporting those principles. COBIT also is interoperable, to various degrees, with standards such as the ISO/IEC 27000 series of standards and covers similar security and risk management areas under its domains.

COBIT consists of two layers in its model, governance and management, and separates those two layers into five governance processes and four management domains, respectively. These layers further break down into a total of 37 separate processes. 
Table 1-2 quickly summarizes these layers and domains and the processes they decompose into.


Table 1-2    COBIT 5 Layers, Domains, and Processes

Note that while COBIT covers a variety of business and IT processes and areas, those specific to risk management happen at both layers—governance and management—and are tightly integrated with other processes. COBIT in this regard is not a risk management framework per se, as is NIST’s RMF, but offers a broader view of management and governance across all major areas of a business. The next topic we cover, ISACA’s Risk IT Framework, supports COBIT and provides a more granular view of risk management practices and activities.


NOTE    Understand that while COBIT is important to the overall risk discussion, it is not a risk framework itself. It does, however, support management and governance of not only IT but other critical business areas as well. It also leads into a more detailed discussion on the ISACA Risk IT Framework, which does deal with IT risk.

The Risk IT Framework (ISACA)

The Risk IT Framework is a more concise, risk-related set of processes than offered by its related parent framework, COBIT 5. While COBIT covers the “big picture” of governance and management processes that support risk management programs in the organization, the Risk IT Framework gets more into the key processes of risk management, such as risk governance, evaluation, and response. The Risk IT Framework is also a mere summary of ISACA’s The Risk IT Practitioner Guide, available to ISACA members, which is an even more in-depth treatment of the processes and activities encountered during risk management.

The Risk IT Framework comes from traditional risk management principles of various enterprise risk management standards and describes activities and processes thought of as best practices in the industry. It provides a starting place for establishing these processes—sort of a map to navigate from a nonexistent or immature risk management program to a formalized, defined set of processes. The Risk IT Framework focuses more on the business risks of using IT in the organization’s structure and how risk is involved with the gap often found between IT implementation and business goals. 
Table 1-3 lists the different domains of the Risk IT Framework model, with each of their three major processes.


Table 1-3    The Domains and Processes of ISACA’s Risk IT Framework

Keep in mind that we’ve covered only a few of the risk-related frameworks and standards available in the industry. Also, be aware that we’ve only scratched the surface of these bodies of knowledge in this chapter; a full discussion of every one of them is beyond the scope of this book. You should obtain and review these publications more before you sign up for the exam. There are also many other available frameworks and standards developed and promulgated by other professional organizations, government entities, industries, vendors, and so on. You should be familiar with as many of these as is relevant to your work since they help you turn risk management from “magic” into an art and science for your organization. The frameworks and standards we have described so far are the ones most relevant to your studies for the CRISC exam.


EXAM TIP    While you may not be expected to know the intricate details of each framework described here, it will be helpful to know at least the basic characteristics and descriptions of each. You may be asked to identify a particular characteristic of a framework on the exam.

Business Perspective of IT Risk Management

Up until this point, we have discussed risk strictly from an information security perspective; however, the business aspect of risk management is far more inclusive and broad than the information security focus we have presented so far in this chapter. Although, as an information security professional, you probably tend to look at things through a data protection lens, you must realize that information security risk is really a subset of the risk management considerations that affect the entire organization from a mission or business point of view.

There are several different perspectives of risk in the context of the business environment, most related to legal liability, governance, profitability, market share, and operations sustainability, to name just a few. We could also include risks to intangible elements, such as reputation, consumer confidence, shareholder value, and so on. Opportunity represents potential growth for a business, but opportunity always comes with some level of risk involved. The key to managing this risk is to balance risk of failure with the potential benefits of the business opportunity. Risk tolerance and appetite are factors that figure into this balance for the organization.

In this part of the chapter, we’ll cover the risk of information technology systems from more of an organizational and business perspective. We’ll explain different business and information technology structures and how they affect risk management within the organization. We’ll also cover infrastructure, platforms, and other aspects of technology that can introduce risk into the organization.


CAUTION    Remember that the focus on risk from upper management is usually on business risk, not merely IT risk. IT risk is only a small part of the risks faced by the organization in carrying out its mission and goals. You must sometimes frame risk in terms of the business mission, not only from an information technology perspective.

Business Goals and Objectives

Businesses exist with clear missions, goals, and objectives. The organization is in business for a particular purpose, not merely because people want to come to work every day and socialize. Missions, goals, and objectives directly relate to why the organization is in business in the first place, whether that is to develop and market a product or provide a service. Organizational senior management defines the business’s mission, goals, and objectives, typically on a strategic or long-term level. Senior management also defines the levels of risk tolerance and appetite, based upon factors that include the market space, operational environment, economy, governmental regulation, and so on. These risk levels directly articulate and support the business mission, balancing business opportunity that can generate revenue and move the business forward with potential negative events that may cause the business to fail, or at least have a detrimental impact to the organization.


TIP    Remember that risk appetite and tolerance are directly related to the business mission, although different business pursuits may have varying levels of each. Senior management sets those levels based upon the potential rewards from risky opportunities and the amount of loss the organization could endure if those rewards don’t materialize.

Business Information Criteria

Information is a commodity. Even if the company is in the business of producing goods to bring to market, it still relies on its information and its technology as enablers to produce those goods and deliver them to the market and consumers. Without the ability to generate, process, and otherwise use information, modern businesses would not be able to produce goods or services and compete in market spaces. So, any negative events that affect the organization’s ability to process information directly affect the ability of the organization to survive. Information technology directly supports business goals, objectives, and strategy. All elements of a business endeavor depend upon IT, including the organization’s information or data, its people, its line-of-business applications and systems, and its overall infrastructure, including all of its equipment and processes.

Information technology affects risks to the business enterprise in two ways. First, information technology is used to help protect the enterprise from risk; in other words, it serves to protect the information the business generates and relies on. That’s the purpose of having high-capacity storage, faster networking equipment, redundant systems, and security devices sprinkled throughout the infrastructure. The second way that IT affects risk is that it helps the organization to produce the information needed to fulfill its business goals and objectives in the first place. Without IT, there would be no information processed, no systems designed, and no advanced technologies developed for a business to take to market and compete with. So, IT serves to both protect information and generate it to advance business goals.

The information the business generates and uses has several key characteristics. First, it should be relevant to the processes it supports. It should also be timely; stale information can prevent a business from fulfilling its functions in both the short-term and the long-term. It should also be accurate and complete. This is where information integrity comes in, which is one of the goals of information security. Anything that affects the accuracy and completeness of information is a risk. Information should also be controlled for access. Again, you learned earlier in the chapter that confidentiality is one of the goals of information security; controlled access to information and the systems that process it is a must in order to maintain business function. As you might guess, another characteristic of business information is availability to the users who need it whenever and however they need it. This means that authorized users should have business information on a timely basis and in a format that suits their needs. Risk factors that affect any of these information characteristics, such as relevance, timeliness, integrity, confidentiality, and availability, must be considered in the overall risk management process for the organization. Any detrimental impact on these characteristics presents a risk to the business mission.


EXAM TIP    Many elements of risk management can be traced back to the three information security goals or the security tenets discussed earlier in the chapter. You should be able to examine risk and determine how it can be traced back to (and how it affects) those goals and tenets.

Organizational Structures

How the business is organized can help drive how it deals with risk, in several ways. Most businesses are organized from a functional perspective; in other words, there are departments and other hierarchical structures established to take care of specific functions that contribute to the business goals and objectives. For example, in a production-driven business, there may be a manufacturing or production department, an engineering department, a research and development department, or an assembly line. There will likely be additional departments that cover support functions, such as marketing, accounting and finance, public relations, and so on. A hospital, on the other hand, will be organized according to its specific functions, such as the emergency department, surgery, neurology, radiology, and so on. Businesses in other markets or areas will be organized differently as well. In any case, the organization of the business is structured as its mission and business purposes dictate. There are certain functions that may be found in any business and may deal with information technology, information security, or even legal compliance. These functional areas may have the primary function of dealing with risk, but an important thing to consider is that all different organizational structures, from lower-level work sections to higher-level departments and divisions, have responsibilities regarding risk.

The organization must look at its structure and decide how each individual unit will manage risk at its own level, understanding that risk management must be uniform throughout the entire organization. Another consideration is that risks tend to “roll up,” or be combined at the higher levels of organization. For example, risks that the accounting department incurs are only part of the higher organizational levels’ risks and included in the risk management processes. Each lower-level unit in an organizational hierarchy has risks that are part of the next higher levels’ risk considerations. While individual units may be responsible for only a small piece of the overall organizational risk, their parent units also bear responsibility for managing that risk, as well as the risk of other subordinate units. Another concept relating to organizational structures is that the risk incurred by one part of the organization is borne by all parts of the organization; there is almost no such thing as risk that affects only one small part of the business. Risk ripples across the entire organization in some way.

Each individual unit, whether it is a unit in the lower levels of the business hierarchy or at the highest levels, must take steps to identify, evaluate, and assess risks at their level. Risks may be thought of as tactical, operational, and strategic. Tactical risks are those that are encountered by smaller-level production sections, in other words, those that carry out the day-to-day work of the organization. Operational risks can span several work units and relate to how the business conducts its functions, as well as how the different work units interact with each other. Strategic risk is borne at the higher levels of the organization, including senior management, and involves risks incurred by leading the business toward opportunities and away from decisions that exceed the organization’s capacity for risk appetite and tolerance. Respectively, these three types of risks also correspond to short-term, mid-term, and long-term risks.

Regardless of the level of risk incurred within the organization, there must be an enterprise risk management strategy and program in place to deal with the lower-tier, middle-tier, and higher-tier risks, as well as ensure that all of the risks are managed consistently and uniformly. Governance from the higher levels of the organization affects risk appetite and tolerance and shapes the organization’s risk management strategy throughout all the different hierarchical levels. Organizational structure must support that governance, as well as clearly define lines of authority and responsibility in terms of risk leadership and management.

Information Systems Architecture

The information technology architecture within the organization affects the risk of the business in several ways. Aspects of IT architecture risk include interoperability, supportability, security, maintenance, and how the different pieces and parts of the infrastructure fit into the systems development life cycle. The business views IT as an investment of capital funds, much as it would facilities and other equipment, as a means to an end in supporting the business mission. Information systems represent risk to the business because of the aforementioned interoperability, supportability, security, and other issues. It costs the organization money to maintain and support all of the IT assets within the company, in the form of parts, training for administrators and users, and upgrades. There are also the intangible aspects of IT, such as business value and liability. IT systems affect the bottom line of the organization, so there’s a lot of thought put into managing risk for them. Additionally, you should take care to remember that information technology risk is only a piece of the entire enterprise risk picture. In the next few sections, we’ll talk about different aspects of the information systems architecture and how they contribute to the overall enterprise risk in the organization.


Platforms are the operating systems and distinct architectures the business information systems run on. Businesses could use the Windows and Unix platforms or the Intel and SPARC platforms. Platforms are an element of the IT infrastructure that contributes to the information security and business risk for several reasons. First, it costs to simultaneously maintain different operating systems and environments that come in different platforms. Platforms also introduce risk into the environment in the form of interoperability, security, and supportability. A diverse platform environment (with mixed platforms, such as Windows, Linux, Macs, Unix, and so on) can affect interoperability with other systems because of differing versions of software and different network protocols, security methods, and so on. A diverse environment can also affect supportability because the organization must maintain different skill sets and a wide knowledge base in order to support the diverse platforms.

On the other hand, maintaining a homogeneous environment can reduce costs, ensure interoperability, and allow a more common set of security controls and mechanisms, such as patch management and configuration management. However, there is even risk involved in a homogeneous platform environment because of the likelihood that a vulnerability discovered in one system would also be shared in many others, offering a wider attack vector for a potential malicious actor. It is really a matter of the systems development life cycle (SDLC) as to how and when platforms are developed, introduced into the infrastructure, implemented, maintained, and, eventually, disposed of, and there is risk inherent to all of these different phases, which we’ll discuss more in Chapter 2.


Networks

A network is another aspect of the IT infrastructure that inserts risk into the business environment. While networks are necessary to carry data both within and outside of the organization, these benefits do not come without some degree of risk. Risk can be introduced from a variety of issues, such as unsecured protocols, lack of encryption for data in transit, improper data or system access through weak authentication mechanisms, interception and modification of data, and so on. Networks should be designed to carefully control traffic during all aspects of data transmission, routing, and reception in order for a network to be considered secure.


Applications

Applications introduce risk simply because in this day and age they’re so critical to the operations of businesses. Businesses need not only basic word-processing and spreadsheet software but also complex databases, line-of-business applications, specialized software, security software, and other types of applications. Applications have to be managed to their own life cycles as well; they’re constantly being patched, upgraded, superseded, and replaced by better, faster software with more features that usually cost more. Risks that are inherent to managing applications within an organization include supportability, backward compatibility, data format compatibility, licensing, and proper use.

Adding to this complexity are the decisions an organization makes in terms of selecting proprietary software, open source software, general-purpose commercial software, or highly specialized software. All of these different categories incur different levels of cost, supportability, licensing, and feature sets. Interoperability also plays a part in application risk, like it does with other infrastructure components. Applications that do not use common data formats or produce usable output for the organization create risk of expense or additional work that goes into transforming data between incompatible applications. Applications also introduce risk into the business environment with the level of security mechanisms built into them and how effective those security mechanisms are in protecting data residing in the application.

It’s worth mentioning here that web-based applications, in addition to presenting the same risks as normal client-server apps, also have their own unique risks. Security is a definite risk imposed by web-based applications since they often directly connect to unprotected networks, such as the Internet. Other risks include those that come from the wide variety of web programming languages and standards available for developers to use.


Databases

Databases, as a subset of applications, impose some of the same risks that applications and other software do. Additionally, databases incur risks associated with data aggregation, compatibility, privacy, and security. Aggregation and inference are risks associated with database systems. Unauthorized access and data loss are also huge risks that databases introduce into the enterprise environment.

Operating Systems

Although we discussed platforms in a previous section, it’s worth mentioning operating systems as their own separate risk element in the IT infrastructure. Platforms and operating systems are sometimes used interchangeably, but truthfully, a platform is more a hardware architecture than an operating system categorization. A platform could be an Intel PC or a tablet chipset, for example, which are designed and architected differently and run totally different operating systems. Different operating systems, on the other hand, could run on the same platform but still introduce risk into the organization, for the same reasons discussed previously with applications. First, there are interoperability and supportability risks and all of the other issues that go hand-in-hand with the normal operating system life cycle, such as patch and vulnerability management. Licensing, standardization, level of user control, and configuration are also issues that introduce risk into the organizational computing environment.


EXAM TIP    Although information security professionals tend to focus more on the technical aspects of IT risks, for the exam keep in mind that all IT risks contribute to the overall business risks in the enterprise as well. Make sure you look at the larger picture beyond the IT realm.

Managing Risk Ownership

It makes sense that the organization owns all of the risk that it incurs, which is definitely true to a certain extent. However, within each organization, there are areas that “own” their own piece of risk; in other words, they are responsible for managing it and responding to it. In some cases, they are also responsible for identifying, analyzing, and evaluating risk as it pertains to their functional or defined area. Risk ownership is an effort that requires risk owners to take responsibility for their areas of risk and ensure that the risk is properly managed throughout its life cycle. In this section, we’ll cover risk ownership in-depth and how it relates to the concepts of risk tolerance and appetite that we discussed earlier in the chapter.

Another related area to risk ownership is that of risk awareness training. The reason this is related to risk ownership is that everyone in the organization, including those responsible for managing risk, must be aware of how risk is identified, evaluated, managed, and responded to throughout the organization. They should also be made aware of the risk management strategy the organization uses and their role in that strategy. This section will also cover risk awareness training and how to implement it within the organization.

Risk Ownership

Risk ownership is a concept that provides a focal point for responsibility and accountability for managing risk throughout its life cycle, including identifying it, assessing and evaluating it, responding to it, and monitoring it. Risk owners take responsibility for risk in their own functional domains within an organization, although you should understand that the risk from several areas is usually “rolled up” into overall organizational risk and is owned by the senior executives or board members who are legally responsible for the organization. There are several components to risk ownership.

The first component is governance. Governance, remember, can be external laws and regulations that the organization is required to comply with. It can also be internal regulations and requirements set by senior leadership within the organization. As part of governance, the organization should set a formal risk strategy and risk management plan, which should detail how risk ownership is defined within the organization. Risk ownership may be defined by functional area, hierarchy within the organization, or any number of other factors.

Other components of risk ownership include responsibility, accountability, and the ability to control the resources that can effectively manage risk (people, funding, equipment, supplies, facilities, and so on). Responsibility means someone has been given the formal authority to manage risk, either by position or by specific appointment from the organization’s leaders. A risk owner may have responsibility for a specific area of risk. Responsibility also means that the risk owner bears the burden of being held accountable for their actions in risk management. Accountability means that risk owners must be prepared to take the consequences for success or failure of the risk management efforts. Finally, risk owners must be given the resources and the authority to control those resources in order to effectively manage risk within their area of responsibility. If they have the responsibility and accountability but don’t have any control over resources to help manage risk, they will be quite ineffective and won’t be able to meet their responsibilities.


EXAM TIP    Remember that regardless of what area within the organization is considered a risk owner, ultimately the responsibility for owning and managing risk belongs to the highest level within the organization. This would likely be either the person or the group that has legal liability and responsibility for the organization, such as the chief executive officer (CEO) or the board of directors, as appropriate.

Risk ownership is directly affected by appetite and tolerance. Since these two factors are derived from the organization, they are defined by senior leaders and management, boards of directors, shareholders, and other key entities within the organization. Governance can also help drive risk appetite and tolerance; the organization may establish rules and regulations that strictly limit or are less restrictive toward taking and managing risk. The organization’s take on appetite and tolerance directly affects risk ownership because risk owners must manage the risk within their areas based upon these two factors in order to be in line with the organization. Senior leaders, shareholders, and boards of directors must establish the organizational risk culture in order to give boundaries to risk owners within the organization. They may also require that risk owners consult and validate risk decisions with senior management, based upon different threshold or tolerance levels.


EXAM TIP    Remember that risk acceptance and tolerance come from the senior management levels of the organization and drive the organization’s risk culture. They also drive how risk ownership is defined and structured within the organization.

Risk Awareness

Risk awareness is a necessary part of risk management. It can’t be viewed as simply just another two-hour training session to check a box for management or compliance. Risk awareness is essential because it helps form and maintain the organization’s risk culture. It also educates personnel at all levels of the organization, including employees, managers, and senior leadership, on the organization’s risk strategy, its appetite and tolerance levels for risk, its risk management plan, and other relevant topics necessary to manage risk in the organization. Beyond the education on organizational governance and risk management processes, awareness training can give all members of the organization the knowledge they need to better identify, assess and evaluate, and respond to risk. Risk awareness training may be required for compliance with governance in some cases, but even if it’s not, it should be considered critical to the overall risk management strategy in the organization and given its due consideration in the organizational priority list. The next two sections will discuss the different tools and techniques used in risk awareness training and how to develop a risk awareness program within an organization.

Risk Awareness Tools and Techniques

Like most training, risk awareness training should meet several criteria. First, it should be geared toward specific groups of audiences. This might include basic employee training that everyone receives, more advanced training for managers or senior leaders, and in-depth training for those personnel with assigned risk management responsibilities, such as risk owners, risk analysts, and so on. Second, training shouldn’t be a one-time event. Periodic, recurring training is a good idea simply because it can be used to reinforce and refresh stale knowledge and bring trainees up-to-date on the latest tools, techniques, and risk considerations. Finally, risk awareness training should be well organized and conducted by knowledgeable instructors, both from inside and outside the organization. Internal trainers can give the benefit of the organization’s specific views on risk culture, appetite, and tolerance, while external trainers bring the benefit of objective knowledge and risk management methods from industry.

The subject of the training depends upon the audience, of course. The basics may include familiarization training with rules and regulations regarding risk within the organization, as well as the basic steps of risk management. Basic concepts and definitions may also be provided in familiarization training. Specific training on risk management techniques and tools may be reserved for those employees who have direct risk management responsibilities. There also may need to be training for senior leadership on how to develop risk management strategy and plans for the organization.

There are several ways that an organization can deliver risk awareness training; different combinations of all of them should probably be used to deliver an effective training program. Classroom training is, of course, one standard method. Other methods might include individual-based training that comes from reading, computer-based training, and so on. Employees might also be required to read a risk management handbook that defines the different rules and regulations covering risk within the organization. Specialized training on risk management might have to be provided by an external training provider for those individuals with defined risk management responsibilities.

Developing an Organization Risk Awareness Program

Establishing a risk awareness program in an organization can be a challenge. One way organizations fail is to simply direct someone to develop a training program when the organization has not even established its risk management strategy or plans. Developing the organization’s take on risk is an essential first step before implementing risk awareness training. The organization has to develop, formally if possible, its stance on risk appetite and tolerance, as well as its risk management strategy. It should decide what risk management methodologies it will use, as well as what standards and frameworks. Only then can a training program be developed based upon a good solid risk management framework within the organization.

Establishing the risk awareness training program also requires buy-in from management at all levels. The program should be adequately funded, and allowances should be made for employees to be able to take part in the training. Management should be committed to risk awareness training as part of its overall risk management strategy. Sufficiently trained and experienced instructors or a training program manager should be selected in order to develop and maintain the program. Finally, the training program should articulate not only the risk culture of the organization but also the different risk management needs the organization has. These might include its specific risk factors, threats, vulnerabilities, and so on, taken into account when the training is developed. Employees who participate in risk awareness training should be able to easily put into practice the concepts, tools, and techniques they learn. Additionally, the training program should be periodically evaluated for effectiveness, as well as updated with current risks, governance, tools, and techniques.

Beyond initial or recurring risk awareness training, ongoing communication within the organization is a must for effectively managing risk awareness. Employees in general, but also specifically those with key risk management duties, should be given information on an ongoing basis regarding organizational risks and how to manage and deal with them. Obviously, some information would be restricted from the general organizational population, but specific instances of threats and vulnerabilities, risk factors, and so on, should be provided to risk managers in key areas so they can keep updated on the most current risk posture for the organization.

Exercise 1-1: Developing a Risk Awareness Program

Review any risk awareness training programs, procedures, or documents within your organization. How often is training conducted? Is it geared toward both the general population of the organization and the specific key roles and responsibilities? Does it cover not only regulations but also risk management methodologies and frameworks? What suggestions could you make to your organization regarding the improvement of its risk awareness training program?


TIP    While training programs are sometimes the first things that are cut from the budget or the last things to be developed in a program, don’t underestimate the importance of risk awareness training within the overall risk management strategy. Not only can training make the risk management process within the organization more effective, but it can also help reduce or mitigate risks by itself since it also has the effect of educating people on risk and this alone may even help minimize it.

Legal and Governance

An organization’s way of dealing with risk—how it formulates strategy, risk management plans, risk response methods, and so forth—comes from a desire to succeed in its business, mission, and goals, of course. But risk management can also be compulsory and not just a smart way of doing business. How an organization manages risk is often directive in nature and can come from different types of governance. Governance includes laws, regulations, and statutes, of course, but it also includes organizational directives. Policies, as well as the procedures and standards that support them, are also considered governance. Depending on its source, different types of governance may be legally binding or not. Obviously, laws and statutes are legally binding, while organizational policy may not necessarily be so.

As a risk manager, you should know something about the various laws and regulations that require an organization to engage in a definitive, coherent risk management strategy and process. While a detailed legal discussion of the dozens of laws and regulations that compel an organization to establish a risk management program is beyond the scope of this book, you should have an understanding of some of the key directives that govern risk management with regard to information protection. This section will discuss a few of those key regulations, as well as how to identify the governance that applies to your organization and how that governance drives your risk management strategy.

Laws, Regulations, and Standards

Many of the different laws and regulations that govern risk management in organizations are business sector and data specific; that is, they specifically apply to a particular area or type of data. For instance, the Health Information Portability and Accountability Act (HIPAA) requires hospitals, doctors, clinics, and other healthcare providers to establish a risk management program to protect sensitive healthcare information. HIPAA wouldn’t apply to a bank or financial company, although other laws would. We’ll discuss some of these in the upcoming paragraphs.

One of the most common laws requiring risk management within the information technology world is the Federal Information Security Management Act (FISMA) of 2002. FISMA applies to all U.S. federal government agencies, requiring them to establish information security programs for all federal systems, as well as report risk management and compliance information on an annual basis. FISMA is implemented using various programs within the federal government, depending upon the agency. For example, the U.S. Department of Defense implemented FISMA using the Defense Information Assurance Certification and Accreditation Program (DIACAP) as its vehicle for IT risk management in 2006 but has since replaced it (in March 2014) with NIST’s Risk Management Framework. The RMF, as described earlier, provides a risk management process for use in all federal agencies.

The aforementioned HIPAA applies to healthcare providers in the United States and specifically requires that a formal risk management program be established in its Security Rule subsections. The rule further states that risk assessments be performed on all systems that process electronic protected health information (EPHI). Healthcare providers are subject to periodic audits to verify that the provisions requiring risk management are followed.

The Payment Card Industry Data Security Standards (PCI-DSS) were developed by the members of the payment card industry, such as Visa, MasterCard, and so on, to establish a recognized set of standards for information security that applies across all industry partners (for example, banks, retailers, and card issuers). While more technical in nature, the standards require information security policies, vulnerability management, and other risk-based security controls to protect cardholder data.

Financial institutions (banks, brokerage companies, and so on) are the primary focus of the Gramm-Leach-Bliley Act (GLBA), although it also applies to some extent to other organizations. GLBA requires periodic risk analysis performed on processes that deal with nonpublic financial information and personal financial data. While GLBA was primarily designed to allow certain types of financial institutions to merge and interoperate, important risk management requirements were also put into place with this law, such as the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Protection. These rules were included in this legislation to protect consumer privacy, establish information security safeguards (including risk management and analysis), and guard against social engineering attacks, respectively.

Identifying Legal and Governance Requirements in the Organization

Regardless of the type of market or segment in which your organization is involved, there are likely requirements levied by the law, regulations, contract requirements, and even internal organizational policies that require some type of risk management program to be developed and put into place. Obviously, if your organization is a federal agency, a healthcare provider, or some type of financial institution, then you probably fall under the requirements from one of the laws described earlier. Additionally, if you process any type of consumer credit cards or maintain financial information on individuals, you likely fall under at least the PCI-DSS, if not others. However, even if your organization does not fall under one of the previous categories, you may have legal or regulatory requirements to maintain a risk management program. Often, businesses are members of industry associations or professional organizations that require risk management as a condition of membership. Additionally, contractual agreements with other organizations often have stipulations built in that require risk management.

Some of these nonregulatory requirements may include requirements for the organization to have a risk management program, for the organization to perform risk assessments and analysis, and for the organization to demonstrate due care and diligence in reducing or mitigating risk. While some of these requirements might not be specifically stated as “risk management” activities, they may come in the form of requirements to maintain security policies, require separation of duties or data, implement standard safeguards (such as strong authentication and encryption methods, for example), and periodically test systems for vulnerabilities. Regardless of how they are stated in policies or contracts, these requirements can be legally used to determine liability for an organization in the event its risk management activities are ever questioned.

When determining legal or regulatory requirements for risk management activities, you should consult with both your organization’s legal representatives and its executive management. You should also research any requirements levied by external organizations or contractual obligations. You must take these requirements into account when developing a risk management program, as well as when developing an information security program. These requirements will likely impact the organization’s stance on risk, as well as its levels of risk appetite and tolerance.

Exercise 1-2: Identifying Legal, Regulatory, and Contractual Requirements

For this exercise, you should attempt to identify and record any legal, regulatory, or other requirements levied on your organization that require a risk management program or activities. You could consult your legal department, talk to senior management, or even perform research on similar organizations. In your attempt to identify these requirements, you may actually uncover other sources that could require risk management activities within your organization. How do these requirements affect your business? Do they influence the organization’s risk appetite and tolerance levels? How are information security programs developed and implemented to meet the requirements for risk management levied by these laws, regulations, or contract requirements?

Chapter Review

In this first chapter, we discussed fundamental concepts of both security and risk management. The three goals of security, known as the CIA triad, are confidentiality, integrity, and availability. Supporting these three goals are other elements of security, such as access control, data sensitivity and classification, identification, authentication, authorization, accountability, and, finally, nonrepudiation.

Risk management is the overall process of developing a strategy for addressing risk throughout its life cycle and includes several components, including risk identification, evaluation, and assessment. We discussed the different concepts associated with risk management, including the threat agents, threats, and vulnerabilities that are associated with assets. We also looked at the variables that affect how these elements create risk: likelihood and impact. The relationships between these elements are what define risk. We also looked at the organizational culture and examined the definitions for risk appetite and risk tolerance.

We then defined standards, frameworks, and practices, and we detailed some of the ones relevant to risk management. We looked at the NIST Risk Management Framework, COBIT 5, and the Risk IT Framework.

We then looked at the business perspectives of IT risk management and discussed how risk from the IT perspective is only a subset of the overall enterprise risk. We examined how business views risk from a mission perspective and covered the criteria business information must meet in order to support that mission. Organizational structures also affect the overall business risk since how the business is organized affects how it incurs and manages risk. We also looked at various elements of information systems architecture and some of the inherent risks involved with those elements. Platforms, networks, applications, databases, and operating systems are all elements of the infrastructure that contribute not only to the IT risk but also to the overall enterprise risk.

We then examined concepts of risk ownership and risk awareness. Risk ownership, while ultimately held by the senior levels of the organization, is also shared by people who have responsibilities and accountability to manage risk within their areas of control. Risk awareness is an educational program that should be implemented to provide the right level of risk-related training to both employees and managers. Risk awareness training can actually help reduce risk throughout the organization. Risk awareness also means keeping the members of an organization informed on the current risk environment.

Finally, we concluded this chapter with a discussion of legal, regulatory, and contractual requirements levied on organizations that make risk management programs and activities mandatory. We discussed a few examples of common laws, such as HIPAA, GLBA, and FISMA, as well as the PCI-DSS; they require organizations to implement and maintain formalized risk management activities.

Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication

NIST Special Publication 800-30
Risk Management Guide for Information Technology Systems
Publication Date(s): July 2002
Withdrawal Date: September 2012
Withdrawal Note: SP 800-30 is superseded in its entirety by the publication of SP 800-30 Revision 1 (September 2012).

Superseding Publication(s)

The attached publication has been superseded by the following publication(s):

NIST Special Publication 800-30 Revision 1
Guide for Conducting Risk Assessments
Joint Task Force Transformation Initiative
Publication Date(s): September 2012

Additional Information (if applicable)

Computer Security Division (Information Technology Lab)
Latest revision of the attached publication: SP 800-30 Revision 1 (as of June 19, 2015)

Date updated: June 9, 2015





National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

NIST Special Publication 800-30

Risk Management Guide for Information Technology Systems

Recommendations of the National Institute of Standards and Technology

Gary Stoneburner, Alice Goguen, and Alexis Feringa


The National Institute of Standards and Technology was established in 1988 by Congress to “assist industry in the development of technology . . . needed to improve product quality, to modernize manufacturing processes, to ensure product reliability . . . and to facilitate rapid commercialization … of products based on new scientific

NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry’s competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency’s basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government.

As an agency of the U.S. Commerce Department’s Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST’s research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303.

NIST Special Publication 800-30
Risk Management Guide for Information Technology
Recommendations of the National Institute of Standards and Technology

Gary Stoneburner, Alice Goguen, and

Alexis Feringa


Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

Gaithersburg, MD 20899-8930

July 2002

U.S. Department of Commerce

Donald L. Evans, Secretary

Technology Administration

Phillip J. Bond, Under Secretary of Commerce for Technology

National Institute of Standards and Technology

Arden L. Bement, Jr., Director

Reports on Information Security Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 800-30
Natl. Inst. Stand. Technol. Spec. Publ. 800-30, 54 pages (July 2002)



For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: — Phone: (202) 512-1800 — Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001


The authors, Gary Stoneburner from NIST and Alice Goguen and Alexis Feringa from Booz Allen Hamilton, wish to express their thanks to their colleagues at both organizations who reviewed drafts of this document. In particular, Timothy Grance, Marianne Swanson, and Joan Hash from NIST and Debra L. Banning, Jeffrey Confer, Randall K. Ewell, and Waseem Mamlouk from Booz Allen Hamilton, provided valuable insights that contributed substantially to the technical content of this document. Moreover, we gratefully acknowledge and appreciate the many comments from the public and private sectors whose thoughtful and constructive comments improved the quality and utility of this publication.

SP 800-30 Page iii



1.1 Authority
1.2 Purpose
1.3 Objective
1.4 Target Audience
1.5 Related References
1.6 Guide Structure

2.1 Importance of Risk Management
2.2 Integration of Risk Management into SDLC
2.3 Key Roles

3.1 Step 1: System Characterization
3.1.1 System-Related Information
3.1.2 Information-Gathering Techniques
3.2 Step 2: Threat Identification
3.2.1 Threat-Source Identification
3.2.2 Motivation and Threat Actions
3.3 Step 3: Vulnerability Identification
3.3.1 Vulnerability Sources
3.3.2 System Security Testing
3.3.3 Development of Security Requirements Checklist
3.4 Step 4: Control Analysis
3.4.1 Control Methods
3.4.2 Control Categories
3.4.3 Control Analysis Technique
3.5 Step 5: Likelihood Determination
3.6 Step 6: Impact Analysis
3.7 Step 7: Risk Determination
3.7.1 Risk-Level Matrix
3.7.2 Description of Risk Level
3.8 Step 8: Control Recommendations
3.9 Step 9: Results Documentation

4.1 Risk Mitigation Options
4.2 Risk Mitigation Strategy
4.3 Approach for Control Implementation
4.4 Control Categories
4.4.1 Technical Security Controls
4.4.2 Management Security Controls
4.4.3 Operational Security Controls
4.5 Cost-Benefit Analysis
4.6 Residual Risk

5.1 Good Security Practice
5.2 Keys for Success

Appendix A—Sample Interview Questions
Appendix B—Sample Risk Assessment Report Outline
Appendix C—Sample Implementation Safeguard Plan Summary Table
Appendix D—Acronyms
Appendix E—Glossary
Appendix F—References

Figure 3-1 Risk Assessment Methodology Flowchart
Figure 4-1 Risk Mitigation Action Points
Figure 4-2 Risk Mitigation Methodology Flowchart
Figure 4-3 Technical Security Controls
Figure 4-4 Control Implementation and Residual Risk

Table 2-1 Integration of Risk Management to the SDLC
Table 3-1 Human Threats: Threat-Source, Motivation, and Threat Actions
Table 3-2 Vulnerability/Threat Pairs
Table 3-3 Security Criteria
Table 3-4 Likelihood Definitions
Table 3-5 Magnitude of Impact Definitions
Table 3-6 Risk-Level Matrix
Table 3-7 Risk Scale and Necessary Actions





Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems¹ to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the

This document has been developed by NIST in furtherance of its statutory responsibilities under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996 (specifically 15 United States Code (U.S.C.) 278 g-3 (a)(5)). This is not a guideline within the meaning of 15 U.S.C 278 g-3 (a)(3).

These guidelines are for use by Federal organizations which process sensitive information. They are consistent with the requirements of OMB Circular A-130, Appendix III.

The guidelines herein are not mandatory and binding standards. This document may be used by non-governmental organizations on a voluntary basis. It is not subject to copyright.

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the Office of Management and Budget, or any other Federal official.


Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

¹ The term “IT system” refers to a general support system (e.g., mainframe computer, mid-range computer, local area network, agencywide backbone) or a major application that can run on a general support system and whose use of information resources satisfies a specific set of user requirements.

In addition, this guide provides information on the selection of cost-effective security controls.² These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information.

Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this guide and tailor them to their environment in managing IT-related mission


The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems³ on the basis of the supporting documentation resulting from the performance of risk management.


This guide provides a common foundation for experienced and inexperienced, technical, and non-technical personnel who support or use the risk management process for their IT systems. These personnel include

• Senior management, the mission owners, who make decisions about the IT security

• Federal Chief Information Officers, who ensure the implementation of risk management for agency IT systems and the security provided for these IT systems

• The Designated Approving Authority (DAA), who is responsible for the final decision on whether to allow operation of an IT system

• The IT security program manager, who implements the security program

• Information system security officers (ISSO), who are responsible for IT security

• IT system owners of system software and/or hardware used to support IT functions.

• Information owners of data stored, processed, and transmitted by the IT systems

• Business or functional managers, who are responsible for the IT procurement process

• Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems

• IT system and application programmers, who develop and maintain code that could affect system and data integrity

• IT quality assurance personnel, who test and ensure the integrity of the IT systems and data

• Information system auditors, who audit IT systems

• IT consultants, who support clients in risk management.

² The terms “safeguards” and “controls” refer to risk-reducing measures; these terms are used interchangeably in this guidance document.

³ Office of Management and Budget’s November 2000 Circular A-130, the Computer Security Act of 1987, and the Government Information Security Reform Act of October 2000 require that an IT system be authorized prior to operation and reauthorized at least every 3 years thereafter.


This guide is based on the general concepts presented in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-27, Engineering Principles for IT Security, along with the principles and practices in NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. In addition, it is consistent with the policies presented in Office of Management and Budget (OMB) Circular A-130, Appendix III, “Security of Federal Automated Information Resources”; the Computer Security Act (CSA) of 1987; and the Government Information Security Reform Act of October 2000.


The remaining sections of this guide discuss the following:

• Section 2 provides an overview of risk management, how it fits into the system development life cycle (SDLC), and the roles of individuals who support and use this

• Section 3 describes the risk assessment methodology and the nine primary steps in conducting a risk assessment of an IT system.

• Section 4 describes the risk mitigation process, including risk mitigation options and strategy, approach for control implementation, control categories, cost-benefit analysis, and residual risk.

• Section 5 discusses the good practice and need for an ongoing risk evaluation and assessment and the factors that will lead to a successful risk management program.

This guide also contains six appendixes. Appendix A provides sample interview questions. Appendix B provides a sample outline for use in documenting risk assessment results. Appendix C contains a sample table for the safeguard implementation plan. Appendix D provides a list of the acronyms used in this document. Appendix E contains a glossary of terms used frequently in this guide. Appendix F lists references.


This guide describes the risk management methodology, how it fits into each phase of the SDLC,
and how the risk management process is tied to the process of system authorization (or


Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. Section 3 of this guide describes the risk assessment process, which includes identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures. Section 4 describes risk mitigation, which refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Section 5 discusses the continual evaluation process and keys for implementing a successful risk management program. The DAA or system authorizing official is responsible for determining whether the remaining risk is at an acceptable level or whether additional security controls should be implemented to further reduce or eliminate the residual risk before authorizing (or accrediting) the IT system for operation.

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives. Take the case of home security, for example. Many people decide to have home security systems installed and pay a monthly fee to a service provider to have these systems monitored for the better protection of their property. Presumably, the homeowners have weighed the cost of system installation and monitoring against the value of their household goods and their family’s safety, a fundamental “mission” need.

The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real-world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.


Minimizing negative impact on an organization and need for sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. Effective risk management must be totally integrated into the SDLC. An IT system’s SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. In some cases, an IT system may occupy several of these phases at the same time. However, the risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC. Table 2-1 describes the characteristics of each SDLC phase and indicates how risk management can be performed in support of each

Table 2-1 Integration of Risk Management into the SDLC

Columns: SDLC Phases; Phase Characteristics; Support from Risk Management Activities

Phase 1—Initiation
Phase Characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is
Support from Risk Management Activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations

Phase 2—Development or Acquisition
Phase Characteristics: The IT system is designed, purchased, programmed, developed, or otherwise
Support from Risk Management Activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design trade-offs during system

Phase 3—Implementation
Phase Characteristics: The system security features should be configured, enabled, tested, and verified
Support from Risk Management Activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system

Phase 4—Operation or Maintenance
Phase Characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and
Support from Risk Management Activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces)

Phase 5—Disposal
Phase Characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and
Support from Risk Management Activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic


Risk management is a management responsibility. This section describes the key roles of the personnel who should support and participate in the risk management process.

• Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management

• System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.

• Business and Functional Managers. The managers responsible for business operations and IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.

• ISSO. IT security program managers and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.

• IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

• Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.


Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process, as discussed in Section 4.

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat’s exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). The risk assessment methodology encompasses nine primary steps, which are described in Sections 3.1 through 3.9

• Step 1—System Characterization (Section 3.1)
• Step 2—Threat Identification (Section 3.2)
• Step 3—Vulnerability Identification (Section 3.3)
• Step 4—Control Analysis (Section 3.4)
• Step 5—Likelihood Determination (Section 3.5)
• Step 6—Impact Analysis (Section 3.6)
• Step 7—Risk Determination (Section 3.7)
• Step 8—Control Recommendations (Section 3.8)
• Step 9—Results Documentation (Section 3.9).

Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed. Figure 3-1 depicts these steps and the inputs to and outputs from each step.

[Figure 3-1. Risk Assessment Methodology Flowchart. Three columns (Input, Risk Assessment Activities, Output) showing Steps 1 through 9 with the inputs to and outputs from each step.]


In assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information (e.g., hardware, software, system connectivity, and responsible division or support personnel) essential to defining the risk.

Section 3.1.1 describes the system-related information used to characterize an IT system and its operational environment. Section 3.1.2 suggests the information-gathering techniques that can be used to solicit information relevant to the IT system processing environment.

The methodology described in this document can be applied to assessments of single or multiple, interrelated systems. In the latter case, it is important that the domain of interest and all interfaces and dependencies be well defined prior to applying the methodology.

3.1.1 System-Related Information

Identifying risk for an IT system requires a keen understanding of the system’s processing environment. The person or persons who conduct the risk assessment must therefore first collect system-related information, which is usually classified as follows:

• Hardware

• Software

• System interfaces (e.g., internal and external connectivity)

• Data and information

• Persons who support and use the IT system

• System mission (e.g., the processes performed by the IT system)

• System and data criticality (e.g., the system’s value or importance to an organization)

• System and data sensitivity.⁴

⁴ The level of protection required to maintain system and data integrity, confidentiality, and availability.

Additional information related to the operational environment of the IT system and its data includes, but is not limited to, the following:

• The functional requirements of the IT system

• Users of the system (e.g., system users who provide technical support to the IT system; application users who use the IT system to perform business functions)

• System security policies governing the IT system (organizational policies, federal requirements, laws, industry practices)

• System security architecture

• Current network topology (e.g., network diagram)

• Information storage protection that safeguards system and data availability, integrity, and confidentiality

• Flow of information pertaining to the IT system (e.g., system interfaces, system input and output flowchart)

• Technical controls used for the IT system (e.g., built-in or add-on security product that supports identification and authentication, discretionary or mandatory access control, audit, residual information protection, encryption methods)

• Management controls used for the IT system (e.g., rules of behavior, security

• Operational controls used for the IT system (e.g., personnel security, backup, contingency, and resumption and recovery operations; system maintenance; off-site storage; user account establishment and deletion procedures; controls for segregation of user functions, such as privileged user access versus standard user access)

• Physical security environment of the IT system (e.g., facility security, data center

• Environmental security implemented for the IT system processing environment (e.g., controls for humidity, water, power, pollution, temperature, and chemicals).

For a system that is in the initiation or design phase, system information can be derived from the design or requirements document. For an IT system under development, it is necessary to define key security rules and attributes planned for the future IT system. System design documents and the system security plan can provide useful information about the security of an IT system that is in development.

For an operational IT system, data is collected about the IT system in its production environment, including data on system configuration, connectivity, and documented and undocumented procedures and practices. Therefore, the system description can be based on the security provided by the underlying infrastructure or on future security plans for the IT system.

3.1.2 Information-Gathering Techniques

Any, or a combination, of the following techniques can be used in gathering information relevant to the IT system within its operational boundary:

• Questionnaire. To collect relevant information, risk assessment personnel can develop a questionnaire concerning the management and operational controls planned or used for the IT system. This questionnaire should be distributed to the applicable technical and nontechnical management personnel who are designing or supporting the IT system. The questionnaire could also be used during on-site visits and

• On-site Interviews. Interviews with IT system support and management personnel can enable risk assessment personnel to collect useful information about the IT system (e.g., how the system is operated and managed). On-site visits also allow risk assessment personnel to observe and gather information about the physical, environmental, and operational security of the IT system. Appendix A contains sample interview questions asked during interviews with site personnel to achieve a better understanding of the operational characteristics of an organization. For systems still in the design phase, on-site visit would be face-to-face data gathering exercises and could provide the opportunity to evaluate the physical environment in which the IT system will operate.

• Document Review. Policy documents (e.g., legislative documentation, directives), system documentation (e.g., system user guide, system administrative manual, system design and requirement document, acquisition document), and security-related documentation (e.g., previous audit report, risk assessment report, system test results, system security plan⁵, security policies) can provide good information about the security controls used by and planned for the IT system. An organization’s mission impact analysis or asset criticality assessment provides information regarding system and data criticality and sensitivity.

• Use of Automated Scanning Tool. Proactive technical methods can be used to collect system information efficiently. For example, a network mapping tool can identify the services that run on a large group of hosts and provide a quick way of building individual profiles of the target IT system(s).

Information gathering can be conducted throughout the risk assessment process, from Step 1

(System Characterization) through Step 9 (Results Documentation).

Output from Step 1—Characterization of the IT system assessed, a good picture of the IT
system environment, and delineation of system boundary


A threat is the potential for a particular threat-source to successfully exercise a particular
vulnerability. A vulnerability is a weakness that can
be accidentally triggered or intentionally exploited. A
threat-source does not present a risk when there is no

vulnerability that can be exercised. In determining the

likelihood of a threat (Section 3.5), one must consider

threat-sources, potential vulnerabilities (Section 3.3),

and existing controls (Section 3.4).

Threat: The potential for a threat-

source to exercise (accidentally trigger

or intentionally exploit) a specific


3.2.1 Threat-Source Identification

The goal of this step is to identify the potential

threat-sources and compile a threat statement

listing potential threat-sources that are applicable

to the IT system being evaluated.

Threat-Source: Either (1) intent and method

targeted at the intentional exploitation of a

vulnerability or (2) a situation and method

that may accidentally trigger a vulnerability.

^ During the initial phase, a risk assessment could be used to develop the initial system security plan.

A threat-source is defined as any
circumstance or event with the

potential to cause harm to an IT

system. The common threat-
sources can be natural, human, or


In assessing threat-sources, it is

important to consider all potential

threat-sources that could cause

harm to an IT system and its

processing environment. For

example, although the threat

statement for an IT system

located in a desert may not
include “natural flood” because

of the low likelihood of such an event’s occurring, environmental threats such as a bursting pipe

can quickly flood a computer room and cause damage to an organization’s IT assets and
resources. Humans can be threat-sources through intentional acts, such as deliberate attacks by
malicious persons or disgruntled employees, or unintentional acts, such as negligence and errors.

A deliberate attack can be either (1) a malicious attempt to gain unauthorized access to an IT
system (e.g., via password guessing) in order to compromise system and data integrity,

availability, or confidentiality or (2) a benign, but nonetheless purposeful, attempt to circumvent

system security. One example of the latter type of deliberate attack is a programmer’s writing a
Trojan horse program to bypass system security in order to “get the job done.”

3.2.2 Motivation and Threat Actions

Motivation and the resources for carrying out an attack make humans potentially dangerous

threat-sources. Table 3-1 presents an overview of many of today’s common human threats, their
possible motivations, and the methods or threat actions by which they might carry out an attack.

This information will be useful to organizations studying their human threat environments and
customizing their human threat statements. In addition, reviews of the history of system break-
ins; security violation reports; incident reports; and interviews with the system administrators,

help desk personnel, and user community during information gathering will help identify human
threat-sources that have the potential to harm an IT system and its data and that may be a concern
where a vulnerability exists.

Common Threat-Sources

• Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such

• Human Threats—Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).

• Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.

Table 3-1. Human Threats: Threat-Source, Motivation, and Threat Actions

Threat-Source: Hacker, cracker
Threat Actions:
• Hacking
• Social engineering
• System intrusion, break-ins
• Unauthorized system access

Threat-Source: Computer criminal
Motivation: Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration
Threat Actions:
• Computer crime (e.g., cyber
• Fraudulent act (e.g., replay, impersonation, interception)
• Information bribery
• Spoofing
• System intrusion

Threat Actions:
• Bomb/Terrorism
• Information warfare
• System attack (e.g., distributed denial of service)
• System penetration
• System tampering

Threat-Source: Industrial espionage (companies, foreign governments, other government interests)
Motivation: Competitive advantage; Economic espionage
Threat Actions:
• Economic exploitation
• Information theft
• Intrusion on personal privacy
• Social engineering
• System penetration
• Unauthorized system access (access to classified, proprietary, and/or technology-related

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Motivation: Monetary gain; Unintentional errors and omissions (e.g., data entry error, programming error)
Threat Actions:
• Assault on an employee
• Blackmail
• Browsing of proprietary
• Computer abuse
• Fraud and theft
• Information bribery
• Input of falsified, corrupted data
• Interception
• Malicious code (e.g., virus, logic bomb, Trojan horse)
• Sale of personal information
• System bugs
• System intrusion
• System sabotage
• Unauthorized system access

An estimate of the motivation, resources, and capabilities that may be required to carry out a
successful attack should be developed after the potential threat-sources have been identified, in

order to determine the likelihood of a threat’s exercising a system vulnerability, as described in

Section 3.5.


The threat statement, or the list of potential threat-sources, should be tailored to the individual

organization and its processing environment (e.g., end-user computing habits). In general,

information on natural threats (e.g., floods, earthquakes, storms) should be readily available.

Known threats have been identified by many government and private sector organizations.
Intrusion detection tools also are becoming more prevalent, and government and industry

organizations continually collect data on security events, thereby improving the ability to

realistically assess threats. Sources of information include, but are not limited to, the following:

• Intelligence agencies (for example, the Federal Bureau of Investigation’s National

Infrastructure Protection Center)

• Federal Computer Incident Response Center (FedCIRC)

• Mass media, particularly Web-based resources such as,,, and

Output from Step 2—A threat statement containing a list of threat-sources that could exploit
system vulnerabilities


The analysis of the threat to an IT system

must include an analysis of the

vulnerabilities associated with the system

environment. The goal of this step is to

develop a list of system vulnerabilities

(flaws or weaknesses) that could be

exploited by the potential threat-sources.

Table 3-2 presents examples of vulnerability/threat pairs.

Table 3-2. Vulnerability/Threat Pairs

Vulnerability: Terminated employees’ system identifiers (ID) are not removed from the system
Threat-Source: Terminated employees
Threat Action: Dialing into the company’s network and accessing company proprietary data

Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server
Threat-Source: Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)
Threat Action: Using telnet to XYZ server and browsing system files with the guest ID

Vulnerability: The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system
Threat-Source: Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists)
Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or
internal controls that could be exercised (accidentally triggered or intentionally exploited)
and result in a security breach or a violation of the system’s security policy.

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in
Threat-Source: Fire, negligent persons
Threat Action: Water sprinklers being turned on in the data center

Recommended methods for identifying system vulnerabilities are the use of vulnerability
sources, the performance of system security testing, and the development of a security

requirements checklist.

It should be noted that the types of vulnerabilities that will exist, and the methodology needed to

determine whether the vulnerabilities are present, will usually vary depending on the nature of

the IT system and the phase it is in, in the SDLC:

• If the IT system has not yet been designed, the search for vulnerabilities should focus

on the organization’s security policies, planned security procedures, and system

requirement definitions, and the vendors’ or developers’ security product analyses

(e.g., white papers).

• If the IT system is being implemented, the identification of vulnerabilities should be

expanded to include more specific information, such as the planned security features

described in the security design documentation and the results of system certification

test and evaluation.

• If the IT system is operational, the process of identifying vulnerabilities should

include an analysis of the IT system security features and the security controls,

technical and procedural, used to protect the system.

3.3.1 Vulnerability Sources

The technical and nontechnical vulnerabilities associated with an IT system’s processing

environment can be identified via the information-gathering techniques described in Section

3.1.2. A review of other industry sources (e.g., vendor Web pages that identify system bugs and
flaws) will be useful in preparing for the interviews and in developing effective questionnaires to

identify vulnerabilities that may be applicable to specific IT systems (e.g., a specific version of a
specific operating system). The Internet is another source of information on known system
vulnerabilities posted by vendors, along with hot fixes, service packs, patches, and other

remedial measures that may be applied to eliminate or mitigate vulnerabilities. Documented
vulnerability sources that should be considered in a thorough vulnerability analysis include, but

are not limited to, the following:

• Previous risk assessment documentation of the IT system assessed

• The IT system’s audit reports, system anomaly reports, security review reports, and

system test and evaluation reports

• Vulnerability lists, such as the NIST I-CAT vulnerability database

• Security advisories, such as FedCIRC and the Department of Energy’s Computer
Incident Advisory Capability bulletins

• Vendor advisories

• Commercial computer incident/emergency response teams and post lists (e.g., forum mailings)

• Information Assurance Vulnerability Alerts and bulletins for military systems

• System software security analyses.

3.3.2 System Security Testing

Proactive methods, employing system testing, can be used to identify system vulnerabilities

efficiently, depending on the criticality of the IT system and available resources (e.g., allocated

funds, available technology, persons with the expertise to conduct the test). Test methods


• Automated vulnerability scanning tool

• Security test and evaluation (ST&E)

• Penetration testing.^

The automated vulnerability scanning tool is used to scan a group of hosts or a network for

known vulnerable services (e.g., system allows anonymous File Transfer Protocol [FTP],
sendmail relaying). However, it should be noted that some of the potential vulnerabilities

identified by the automated scanning tool may not represent real vulnerabilities in the context of
the system environment. For example, some of these scanning tools rate potential vulnerabilities

without considering the site’s environment and requirements. Some of the “vulnerabilities”
flagged by the automated scanning software may actually not be vulnerable for a particular site
but may be configured that way because their environment requires it. Thus, this test method
may produce false positives.

ST&E is another technique that can be used in identifying IT system vulnerabilities during the
risk assessment process. It includes the development and execution of a test plan (e.g., test

script, test procedures, and expected test results). The purpose of system security testing is to

test the effectiveness of the security controls of an IT system as they have been applied in an

operational environment. The objective is to ensure that the applied controls meet the approved

security specification for the software and hardware and implement the organization’s security

policy or meet industry standards.

Penetration testing can be used to complement the review of security controls and ensure that

different facets of the IT system are secured. Penetration testing, when employed in the risk

assessment process, can be used to assess an IT system’s ability to withstand intentional attempts

to circumvent system security. Its objective is to test the IT system from the viewpoint of a

threat-source and to identify potential failures in the IT system protection schemes.

The NIST SP draft 800-42, Network Security Testing Overview, describes the methodology for network system

testing and the use of automated tools.

The results of these types of optional security testing will help identify a system’s vulnerabilities.

3.3.3 Development of Security Requirements Checklist

During this step, the risk assessment personnel determine whether the security requirements

stipulated for the IT system and collected during system characterization are being met by

existing or planned security controls. Typically, the system security requirements can be

presented in table form, with each requirement accompanied by an explanation of how the
system’s design or implementation does or does not satisfy that security control requirement.

A security requirements checklist contains the basic security standards that can be used to
systematically evaluate and identify the vulnerabilities of the assets (personnel, hardware,

software, information), nonautomated procedures, processes, and information transfers

associated with a given IT system in the following security areas:

• Management

• Operational

• Technical.

Table 3-3 lists security criteria suggested for use in identifying an IT system’s vulnerabilities in

each security area.

Table 3-3. Security Criteria

Security Area Security Criteria

Management Security
• Assignment of responsibilities

• Continuity of support

• Incident response capability

• Periodic review of security controls

• Personnel clearance and background investigations

• Risk assessment

• Security and technical training

• Separation of duties

• System authorization and reauthorization

• System or application security plan

Operational Security
• Control of air-borne contaminants (smoke, dust, chemicals)

• Controls to ensure the quality of the electrical power supply

• Data media access and disposal

• External data distribution and labeling

• Facility protection (e.g., computer room, data center, office)

• Humidity control

• Temperature control

• Workstations, laptops, and stand-alone personal computers

Technical Security
• Communications (e.g., dial-in, system interconnection, routers)

• Cryptography

• Discretionary access control

• Identification and authentication

• Intrusion detection

• Object reuse

• System audit

The outcome of this process is the security requirements checklist. Sources that can be used in
compiling such a checklist include, but are not limited to, the following government regulatory
and security directives and sources applicable to the IT system processing environment:

• CSA of 1987

• Federal Information Processing Standards Publications

• OMB November 2000 Circular A-130

• Privacy Act of 1974

• System security plan of the IT system assessed

• The organization’s security policies, guidelines, and standards

• Industry practices.

The NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems,
provides an extensive questionnaire containing specific control objectives against which a

system or group of interconnected systems can be tested and measured. The control objectives

are abstracted directly from long-standing requirements found in statute, policy, and guidance on

security and privacy.

The results of the checklist (or questionnaire) can be used as input for an evaluation of

compliance and noncompliance. This process identifies system, process, and procedural

weaknesses that represent potential vulnerabilities.

Output from Step 3—A list of the system vulnerabilities (observations)^ that could be exercised
by the potential threat-sources


The goal of this step is to analyze the controls that have been implemented, or are planned for

implementation, by the organization to minimize or eliminate the likelihood (or probability) of a

threat’s exercising a system vulnerability.

Because the risk assessment report is not an audit report, some sites may prefer to address the identified
vulnerabilities as observations instead of findings in the risk assessment report.

To derive an overall likelihood rating that indicates the probability that a potential vulnerability
may be exercised within the construct of the associated threat environment (Step 5 below), the
implementation of current or planned controls must be considered. For example, a vulnerability

(e.g., system or procedural weakness) is not likely to be exercised or the likelihood is low if there

is a low level of threat-source interest or capability or if there are effective security controls that

can eliminate, or reduce the magnitude of, harm.

Sections 3.4.1 through 3.4.3, respectively, discuss control methods, control categories, and the

control analysis technique.

3.4.1 Control Methods

Security controls encompass the use of technical and nontechnical methods. Technical controls

are safeguards that are incorporated into computer hardware, software, or firmware (e.g., access

control mechanisms, identification and authentication mechanisms, encryption methods,

intrusion detection software). Nontechnical controls are management and operational controls,

such as security policies; operational procedures; and personnel, physical, and environmental


3.4.2 Control Categories

The control categories for both technical and nontechnical control methods can be further

classified as either preventive or detective. These two subcategories are explained as follows:

• Preventive controls inhibit attempts to violate security policy and include such

controls as access control enforcement, encryption, and authentication.

• Detective controls warn of violations or attempted violations of security policy and

include such controls as audit trails, intrusion detection methods, and checksums.

Section 4.4 further explains these controls from the implementation standpoint. The

implementation of such controls during the risk mitigation process is the direct result of the

identification of deficiencies in current or planned controls during the risk assessment process

(e.g., controls are not in place or controls are not properly implemented).

3.4.3 Control Analysis Technique

As discussed in Section 3.3.3, development of a security requirements checklist or use of an

available checklist will be helpful in analyzing controls in an efficient and systematic manner.

The security requirements checklist can be used to validate security noncompliance as well as

compliance. Therefore, it is essential to update such checklists to reflect changes in an

organization’s control environment (e.g., changes in security policies, methods, and

requirements) to ensure the checklist’s validity.

Output from Step 4—List of current or planned controls used for the IT system to mitigate the
likelihood of a vulnerability’s being exercised and reduce the impact of such an adverse event


To derive an overall likelihood rating that indicates the probability that a potential vulnerability
may be exercised within the construct of the associated threat environment, the following
governing factors must be considered:

• Threat-source motivation and capability

• Nature of the vulnerability

• Existence and effectiveness of current controls.

The likelihood that a potential vulnerability could be exercised by a given threat-source can be

described as high, medium, or low. Table 3-4 below describes these three likelihood levels.

Table 3-4. Likelihood Definitions

Likelihood Level Likelihood Definition

High The threat-source is highly motivated and sufficiently capable, and controls to
prevent the vulnerability from being exercised are ineffective.

Medium The threat-source is motivated and capable, but controls are in place that may
impede successful exercise of the vulnerability.

Low The threat-source lacks motivation or capability, or controls are in place to
prevent, or at least significantly impede, the vulnerability from being exercised.

Output from Step 5—Likelihood rating (High, Medium, Low)


The next major step in measuring level of risk is to determine the adverse impact resulting from

a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is

necessary to obtain the following necessary information as discussed in Section 3.1.1:

• System mission (e.g., the processes performed by the IT system)

• System and data criticality (e.g., the system’s value or importance to an organization)

• System and data sensitivity.

This information can be obtained from existing organizational documentation, such as the

mission impact analysis report or asset criticality assessment report. A mission impact analysis
(also known as business impact analysis [BIA] for some organizations) prioritizes the impact
levels associated with the compromise of an organization’s information assets based on a

qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset
criticality assessment identifies and prioritizes the sensitive and critical organization information

assets (e.g., hardware, software, systems, services, and related technology assets) that support the

organization’s critical missions.

If this documentation does not exist or such assessments for the organization’s IT assets have not

been performed, the system and data sensitivity can be determined based on the level of

protection required to maintain the system and data’s availability, integrity, and confidentiality.

Regardless of the method used to determine how sensitive an IT system and its data are, the
system and information owners are the ones responsible for determining the impact level for

their own system and information. Consequently, in analyzing impact, the appropriate approach
is to interview the system and information owner(s).

Therefore, the adverse impact of a security event can be described in terms of loss or degradation

of any, or a combination of any, of the following three security goals: integrity, availability, and

confidentiality. The following list provides a brief description of each security goal and the

consequence (or impact) of its not being met:

• Loss of Integrity. System and data integrity refers to the requirement that

information be protected from improper modification. Integrity is lost if unauthorized

changes are made to the data or IT system by either intentional or accidental acts. If
the loss of system or data integrity is not corrected, continued use of the contaminated

system or corrupted data could result in inaccuracy, fraud, or erroneous decisions.

Also, violation of integrity may be the first step in a successful attack against system
availability or confidentiality. For all these reasons, loss of integrity reduces the

assurance of an IT system.

• Loss of Availability. If a mission-critical IT system is unavailable to its end users,

the organization’s mission may be affected. Loss of system functionality and
operational effectiveness, for example, may result in loss of productive time, thus
impeding the end users’ performance of their functions in supporting the

organization’s mission.

• Loss of Confidentiality. System and data confidentiality refers to the protection of

information from unauthorized disclosure. The impact of unauthorized disclosure of

confidential information can range from the jeopardizing of national security to the

disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional

disclosure could result in loss of public confidence, embarrassment, or legal action

against the organization.

Some tangible impacts can be measured quantitatively in lost revenue, the cost of repairing the
system, or the level of effort required to correct problems caused by a successful threat action.

Other impacts (e.g., loss of public confidence, loss of credibility, damage to an organization’s

interest) cannot be measured in specific units but can be qualified or described in terms of high,

medium, and low impacts. Because of the generic nature of this discussion, this guide designates

and describes only the qualitative categories—high, medium, and low impact (see Table 3.5).

Table 3-5. Magnitude of Impact Definitions

Magnitude of Impact Definition

High Exercise of the vulnerability (1) may result in the highly costly loss of
major tangible assets or resources; (2) may significantly violate, harm, or
impede an organization’s mission, reputation, or interest; or (3) may result
in human death or serious injury.

Medium Exercise of the vulnerability (1) may result in the costly loss of tangible
assets or resources; (2) may violate, harm, or impede an organization’s
mission, reputation, or interest; or (3) may result in human injury.

Low Exercise of the vulnerability (1) may result in the loss of some tangible
assets or resources or (2) may noticeably affect an organization’s
mission, reputation, or interest.

Quantitative versus Qualitative Assessment

In conducting the impact analysis, consideration should be given to the advantages and

disadvantages of quantitative versus qualitative assessments. The main advantage of the

qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate

improvement in addressing the vulnerabilities. The disadvantage of the qualitative analysis is

that it does not provide specific quantifiable measurements of the magnitude of the impacts,

therefore making a cost-benefit analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it provides a measurement of the

impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls.

The disadvantage is that, depending on the numerical ranges used to express the measurement,

the meaning of the quantitative impact analysis may be unclear, requiring the result to be
interpreted in a qualitative manner. Additional factors often must be considered to determine the

magnitude of impact. These may include, but are not limited to

• An estimation of the frequency of the threat-source’s exercise of the vulnerability
over a specified time period (e.g., 1 year)

• An approximate cost for each occurrence of the threat-source’s exercise of the

• A weighted factor based on a subjective analysis of the relative impact of a specific
threat’s exercising a specific vulnerability.

Output from Step 6—Magnitude of impact (High, Medium, or Low)


The purpose of this step is to assess the level of risk to the IT system. The determination of risk

for a particular threat/vulnerability pair can be expressed as a function of

• The likelihood of a given threat-source’s attempting to exercise a given vulnerability

• The magnitude of the impact should a threat-source successfully exercise the

• The adequacy of planned or existing security controls for reducing or eliminating


To measure risk, a risk scale and a risk-level matrix must be developed. Section 3.7.1 presents a
standard risk-level matrix; Section 3.7.2 describes the resulting risk levels.

3.7.1 Risk-Level Matrix

The final determination of mission risk is derived by multiplying the ratings assigned for threat

likelihood (e.g., probability) and threat impact. Table 3.6 below shows how the overall risk
ratings might be determined based on inputs from the threat likelihood and threat impact

categories. The matrix below is a 3 x 3 matrix of threat likelihood (High, Medium, and Low)
and threat impact (High, Medium, and Low). Depending on the site’s requirements and the
granularity of risk assessment desired, some sites may use a 4 x 4 or a 5 x 5 matrix. The latter
can include a Very Low/Very High threat likelihood and a Very Low/Very High threat impact to
generate a Very Low/Very High risk level. A “Very High” risk level may require possible
system shutdown or stopping of all IT system integration and testing efforts.

The sample matrix in Table 3-6 shows how the overall risk levels of High, Medium, and Low are
derived. The determination of these risk levels or ratings may be subjective. The rationale for
this justification can be explained in terms of the probability assigned for each threat likelihood

level and a value assigned for each impact level. For example,

• The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for

Medium, 0.1 for Low

• The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for


Table 3-6. Risk-Level Matrix

Threat Likelihood    Impact: Low (10)    Impact: Medium (50)    Impact: High (100)

High (1.0)           Low                 Medium                 High
                     10 X 1.0 = 10       50 X 1.0 = 50          100 X 1.0 = 100

Medium (0.5)         Low                 Medium                 Medium
                     10 X 0.5 = 5        50 X 0.5 = 25          100 X 0.5 = 50

Low (0.1)            Low                 Low                    Low
                     10 X 0.1 = 1        50 X 0.1 = 5           100 X 0.1 = 10

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)^

3.7.2 Description of Risk Level

Table 3-7 describes the risk levels shown in the above matrix. This risk scale, with its ratings of

High, Medium, and Low, represents the degree or level of risk to which an IT system, facility, or

procedure might be exposed if a given vulnerability were exercised. The risk scale also presents

actions that senior management, the mission owners, must take for each risk level.

Table 3-7. Risk Scale and Necessary Actions

Risk Level Risk Description and Necessary Actions

High If an observation or finding is evaluated as a high risk, there is a
strong need for corrective measures. An existing system may
continue to operate, but a corrective action plan must be put in place
as soon as possible.

Medium If an observation is rated as medium risk, corrective actions are
needed and a plan must be developed to incorporate these actions
within a reasonable period of time.

Low If an observation is described as low risk, the system’s DAA must
determine whether corrective actions are still required or decide to
accept the risk.

Output from Step 7—Risk level (High, Medium, Low)

If the level indicated on certain items is so low as to be deemed to be “negligible” or non significant (value is <1
on risk scale of 1 to 100), one may wish to hold these aside in a separate bucket in lieu of forwarding for
management action. This will make sure that they are not overlooked when conducting the next periodic risk
assessment. It also establishes a complete record of all risks identified in the analysis. These risks may move to a
new risk level on a reassessment due to a change in threat likelihood and/or impact and that is why it is critical
that their identification not be lost in the exercise.
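
The Table 3-6 arithmetic applied to a small risk register, as an added example that is not part of SP 800-30. The `Observation` class, the function names and the sample entries are constructed for illustration, and accepting numeric likelihood or impact values is an assumed extension that makes the footnote's "negligible" (<1) bucket reachable.

```python
from dataclasses import dataclass

# Section 3.7.1 values: probability per threat-likelihood level, value per
# impact level (the Low impact value of 10 is read from Table 3-6).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Observation:
    """One threat/vulnerability pair from the assessment (hypothetical type)."""
    name: str
    likelihood: object  # level name, or a number in 0..1 for a finer scale
    impact: object      # level name, or a number in 0..100


def risk_score(likelihood, impact):
    """Score = likelihood probability x impact value, on a 0-100 scale."""
    p = LIKELIHOOD[likelihood] if isinstance(likelihood, str) else float(likelihood)
    v = IMPACT[impact] if isinstance(impact, str) else float(impact)
    if not (0.0 <= p <= 1.0 and 0.0 <= v <= 100.0):
        raise ValueError("likelihood must be in 0..1 and impact in 0..100")
    return round(p * v, 6)  # rounding absorbs float noise at the 10/50 edges


def risk_level(score):
    """Risk scale under Table 3-6; below 1 is the footnote's negligible bucket."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    if score >= 1:
        return "Low"
    return "Negligible"


def assess(register):
    """Return (items forwarded to management, ranked high to low; items held aside)."""
    rated = []
    for obs in register:
        score = risk_score(obs.likelihood, obs.impact)
        rated.append((obs.name, score, risk_level(score)))
    forward = sorted((r for r in rated if r[2] != "Negligible"),
                     key=lambda r: r[1], reverse=True)
    # Held-aside items stay on record so the next periodic assessment sees them.
    held = [r for r in rated if r[2] == "Negligible"]
    return forward, held


# Constructed sample register (not from the guide).
SAMPLE = [
    Observation("Shared service account on build host", "Low", "Medium"),
    Observation("Flood traffic can exhaust the public DNS front end", "High", "High"),
    Observation("Legacy kiosk holding no sensitive data", 0.05, 10),
    Observation("Unpatched admin console reachable from intranet", "Medium", "High"),
]

if __name__ == "__main__":
    forward, held = assess(SAMPLE)
    for name, score, level in forward:
        print(f"{level:<7} {score:>6.1f}  {name}")
    for name, score, level in held:
        print(f"held aside (score {score}): {name}")
```

Note that a Medium likelihood against a High impact scores exactly 50 and therefore rates Medium, because the High band starts above 50.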



During this step of the process, controls that could mitigate or eliminate the identified risks, as
appropriate to the organization’s operations, are provided. The goal of the recommended
controls is to reduce the level of risk to the IT system and its data to an acceptable level. The
following factors should be considered in recommending controls and alternative solutions to
minimize or eliminate identified risks:

• Effectiveness of recommended options (e.g., system compatibility)

• Legislation and regulation

• Organizational policy

• Operational impact

• Safety and reliability.

The control recommendations are the results of the risk assessment process and provide input to
the risk mitigation process, during which the recommended procedural and technical security
controls are evaluated, prioritized, and implemented.

It should be noted that not all possible recommended controls can be implemented to reduce loss.
To determine which ones are required and appropriate for a specific organization, a cost-benefit
analysis, as discussed in Section 4.6, should be conducted for the proposed recommended
controls, to demonstrate that the costs of implementing the controls can be justified by the
reduction in the level of risk. In addition, the operational impact (e.g., effect on system
performance) and feasibility (e.g., technical requirements, user acceptance) of introducing the
recommended option should be evaluated carefully during the risk mitigation process.

Output from Step 8—Recommendation of control(s) and alternative solutions to mitigate risk


Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks
assessed, and recommended controls provided), the results should be documented in an official
report or briefing.

A risk assessment report is a management report that helps senior management, the mission
owners, make decisions on policy, procedural, budget, and system operational and management
changes. Unlike an audit or investigation report, which looks for wrongdoing, a risk assessment
report should not be presented in an accusatory manner but as a systematic and analytical
approach to assessing risk so that senior management will understand the risks and allocate
resources to reduce and correct potential losses. For this reason, some people prefer to address
the threat/vulnerability pairs as observations instead of findings in the risk assessment report.

Appendix B provides a suggested outline for the risk assessment report.

Output from Step 9—Risk assessment report that describes the threats and vulnerabilities,
measures the risk, and provides recommendations for control implementation



Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and

implementing the appropriate risk-reducing controls recommended from the risk assessment


Because the elimination of all risk is usually impractical or close to impossible, it is the
responsibility of senior management and functional and business managers to use the least-cost
approach and implement the most appropriate controls to decrease mission risk to an acceptable
level, with minimal adverse impact on the organization’s resources and mission.

This section describes risk mitigation options (Section 4.1), the risk mitigation strategy (Section
4.2), an approach for control implementation (Section 4.3), control categories (Section 4.4), the
cost-benefit analysis used to justify the implementation of the recommended controls (Section
4.5), and residual risk (Section 4.6).


Risk mitigation is a systematic methodology used by senior management to reduce mission risk.

Risk mitigation can be achieved through any of the following risk mitigation options:

• Risk Assumption. To accept the potential risk and continue operating the IT system
or to implement controls to lower the risk to an acceptable level

• Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence
(e.g., forgo certain functions of the system or shut down the system when risks are

• Risk Limitation. To limit the risk by implementing controls that minimize the
adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting,

preventive, detective controls)

• Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes,
implements, and maintains controls

• Research and Acknowledgment. To lower the risk of loss by acknowledging the
vulnerability or flaw and researching controls to correct the vulnerability

• Risk Transference. To transfer the risk by using other options to compensate for the
loss, such as purchasing insurance.

The goals and mission of an organization should be considered in selecting any of these risk
mitigation options. It may not be practical to address all identified risks, so priority should be
given to the threat and vulnerability pairs that have the potential to cause significant mission
impact or harm. Also, in safeguarding an organization’s mission and its IT systems, because of
each organization’s unique environment and objectives, the option used to mitigate the risk and
the methods used to implement controls may vary. The “best of breed” approach is to use
appropriate technologies from among the various vendor security products, along with the
appropriate risk mitigation option and nontechnical, administrative measures.



Senior management, the mission owners, knowing the potential risks and recommended controls,
may ask, “When and under what circumstances should I take action? When shall I implement
these controls to mitigate the risk and protect our organization?”

The risk mitigation chart in Figure 4-1 addresses these questions. Appropriate points for
implementation of control actions are indicated in this figure by the word YES.



Figure 4-1. Risk Mitigation Action Points

This strategy is further articulated in the following rules of thumb, which provide guidance on
actions to mitigate risks from intentional human threats:

• When vulnerability (or flaw, weakness) exists — implement assurance techniques
to reduce the likelihood of a vulnerability’s being exercised.

• When a vulnerability can be exercised — apply layered protections, architectural
designs, and administrative controls to minimize the risk of or prevent this


• When the attacker’s cost is less than the potential gain -> apply protections to
decrease an attacker’s motivation by increasing the attacker’s cost (e.g., use of system

controls such as limiting what a system user can access and do can significantly

reduce an attacker’s gain).

• When loss is too great — apply design principles, architectural designs, and
technical and nontechnical protections to limit the extent of the attack, thereby

reducing the potential for loss.

The strategy outlined above, with the exception of the third list item (“When the attacker’s cost
is less than the potential gain”), also applies to the mitigation of risks arising from environmental
or unintentional human threats (e.g., system or user errors). (Because there is no “attacker,” no
motivation or gain is involved.)


When control actions must be taken, the following rule applies:

Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with
minimal impact on other mission capabilities.

The following risk mitigation methodology describes the approach to control implementation:

• Step 1—Prioritize Actions
Based on the risk levels presented in the risk assessment report, the implementation
actions are prioritized. In allocating resources, top priority should be given to risk
items with unacceptably high risk rankings (e.g., risk assigned a Very High or High
risk level). These vulnerability/threat pairs will require immediate corrective action
to protect an organization’s interest and mission.

Output from Step 1—Actions ranking from High to Low

• Step 2—Evaluate Recommended Control Options
The controls recommended in the risk assessment process may not be the most
appropriate and feasible options for a specific organization and IT system. During
this step, the feasibility (e.g., compatibility, user acceptance) and effectiveness (e.g.,
degree of protection and level of risk mitigation) of the recommended control options
are analyzed. The objective is to select the most appropriate control option for
minimizing risk.

Output from Step 2—List of feasible controls

• Step 3—Conduct Cost-Benefit Analysis
To aid management in decision making and to identify cost-effective controls, a cost-benefit
analysis is conducted. Section 4.5 details the objectives and method of
conducting the cost-benefit analysis.

Output from Step 3—Cost-benefit analysis describing the cost and benefits of
implementing or not implementing the controls

• Step 4—Select Control
On the basis of the results of the cost-benefit analysis, management determines the
most cost-effective control(s) for reducing risk to the organization’s mission. The
controls selected should combine technical, operational, and management control
elements to ensure adequate security for the IT system and the organization.

Output from Step 4—Selected control(s)


• Step 5—Assign Responsibility
Appropriate persons (in-house personnel or external contracting staff) who have the
appropriate expertise and skill-sets to implement the selected control are identified,
and responsibility is assigned.

Output from Step 5—List of responsible persons

• Step 6—Develop a Safeguard Implementation Plan
During this step, a safeguard implementation plan^ (or action plan) is developed. The
plan should, at a minimum, contain the following information:

– Risks (vulnerability/threat pairs) and associated risk levels (output from risk
assessment report)

– Recommended controls (output from risk assessment report)

– Prioritized actions (with priority given to items with Very High and High risk


– Selected planned controls (determined on the basis of feasibility, effectiveness,

benefits to the organization, and cost)

– Required resources for implementing the selected planned controls

– Lists of responsible teams and staff

– Start date for implementation

– Target completion date for implementation

– Maintenance requirements.

The safeguard implementation plan prioritizes the implementation actions and
projects the start and target completion dates. This plan will aid and expedite the risk
mitigation process. Appendix C provides a sample summary table for the safeguard
implementation plan.

Output from Step 6—Safeguard implementation plan

• Step 7—Implement Selected Control(s)
Depending on individual situations, the implemented controls may lower the risk
level but not eliminate the risk. Residual risk is discussed in Section 4.6.

Output from Step 7—Residual risk

Figure 4-2 depicts the recommended methodology for risk mitigation.

^ NIST Interagency Report 4749, Sample Statements of Work for Federal Computer Security Services: For Use
In-House or Contracting Out. December 1991.


[Figure: flowchart with Input, Risk Mitigation Activities, and Output columns for Steps 1 through 7]

Figure 4-2. Risk Mitigation Methodology Flowchart



In implementing recommended controls to mitigate risk, an organization should consider
technical, management, and operational security controls, or a combination of such controls, to
maximize the effectiveness of controls for their IT systems and organization. Security controls,
when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s

The control recommendation process will involve choosing among a combination of technical,
management, and operational controls for improving the organization’s security posture. The
trade-offs that an organization will have to consider are illustrated by viewing the decisions
involved in enforcing use of complex user passwords to minimize password guessing and
cracking. In this case, a technical control requiring add-on security software may be more
complex and expensive than a procedural control, but the technical control is likely to be more
effective because the enforcement is automated by the system. On the other hand, a procedural
control might be implemented simply by means of a memorandum to all concerned individuals
and an amendment to the security guidelines for the organization, but ensuring that users
consistently follow the memorandum and guideline will be difficult and will require security
awareness training and user acceptance.

This section provides a high-level overview of some of the control categories. More detailed
guidance about implementing and planning for IT controls can be found in NIST SP 800-18,
Guide for Developing Security Plans for Information Technology Systems, and NIST SP 800-12,
An Introduction to Computer Security: The NIST Handbook.

Sections 4.4.1 through 4.4.3 provide an overview of technical, management, and operational

controls, respectively.

4.4.1 Technical Security Controls

Technical security controls for risk mitigation can be configured to protect against given types of
threats. These controls may range from simple to complex measures and usually involve system
architectures; engineering disciplines; and security packages with a mix of hardware, software,
and firmware. All of these measures should work together to secure critical and sensitive data,
information, and IT system functions. Technical controls can be grouped into the following
major categories, according to primary purpose:

• Support (Section Supporting controls are generic and underlie most IT

security capabilities. These controls must be in place in order to implement other


• Prevent (Section Preventive controls focus on preventing security breaches

from occurring in the first place.

• Detect and Recover (Section These controls focus on detecting and

recovering from a security breach.

Figure 4-3 depicts the primary technical controls and the relationships between them.



[Figure: diagram of technical security controls, including Cryptographic Key Management, Security
Administration, and System Protections (least privilege, object reuse, process separation, etc.)]

Figure 4-3. Technical Security Controls

Supporting Technical Controls

Supporting controls are, by their very nature, pervasive and interrelated with many other
controls. The supporting controls are as follows:

• Identification. This control provides the ability to uniquely identify users, processes,

and information resources. To implement other security controls (e.g., discretionary
access control [DAC], mandatory access control [MAC], accountability), it is

essential that both subjects and objects be identifiable.

• Cryptographic Key Management. Cryptographic keys must be securely managed
when cryptographic functions are implemented in various other controls.
Cryptographic key management includes key generation, distribution, storage, and


• Security Administration. The security features of an IT system must be configured

(e.g., enabled or disabled) to meet the needs of a specific installation and to account

for changes in the operational environment. System security can be built into

operating system security or the application. Commercial off-the-shelf add-on

security products are available.


• System Protections. Underlying a system’s various security functional capabilities
is a base of confidence in the technical implementation. This represents the quality of
the implementation from the perspective both of the design processes used and of the
manner in which the implementation was accomplished. Some examples of system
protections are residual information protection (also known as object reuse), least
privilege (or “need to know”), process separation, modularity, layering, and
minimization of what needs to be trusted.

Preventive Technical Controls

These controls, which can inhibit attempts to violate security policy, include the following:

• Authentication. The authentication control provides the means of verifying the
identity of a subject to ensure that a claimed identity is valid. Authentication
mechanisms include passwords, personal identification numbers, or PINs, and
emerging authentication technology that provides strong authentication (e.g., token,
smart card, digital certificate, Kerberos).

• Authorization. The authorization control enables specification and subsequent
management of the allowed actions for a given system (e.g., the information owner or
the database administrator determines who can update a shared file accessed by a
group of online users).

• Access Control Enforcement. Data integrity and confidentiality are enforced by

access controls. When the subject requesting access has been authorized to access
particular processes, it is necessary to enforce the defined security policy (e.g., MAC
or DAC). These policy-based controls are enforced via access control mechanisms

distributed throughout the system (e.g., MAC sensitivity labels; DAC file permission
sets, access control lists, roles, user profiles). The effectiveness and the strength of

access control depend on the correctness of the access control decisions (e.g., how the
security rules are configured) and the strength of access control enforcement (e.g., the

design of software or hardware security).

• Nonrepudiation. System accountability depends on the ability to ensure that senders

cannot deny sending information and that receivers cannot deny receiving it.

Nonrepudiation spans both prevention and detection. It has been placed in the

prevention category in this guide because the mechanisms implemented prevent the

successful repudiation of an action (e.g., the digital certificate that contains the

owner’s private key is known only to the owner). As a result, this control is typically

applied at the point of transmission or reception.

• Protected Communications. In a distributed system, the ability to accomplish
security objectives is highly dependent on trustworthy communications. The
protected communications control ensures the integrity, availability, and
confidentiality of sensitive and critical information while it is in transit. Protected
communications use data encryption methods (e.g., virtual private network, Internet
Protocol Security [IPSEC] Protocol), and deployment of cryptographic technologies
(e.g., Data Encryption Standard [DES], Triple DES, RSA, MD4, MD5, secure hash
standard, and escrowed encryption algorithms such as Clipper) to minimize network
threats such as replay, interception, packet sniffing, wiretapping, or eavesdropping.





• Transaction Privacy. Both government and private sector systems are increasingly
required to maintain the privacy of individuals. Transaction privacy controls (e.g.,
Secure Sockets Layer, secure shell) protect against loss of privacy with respect to
transactions performed by an individual.

Detection and Recovery Technical Controls

Detection controls warn of violations or attempted violations of security policy and include such

controls as audit trails, intrusion detection methods, and checksums. Recovery controls can be

used to restore lost computing resources. They are needed as a complement to the supporting

and preventive technical measures, because none of the measures in these other areas is perfect.

Detection and recovery controls include

• Audit. The auditing of security-relevant events and the monitoring and tracking of

system abnormalities are key elements in the after-the-fact detection of, and recovery

from, security breaches.

• Intrusion Detection and Containment. It is essential to detect security breaches

(e.g., network break-ins, suspicious activities) so that a response can occur in a timely

manner. It is also of little use to detect a security breach if no effective response can

be initiated. The intrusion detection and containment control provides these two


• Proof of Wholeness. The proof-of-wholeness control (e.g., system integrity tool)

analyzes system integrity and irregularities and identifies exposures and potential

threats. This control does not prevent violations of security policy but detects

violations and helps determine the type of corrective action needed.

• Restore Secure State. This service enables a system to return to a state that is

known to be secure, after a security breach occurs.

• Virus Detection and Eradication. Virus detection and eradication software installed

on servers and user workstations detects, identifies, and removes software viruses to

ensure system and data integrity.

4.4.2 Management Security Controls

Management security controls, in conjunction with technical and operational controls, are

implemented to manage and reduce the risk of loss and to protect an organization’s mission.

Management controls focus on the stipulation of information protection policy, guidelines, and

standards, which are carried out through operational procedures to fulfill the organization’s goals

and missions.

Management security controls—preventive, detection, and recovery—that are implemented to
reduce risk are described in Sections through

Preventive Management Security Controls

These controls include the following:

• Assign security responsibility to ensure that adequate security is provided for the

mission-critical IT systems

• Develop and maintain system security plans to document current controls and address
planned controls for IT systems in support of the organization’s mission

• Implement personnel security controls, including separation of duties, least privilege,

and user computer access registration and termination

• Conduct security awareness and technical training to ensure that end users and system
users are aware of the rules of behavior and their responsibilities in protecting the
organization’s mission.

Detection Management Security Controls

Detection management controls are as follows:

• Implement personnel security controls, including personnel clearance, background

investigations, rotation of duties

• Conduct periodic review of security controls to ensure that the controls are effective

• Perform periodic system audits

• Conduct ongoing risk management to assess and mitigate risk

• Authorize IT systems to address and accept residual risk.

Recovery Management Security Controls

These controls include the following:

• Provide continuity of support and develop, test, and maintain the continuity of

operations plan to provide for business resumption and ensure continuity of

operations during emergencies or disasters

• Establish an incident response capability to prepare for, recognize, report, and

respond to the incident and return the IT system to operational status.

4.4.3 Operational Security Controls

An organization’s security standards should establish a set of controls and guidelines to ensure
that security procedures governing the use of the organization’s IT assets and resources are

properly enforced and implemented in accordance with the organization’s goals and mission.

Management plays a vital role in overseeing policy implementation and in ensuring the

establishment of appropriate operational controls.


Operational controls, implemented in accordance with a base set of requirements (e.g., technical
controls) and good industry practices, are used to correct operational deficiencies that could be
exercised by potential threat-sources. To ensure consistency and uniformity in security
operations, step-by-step procedures and methods for implementing operational controls must be
clearly defined, documented, and maintained. These operational controls include those presented
in Sections and below.

Preventive Operational Controls

Preventive operational controls are as follows:

• Control data media access and disposal (e.g., physical access control, degaussing


• Limit external data distribution (e.g., use of labeling)

• Control software viruses

• Safeguard computing facility (e.g., security guards, site procedures for visitors,

electronic badge system, biometrics access control, management and distribution of

locks and keys, barriers and fences)

• Secure wiring closets that house hubs and cables

• Provide backup capability (e.g., procedures for regular data and system backups,

archive logs that save all database changes to be used in various recovery scenarios)

• Establish off-site storage procedures and security

• Protect laptops, personal computers (PC), workstations

• Protect IT assets from fire damage (e.g., requirements and procedures for the use of

fire extinguishers, tarpaulins, dry sprinkler systems, halon fire suppression system)

• Provide emergency power source (e.g., requirements for uninterruptible power

supplies, on-site power generators)

• Control the humidity and temperature of the computing facility (e.g., operation of air
conditioners, heat dispersal).

Detection Operational Controls

Detection operational controls include the following:

• Provide physical security (e.g., use of motion detectors, closed-circuit television

monitoring, sensors and alarms)

• Ensure environmental security (e.g., use of smoke and fire detectors, sensors and



To allocate resources and implement cost-effective controls, organizations, after identifying all
possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit
analysis for each proposed control to determine which controls are required and appropriate for
their circumstances.

The cost-benefit analysis can be qualitative or quantitative. Its purpose is to demonstrate that the
costs of implementing the controls can be justified by the reduction in the level of risk. For

example, the organization may not want to spend $1,000 on a control to reduce a $200 risk.

A cost-benefit analysis for proposed new controls or enhanced controls encompasses the

• Determining the impact of implementing the new or enhanced controls

• Determining the impact of not implementing the new or enhanced controls

• Estimating the costs of the implementation. These may include, but are not limited
to, the following:

– Hardware and software purchases

– Reduced operational effectiveness if system performance or functionality is
reduced for increased security

– Cost of implementing additional policies and procedures

– Cost of hiring additional personnel to implement proposed policies, procedures, or


– Training costs

– Maintenance costs

• Assessing the implementation costs and benefits against system and data criticality to

determine the importance to the organization of implementing the new controls, given
their costs and relative impact.

The organization will need to assess the benefits of the controls in terms of maintaining an

acceptable mission posture for the organization. Just as there is a cost for implementing a

needed control, there is a cost for not implementing it. By relating the result of not
implementing the control to the mission, organizations can determine whether it is feasible to

forgo its implementation.

Cost-Benefit Analysis Example: System X stores and processes mission-critical and sensitive
employee privacy information; however, auditing has not been enabled for the system. A cost-
benefit analysis is conducted to determine whether the audit feature should be enabled for

System X.

Items (1) and (2) address the intangible impact (e.g., deterrence factors) for implementing or not

implementing the new control. Item (3) lists the tangibles (e.g., actual cost).

(1) Impact of enabling system audit feature: The system audit feature allows the system security
administrator to monitor users’ system activities but will slow down system performance and
therefore affect user productivity. Also the implementation will require additional resources, as
described in Item 3.



(2) Impact of not enabling system audit feature: User system activities and violations cannot be

monitored and tracked if the system audit function is disabled, and security cannot be maximized

to protect the organization’s confidential data and mission.

(3) Cost estimation for enabling the system audit feature:

Cost for enabling system audit feature—No cost, built-in feature $ 0
Additional staff to perform audit review and archive, per year $ xx,xxx
Training (e.g., system audit configuration, report generation) $ x,xxx
Add-on audit reporting software $ x,xxx
Audit data maintenance (e.g., storage, archiving), per year $ x,xxx

Total Estimated Costs $ xx,xxx

The organization’s managers must determine what constitutes an acceptable level of mission

risk. The impact of a control may then be assessed, and the control either included or excluded,
after the organization determines a range of feasible risk levels. This range will vary among
organizations; however, the following rules apply in determining the use of new controls:

• If control would reduce risk more than needed, then see whether a less expensive

alternative exists

• If control would cost more than the risk reduction provided, then find something else

• If control does not reduce risk sufficiently, then look for more controls or a different


• If control provides enough risk reduction and is cost-effective, then use it.
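
The four rules above applied to a set of candidate controls, as an added example rather than anything taken from SP 800-30. It assumes cost and risk reduction are both expressed in yearly dollars; the order in which the rules are checked, the `surplus_ratio` threshold, the verdict names and the sample controls are assumptions made here.

```python
from dataclasses import dataclass


@dataclass
class Control:
    """A candidate control (hypothetical type for this example)."""
    name: str
    annual_cost: float     # purchases, staff, training, maintenance per year
    risk_reduction: float  # expected yearly loss the control removes


def evaluate(control, current_risk, acceptable_risk, surplus_ratio=1.5):
    """Classify one candidate control against the four rules.

    Assumed ordering: cost is checked first, then sufficiency, then overshoot.
    surplus_ratio (assumed) is how far past the needed reduction a control
    may go before a cheaper alternative is worth looking for.
    """
    if control.risk_reduction > current_risk:
        raise ValueError("a control cannot remove more risk than exists")
    needed = current_risk - acceptable_risk
    if needed <= 0:
        return "NOT_NEEDED"            # risk is already at an acceptable level
    if control.annual_cost > control.risk_reduction:
        return "COSTS_MORE_THAN_GAIN"  # costs more than the reduction provided
    if control.risk_reduction < needed:
        return "INSUFFICIENT"          # does not reduce risk sufficiently
    if control.risk_reduction > needed * surplus_ratio:
        return "MORE_THAN_NEEDED"      # check for a less expensive alternative
    return "USE"                       # enough reduction and cost-effective


def select(controls, current_risk, acceptable_risk):
    """Return (verdict per control name, chosen control or None, residual risk)."""
    verdicts = {c.name: evaluate(c, current_risk, acceptable_risk)
                for c in controls}
    usable = [c for c in controls if verdicts[c.name] == "USE"]
    chosen = min(usable, key=lambda c: c.annual_cost) if usable else None
    residual = current_risk - (chosen.risk_reduction if chosen else 0)
    return verdicts, chosen, residual


# Constructed figures: yearly exposure of 12,000 with 6,000 judged acceptable.
CANDIDATES = [
    Control("Add-on audit reporting software", 3000, 7000),
    Control("Round-the-clock review staff", 15000, 11500),
    Control("Policy memorandum only", 200, 1500),
    Control("Full platform replacement", 8000, 11000),
]

if __name__ == "__main__":
    verdicts, chosen, residual = select(CANDIDATES, 12000, 6000)
    for name, verdict in verdicts.items():
        print(f"{verdict:<22} {name}")
    print("chosen:", chosen.name if chosen else None, "residual:", residual)
```

The residual figure returned by `select` is what remains for management to accept or send through another round of the cycle.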

Frequently the cost of implementing a control is more tangible than the cost of not implementing

it. As a result, senior management plays a critical role in decisions concerning the

implementation of control measures to protect the organizational mission.


Organizations can analyze the extent of the risk reduction generated by the new or enhanced
controls in terms of the reduced threat likelihood or impact, the two parameters that define the

mitigated level of risk to the organizational mission.

Implementation of new or enhanced controls can mitigate risk by

• Eliminating some of the system’s vulnerabilities (flaws and weakness), thereby

reducing the number of possible threat-source/vulnerability pairs

• Adding a targeted control to reduce the capacity and motivation of a threat-source

For example, a department determines that the cost for installing and maintaining
add-on security software for the stand-alone PC that stores its sensitive files is not
justifiable, but that administrative and physical controls should be implemented to
make physical access to that PC more difficult (e.g., store the PC in a locked room,
with the key kept by the manager).

• Reducing the magnitude of the adverse impact (for example, limiting the extent of a

vulnerability or modifying the nature of the relationship between the IT system and

the organization’s mission).

The relationship between control implementation and residual risk is graphically presented in
Figure 4-4.

Figure 4-4. Implemented Controls and Residual Risk

The risk remaining after the implementation of new or enhanced controls is the residual risk.
Practically no IT system is risk free, and not all implemented controls can eliminate the risk they

are intended to address or reduce the risk level to zero.

As mandated by OMB Circular A-130, an organization’s senior management or the DAA, who
are responsible for protecting the organization’s IT asset and mission, must authorize (or
accredit) the IT system to begin or continue to operate. This authorization or accreditation must
occur at least every 3 years or whenever major changes are made to the IT system. The intent of
this process is to identify risks that are not fully addressed and to determine whether additional
controls are needed to mitigate the risks identified in the IT system. For federal agencies, after
the appropriate controls have been put in place for the identified risks, the DAA will sign a
statement accepting any residual risk and authorizing the operation of the new IT system or the
continued processing of the existing IT system. If the residual risk has not been reduced to an
acceptable level, the risk management cycle must be repeated to identify a way of lowering the
residual risk to an acceptable level.


In most organizations, the network itself will continually be expanded and updated, its
components changed, and its software applications replaced or updated with newer versions. In
addition, personnel changes will occur and security policies are likely to change over time.
These changes mean that new risks will surface and risks previously mitigated may again
become a concern. Thus, the risk management process is ongoing and evolving.

This section emphasizes the good practice and need for an ongoing risk evaluation and
assessment and the factors that will lead to a successful risk management program.

The risk assessment process is usually repeated at least every 3 years for federal agencies, as
mandated by OMB Circular A-130. However, risk management should be conducted and
integrated in the SDLC for IT systems, not because it is required by law or regulation, but
because it is a good practice and supports the organization’s business objectives or mission.
There should be a specific schedule for assessing and mitigating mission risks, but the
periodically performed process should also be flexible enough to allow changes where
warranted, such as major changes to the IT system and processing environment due to changes
resulting from policies and new technologies.

A successful risk management program will rely on (1) senior management’s commitment; (2)
the full support and participation of the IT team (see Section 2.3); (3) the competence of the risk
assessment team, which must have the expertise to apply the risk assessment methodology to a
specific site and system, identify mission risks, and provide cost-effective safeguards that meet
the needs of the organization; (4) the awareness and cooperation of members of the user
community, who must follow procedures and comply with the implemented controls to
safeguard the mission of their organization; and (5) an ongoing evaluation and assessment of the
IT-related mission risks.


APPENDIX A: Sample Interview Questions

Interview questions should be tailored based upon where the IT system assessed is in the SDLC.
Sample questions to be asked during interviews with site personnel to gain an understanding of
the operational characteristics of an organization may include the following:

• Who are valid users?

• What is the mission of the user organization?

• What is the purpose of the system in relation to the mission?

• How important is the system to the user organization’s mission?

• What is the system-availability requirement?

• What information (both incoming and outgoing) is required by the organization?

• What information is generated by, consumed by, processed on, stored in, and
retrieved by the system?

• How important is the information to the user organization’s mission?

• What are the paths of information flow?

• What types of information are processed by and stored on the system (e.g., financial,
personnel, research and development, medical, command and control)?

• What is the sensitivity (or classification) level of the information?

• What information handled by or about the system should not be disclosed and to

• Where specifically is the information processed and stored?

• What are the types of information storage?

• What is the potential impact on the organization if the information is disclosed to
unauthorized personnel?

• What are the requirements for information availability and integrity?

• What is the effect on the organization’s mission if the system or information is not

• How much system downtime can the organization tolerate? How does this downtime
compare with the mean repair/recovery time? What other processing or
communications options can the user access?

• Could a system or security malfunction or unavailability result in injury or death?





I. Introduction

• Purpose

• Scope of this risk assessment

Describe the system components, elements, users, field site locations (if any), and any other
details about the system to be considered in the assessment.

II. Risk Assessment Approach

Briefly describe the approach used to conduct the risk assessment, such as

• The participants (e.g., risk assessment team members)

• The technique used to gather information (e.g., the use of tools, questionnaires)

• The development and description of risk scale (e.g., a 3×3, 4×4, or 5×5 risk-level

III. System Characterization

Characterize the system, including hardware (server, router, switch), software (e.g., application,
operating system, protocol), system interfaces (e.g., communication link), data, and users.
Provide connectivity diagram or system input and output flowchart to delineate the scope of this
risk assessment effort.

IV. Threat Statement

Compile and list the potential threat-sources and associated threat actions applicable to the
system assessed.

V. Risk Assessment Results

List the observations (vulnerability/threat pairs). Each observation must include

• Observation number and brief description of observation (e.g., Observation 1: User
system passwords can be guessed or cracked)

• A discussion of the threat-source and vulnerability pair

• Identification of existing mitigating security controls

• Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)

• Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)

• Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)

• Recommended controls or alternative options for reducing the risk.

VI. Summary

Total the number of observations. Summarize the observations, the associated risk levels, the
recommendations, and any comments in a table format to facilitate the implementation of
recommended controls during the risk mitigation process.





AES Advanced Encryption Standard

CSA Computer Security Act

DAA Designated Approving Authority

DAC Discretionary Access Control

DES Data Encryption Standard

FedCIRC Federal Computer Incident Response Center

FTP File Transfer Protocol

ID Identifier

IPSEC Internet Security Protocol

ISSO Information system security officer

IT Information Technology

ITL Information Technology Laboratory

MAC Mandatory Access Control

NIPC National Infrastructure Protection Center

NIST National Institute of Standards and Technology

OIG Office of Inspector General

OMB Office of Management and Budget

PC Personal Computer

SDLC System Development Life Cycle

SP Special Publication

ST&E Security Test and Evaluation









The security goal that generates the requirement for actions of an entity to
be traced uniquely to that entity. This supports nonrepudiation, deterrence,
fault isolation, intrusion detection and prevention, and after-action recovery
and legal action.

Grounds for confidence that the other four security goals (integrity,
availability, confidentiality, and accountability) have been adequately met
by a specific implementation. “Adequately met” includes (1) functionality
that performs correctly, (2) sufficient protection against unintentional errors
(by users or software), and (3) sufficient resistance to intentional penetration
or bypass.

The security goal that generates the requirement for protection against

• Intentional or accidental attempts to (1) perform unauthorized deletion
of data or (2) otherwise cause a denial of service or data

• Unauthorized use of system resources.

The security goal that generates the requirement for protection from
intentional or accidental attempts to perform unauthorized data reads.
Confidentiality covers data in storage, during processing, and in transit.

Denial of Service: The prevention of authorized access to resources or the delaying of
time-critical operations.

Due Care: Managers and their organizations have a duty to provide for information
security to ensure that the type of control, the cost of control, and the
deployment of control are appropriate for the system being managed.

The security goal that generates the requirement for protection against either
intentional or accidental attempts to violate data integrity (the property that
data has when it has not been altered in an unauthorized manner) or system
integrity (the quality that a system has when it performs its intended
function in an unimpaired manner, free from unauthorized manipulation).

IT-Related Risk: The net mission impact considering (1) the probability that a particular
threat-source will exercise (accidentally trigger or intentionally exploit) a
particular information system vulnerability and (2) the resulting impact if
this should occur. IT-related risks arise from legal liability or mission loss
due to

1. Unauthorized (malicious or accidental) disclosure, modification, or
destruction of information

2. Unintentional errors and omissions

3. IT disruptions due to natural or man-made disasters

4. Failure to exercise due care and diligence in the implementation and
operation of the IT system.

IT Security Goal: See Security Goals

Within this document, synonymous with IT-Related Risk.

Risk Assessment: The process of identifying the risks to system security and determining the
probability of occurrence, the resulting impact, and additional safeguards
that would mitigate this impact. Part of Risk Management and synonymous
with Risk Analysis.

Risk Management: The total process of identifying, controlling, and mitigating information
system-related risks. It includes risk assessment; cost-benefit analysis; and
the selection, implementation, test, and security evaluation of safeguards.
This overall system security review considers both effectiveness and
efficiency, including impact on the mission and constraints due to policy,
regulations, and laws.

Information system security is a system characteristic and a set of
mechanisms that span the system both logically and physically.

Security Goals: The five security goals are integrity, availability, confidentiality,
accountability, and assurance.

The potential for a threat-source to exercise (accidentally trigger or
intentionally exploit) a specific vulnerability.

Either (1) intent and method targeted at the intentional exploitation of a
vulnerability or (2) a situation and method that may accidentally trigger a

Threat Analysis: The examination of threat-sources against system vulnerabilities to
determine the threats for a particular system in a particular operational

A flaw or weakness in system security procedures, design, implementation,
or internal controls that could be exercised (accidentally triggered or
intentionally exploited) and result in a security breach or a violation of the
system’s security policy.


Computer Systems Laboratory Bulletin. Threats to Computer Systems: An Overview.
March 1994.

NIST Interagency Reports 4749. Sample Statements of Work for Federal Computer Security
Services: For Use In-House or Contracting Out. December 1991.

NIST Special Publication 800-12. An Introduction to Computer Security: The NIST Handbook.
October 1995.

NIST Special Publication 800-14. Generally Accepted Principles and Practices for Securing
Information Technology Systems. September 1996. Co-authored with Barbara Guttman.

NIST Special Publication 800-18. Guide For Developing Security Plans for Information
Technology Systems. December 1998. Co-authored with Federal Computer Security Managers’
Forum Working Group.

NIST Special Publication 800-26. Security Self-Assessment Guide for Information Technology
Systems. August 2001.

NIST Special Publication 800-27. Engineering Principles for IT Security. June 2001.

OMB Circular A-130. Management of Federal Information Resources. Appendix III.
November 2000.


Technical Publications


Journal of Research of the National Institute of Standards and Technology—Reports NIST research
and development in those disciplines of the physical and engineering sciences in which the Institute is
active. These include physics, chemistry, engineering, mathematics, and computer sciences. Papers cover a
broad range of subjects, with major emphasis on measurement methodology and the basic technology
underlying standardization. Also included from time to time are survey articles on topics closely related to
the Institute’s technical and scientific programs. Issued six times a year.

Monographs—Major contributions to the technical literature on various subjects related to the Institute’s
scientific and technical activities.

Handbooks—Recommended codes of engineering and industrial practice (including safety codes)
developed in cooperation with interested industries, professional organizations, and regulatory bodies.

Special Publications—Include proceedings of conferences sponsored by NIST, NIST annual reports, and
other special publications appropriate to this grouping such as wall charts, pocket cards, and bibliographies.

National Standard Reference Data Series—Provides quantitative data on the physical and chemical
properties of materials, compiled from the world’s literature and critically evaluated. Developed under a
worldwide program coordinated by NIST under the authority of the National Standard Data Act (Public
Law 90-396). NOTE: The Journal of Physical and Chemical Reference Data (JPCRD) is published
bimonthly for NIST by the American Institute of Physics (AIP). Subscription orders and renewals are
available from AIP, P.O. Box 503284, St. Louis, MO 63150-3284.

Building Science Series—Disseminates technical information developed at the Institute on building
materials, components, systems, and whole structures. The series presents research results, test methods,
and performance criteria related to the structural and environmental functions and the durability and safety
characteristics of building elements and systems.

Technical Notes—Studies or reports which are complete in themselves but restrictive in their treatment of
a subject. Analogous to monographs but not so comprehensive in scope or definitive in treatment of the
subject area. Often serve as a vehicle for final reports of work performed at NIST under the sponsorship of
other government agencies.

Voluntary Product Standards—Developed under procedures published by the Department of Commerce
in Part 10, Title 15, of the Code of Federal Regulations. The standards establish nationally recognized
requirements for products, and provide all concerned interests with a basis for common understanding of
the characteristics of the products. NIST administers this program in support of the efforts of private-sector
standardizing organizations.

Order the following NIST publications—FIPS and NISTIRs—from the National Technical Information
Service, Springfield, VA 22161.

Federal Information Processing Standards Publications (FIPS PUB)—Publications in this series
collectively constitute the Federal Information Processing Standards Register. The Register serves as the
official source of information in the Federal Government regarding standards issued by NIST pursuant to
the Federal Property and Administrative Services Act of 1949 as amended, Public Law 89-306 (79 Stat.
1127), and as implemented by Executive Order 11717 (38 FR 12315, dated May 11, 1973) and Part 6 of
Title 15 CFR (Code of Federal Regulations).

NIST Interagency or Internal Reports (NISTIR)—The series includes interim or final reports on work
performed by NIST for outside sponsors (both government and nongovernment). In general, initial
distribution is handled by the sponsor; public distribution is handled by sales through the National
Technical Information Service, Springfield, VA 22161, in hard copy, electronic media, or microfiche form.
NISTIR’s may also report results of NIST projects of transitory or limited interest, including those that will
be published subsequently in more comprehensive form.




The Definitive Cybersecurity Guide
for Directors and Officers

Published by

Navigating the Digital Age: The Definitive
Cybersecurity Guide for Directors and
Officers

Publisher: Tim Dempsey

Editor: Matt Rosenquist

Design and Composition: Graphic World, Inc.

Printing and Binding: Transcontinental Printing

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
is published by:
Caxton Business & Legal, Inc.
27 North Wacker Drive, Suite 601
Chicago, IL 60606
Phone: +1 312 361 0821
Email: [email protected]

First published: 2015
ISBN: 978-0-9964982-0-3

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
© October 2015

Cover illustration by Tim Heraldo

Copyright in individual chapters rests with the authors. No photocopying: copyright licenses do not apply.

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (the Guide) contains
summary information about legal and regulatory aspects of cybersecurity governance and is current as of
the date of its initial publication (October 2015). Although the Guide may be revised and updated at some
time in the future, the publishers and authors do not have a duty to update the information contained in
the Guide, and will not be liable for any failure to update such information. The publishers and authors
make no representation as to the completeness or accuracy of any information contained in the Guide.

This guide is written as a general guide only. It should not be relied upon as a substitute for specific
professional advice. Professional advice should always be sought before taking any action based on the
information provided. Every effort has been made to ensure that the information in this guide is correct at
the time of publication. The views expressed in this guide are those of the authors. The publishers and
authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility
to verify any information contained in the Guide before relying upon it.

New York Stock Exchange – Tom Farley, President

No issue today has created more concern within corporate
C-suites and boardrooms than cybersecurity risk. With
the ability to shatter a company’s reputation with their
customers and draw criticism from shareholders, lawsuits
from affected parties, and attention from the media, the
threat of cyber risk is ubiquitous and insidious. No company,
region, or industry is immune, which makes the
responsibility to oversee, manage, and mitigate cyber risk
a top-down priority in every organization.

The New York Stock Exchange has long advocated that
exemplary governance and risk oversight is fundamental
to the health of individual companies, as well as to the
sound operation of our capital markets. In other words,
we too take the threat very seriously. Today, managing
cybersecurity risk has expanded far beyond the realm of
IT; it has become a business continuity necessity to ensure
shareholder value remains intact and that privacy and
corporate intellectual property is protected. Accordingly,
those responsibilities are weighing heavily on corporate
executives and directors, making it vital for them to better
understand and prepare for the evolving cybersecurity

Cyber risk ultimately poses a threat to confidence, a
foundational aspect of U.S. corporate issuers and markets.
We are taking a leadership role on many fronts, such as
reducing market fragmentation and complexity, as well
as increasing efficiency through the highest levels of
intelligence, analytics, and technology. Confidence in the
integrity and security of our assets is concurrent with our
success—as it is for every other company operating in the
public markets today.

Moreover, because the public markets have become
increasingly reliant on interdependent technology systems,
the threat looms even larger. As we witnessed during
the 2008 financial crisis, rarely does any failure happen
in a vacuum; therefore, the threat of systemic disruption
has taken on an even higher level of prominence and
concern among regulators and policymakers worldwide.

It is important that companies remain vigilant, taking
steps to proactively and intelligently address cybersecurity
risk within their organizations. Beyond the
technological solutions developed to defend
and combat breaches, we can accomplish
even more through better training, awareness,
and insight on human behavior.
Confidence, after all, is not a measure of
technological systems, but of the people who
are entrusted to manage them.

With insights from the preeminent
authorities on cybersecurity today, this
groundbreaking, practical guide to cybersecurity
has been developed to reflect a body
of knowledge that is unsurpassed on this
topic. At the heart of effective risk management
must be a thorough understanding of
the risks as well as pragmatic solutions.
Thank you for your continued partnership
with the New York Stock Exchange, and we
look forward to continuing to support your
requirements in this dynamic landscape.

Visa Inc. – Charles W. Scharf, CEO

For years, cybersecurity was an issue that consumers,
executive management, and boards of directors took for
granted. They were able to do so because the technologists
did not. The technologists worked every day to
protect their systems from attack, and they were quite
effective for many years. We sit here today in a very different
position. The threats are bigger than ever before
and growing in frequency and severity every day.
Cybersecurity is now something everyone needs to think
about, whether it’s in your personal or professional life.
What worked in the past is not enough to protect us in the
present and future.

So what has changed?

First of all, the technology platforms of today are bigger
targets than ever given the breadth and criticality of
items they control. Second, the amount and value of the
data that we all produce and store has grown exponentially.
The data is a gold mine for criminals. Third, the
interconnectedness of the world just makes it easier for
more people—regardless of geography—to be able to
steal or disrupt. And fourth, the perpetrators are more
sophisticated, better organized, better funded, and harder
to bring to justice than ever before.

So the problem is different, and what we all do about it
is different.

This is not simply an IT issue. It is a business problem
of the highest level. Protecting our data and our
systems is core to business today. And that means that
having an outstanding cybersecurity program also
can’t detract from our objectives around innovation,
speed, and performance.

Security has been a top priority at Visa for decades. It
is foundational to delivering our brand promise. To be
the best way to pay and be paid, we must be the most
secure way to pay and be paid. We cannot ask people to
use our products unless they believe that we are just that.
Thus we must guard carefully both the security of our
own network and company and the security of the broader
payments ecosystem.

There are several elements that we have
found to be critical to ensuring an effective
security program at Visa.

• Be open and honest about the effectiveness
of your security program and regularly
share an honest assessment of your security
posture with the executive team and board.
We use a data-driven approach that scores
our program across five categories: risk
intelligence, malware prevention, vulnerability
management, identity and access
management, and detection and response.
Scores move up and down not only as our
defenses improve or new vulnerabilities
are discovered but also as threats change.
The capabilities of the adversaries are
growing, and you need a dynamic
approach to measurement.

• Invest in security before investing
elsewhere. A well-controlled environment
gives you the license to do other things.
Great and innovative products and
services will only help you win if you
have a well-protected business.

• Don’t leave the details to others. Active,
hands-on engagement by the executive
team and the board is required. The risk
is existential. Nothing is more important.
Your involvement will produce better
results as well as make sure the whole
organization understands just how
important the issue is.

• Never think you’ve done enough. The
bad guys are smart and getting smarter.
They aren’t resting, and they have more
resources than ever. Assume they will

Defending against cyberthreats is not something
that we can solve for our company in a
vacuum. At Visa, we must protect not only
our own network but the whole payments
ecosystem. This came to life for us in late
2013 when some of the largest U.S. retailers
and financial institutions in the U.S. reported
data breaches. Tens of millions of consumer
accounts had been compromised—a pivotal
moment for our industry.

The losses experienced by our clients,
combined with the impact on consumer confidence,
galvanized our industry to take
actions that, we believe, will have a meaningful
and lasting effect on how the world
manages sensitive consumer data—not just

We are taking action as an ecosystem, to
collaborate and share information across
industries and with law enforcement and
governments and to develop new technologies
that will allow us to prevent attacks and
respond to threats in the future.

• Protect payments at physical retailers.
Fraudsters have targeted the point-of-sale
environment at leading U.S. retailers,
capturing consumer account information
and forcing the reissuance of millions
of payment cards. As an industry we
are rapidly introducing EMV (Europay,
MasterCard, and Visa) chip payment
technology in the United States. Chip-enabled
payment cards and terminals
work in concert to generate dynamic
data with each transaction, rendering the
transaction data useless to fraudsters.

• Protect online payments. Consumer
purchases online and with mobile devices
are growing at a significant rate. In order
to prevent cyberattacks and fraudulent
use of consumer accounts online, Visa and
the global payments industry adopted
a new payment standard for online
payments. The new standard replaces the
16-digit account number with a digital
token that is used to process online
payments without exposing consumer
account information.

• Collaborate and share information.
Sharing threat intelligence is a necessity
rather than a “nice to have,” allowing
merchants, financial institutions, and
payment networks like Visa to rapidly
detect and respond to cyberattacks.
Public and private partnerships are
also critical to creating the most robust
community of threat intelligence, so we
also work closely with law enforcement
and governments. At the heart of Visa’s
security strategy is the concept of “cyber
fusion,” which is centered on the principle
of shared intelligence—a framework to
collect, analyze, and leverage cyberthreat
intelligence, internally and externally,
to build a better defense for the whole

Championing security is one of Visa’s six
strategic goals. This is an area where there
are no grades—it is pass or fail, and pass is
the only option. Cybersecurity needs to be
part of the fabric of every company and
every industry, integrated into every business
process and every employee action.
And it begins and ends at the top. It is job
number one.


New York Stock Exchange — Tom Farley, President

Visa Inc. — Charles W. Scharf, CEO

Introductions — The cyberthreat in the digital age

Palo Alto Networks Inc. — Mark McLaughlin, CEO

The Chertoff Group — Michael Chertoff, Executive Chairman
and Former United States Secretary of Homeland Security and Jim
Pflaging, Principal

Georgia Institute of Technology, Institute for Information
Security & Privacy — Jody R. Westby, Esq., Adjunct Professor

Institutional Shareholder Services Inc. — Patrick McGurn,
ISS Special Counsel and Martha Carter, ISS Global Head
of Research

World Economic Forum — Elena Kvochko, co-author of
Towards the Quantification of Cyber Threats report and Danil
Kerimi, Director, Center for Global Industries

Internet Security Alliance — Larry Clinton, CEO

Former CIO of The United States Department
of Energy — Robert F. Brese

I. Cyber risk and the board of directors

Orrick, Herrington & Sutcliffe LLP — Antony Kim, Partner;
Aravind Swaminathan, Partner; and Daniel Dunne, Partner




Fish & Richardson P.C. — Gus P. Coldebella, Principal
and Caroline K. Simons, Associate

Internet Security Alliance and National Association
of Corporate Directors — Larry Clinton, CEO of ISA
and Ken Daly, President and CEO of NACD

Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing

Dell SecureWorks — Mike Cote, CEO

II. Cyber risk corporate structure

Palo Alto Networks Inc. — Davis Hake, Director
of Cybersecurity Strategy

Coalfire — Larry Jones, CEO and Rick Dakin, CEO

III. Cybersecurity legal and regulatory

Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Dean Forbes, Senior Associate, Agatha O’Malley,
Senior Associate, Jaqueline Cooney, Lead Associate and
Waiching Wong, Associate

Data Risk Solutions: BuckleySandler LLP & Treliant Risk
Advisors LLC — Elizabeth McGinn, Partner; Rena Mears,
Managing Director; Stephen Ruckman, Senior Associate;
Tihomir Yankov, Associate; and Daniel Goldstein, Senior



Baker & McKenzie — David Lashway, Partner; John Woods,
Partner; Nadia Banno, Counsel, Dispute Resolution; and
Brandon H. Graves, Associate

K&L Gates LLP — Roberta D. Anderson, Partner

Wilson Elser Moskowitz Edelman & Dicker LLP — Melissa
Ventrone, Partner and Lindsay Nickle, Partner

Fish & Richardson P.C. — Gus P. Coldebella, Principal

Latham & Watkins LLP — Jennifer Archie, Partner

Kaye Scholer LLP — Adam Golodner, Partner

Pillsbury Winthrop Shaw Pittman LLP — Brian Finch,

Littler Mendelson P.C. — Philip L. Gordon, Esq., Co-Chair,
Privacy and Background Checks Practice Group

IV: Comprehensive approach to

Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Sedar LaBarre, Vice President; Matt Doan,
Senior Associate; and Denis Cosgrove, Senior Associate

Booz Allen Hamilton — Bill Stewart, Executive Vice President;
Jason Escaravage, Vice President; and Christian Paredes,

V. Design best practices

Intercontinental Exchange & New York Stock
Exchange — Jerry Perullo, CISO

Palo Alto Networks Inc.

VI. Cybersecurity beyond your network

Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Tony Gaidhane, Senior Associate;
and Laura Eise, Lead Associate

Covington & Burling LLP — David N. Fagan, Partner;
Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H.
Canter, Associate; and Patrick Redmon, Summer Associate

Delta Risk LLC — Thomas Fuhrman, President

The Chertoff Group — Mark Weatherford, Principal

VII. Incident response

U.S. Department of Justice — CCIPS Cybersecurity Unit

Booz Allen Hamilton — Jason Escaravage, Vice President;
Anthony Harris, Senior Associate; James Perry, Senior Associate;
and Katie Stefanich, Lead Associate

Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist

Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist
and Ryan Vela, Regional Director, Northeastern North America
Cybersecurity Services


Rackspace Inc. — Brian Kelly, Chief Security Officer

BakerHostetler — Theodore J. Kobus, Partner and Co-Leader,
Privacy and Data Protection; Craig A. Hoffman, Partner;
and F. Paul Pittman, Associate

Sard Verbinnen & Co — Scott Lindlaw, Principal

VIII. Cyber risk management
investment decisions

Axio Global, LLC — Scott Kannry, CEO and David White,
Chief Knowledge Officer

Lockton Companies Inc. — Ben Beeson, Senior Vice President,
Cybersecurity Practice

IX. Cyber risk and workforce development

NYSE Governance Services — Adam Sodowick, President

Wells Fargo & Company — Rich Baich, CISO

Booz Allen Hamilton — Lori Zukin, Principal; Jamie Lopez,
Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew
Smallwood, Lead Associate

Korn Ferry — Jamey Cummings, Senior Client Partner;
Joe Griesedieck, Vice Chairman and Co-Leader, Board and
CEO Services; and Aileen Alexander, Senior Client Partner

Egon Zehnder — Kal Bittianda, Selena Loh LaCroix,
and Chris Patrick


Electronic version of this guide and additional content available at:

Introductions — The
cyberthreat in the digital age

Palo Alto Networks Inc. – Mark McLaughlin, CEO

Prevention: Can it be done?

Frequent headlines announcing the latest cyber breach of
a major company, government agency, or organization are
the norm today, begging the questions of why and will it
ever end?

The reason cybersecurity is ingrained in news cycles,
and receives extraordinary investments and focus from
businesses and governments around the world, is the
growing realization that these breaches are putting our
very digital lifestyle at risk. This is not hyperbole. More
and more, we live in the digital age, in which things that
used to be real and tangible are now machine-generated or
only exist as bits and bytes. Consider your bank account
and total absence of tangible money or legal tender that
underlies it; you trust that the assets exist because you can
“see” them when you log in to your account on the financial
institution’s website. Or the expectation you have that
light, water, electricity, and other utility services will work
on command, despite your having little to no idea of how
the command actually results in the outcome. Or the com-
fort in assuming that of the 100,000 planes traversing the
globe on an average day, all will fly past each other at safe
distances and take off and land at proper intervals. Now,
imagine that this trust, reliance, and comfort could not be
taken for granted any longer and the total chaos that
would ensue. This is the digital age; and with all the efficiencies
and productivity that have come with it, more and
more we trust that it will just “work.”

This reliance on digital systems is why the tempo of
concern due to cyberattacks is rising so rapidly. Business
leaders, government leaders, education leaders, and military
leaders know that there is a very fine line separating
the smoothly functioning digital society built on trust and
the chaotic breakdown in society resulting from the ero-
sion of that trust. And it is eroding quickly. Why is that,
and do we have any analogies? And, more importantly,
can it be fixed?

attack, responses are highly manual in
nature. Unfortunately, humans facing off
against machines have little to no leverage,
and cyber expertise is increasingly hard to
come by in the battle for talent. Flipping the
cost curve on its head with automation and
a next-generation, natively integrated secu-
rity platform is required if there is any hope
of reducing the “breach du jour” headlines.
(See Figure 2.)

It is unlikely that the number of attacks
will abate over time. On the contrary, there is
every reason to expect that their number will
continue to grow. In fact, we can also expect
that the “attack surface” and potential tar-
gets will also continue to grow as we con-
stantly increase the connections of various
things to the Internet.

An understandable but untenable
response to this daunting threat environ-
ment is to assume that prevention is impos-
sible, so we must simply detect and respond
to all intrusions. The fundamental problem
with this approach is that without significant
prevention no combination of people, process,
and technology can prioritize and
respond to every intrusion that could significantly
impact a network and those who rely
on it. The math problem is simply insur-
mountable. Quite simply, detection and
response should be supplements to, instead
of substitutes for, prevention.

■ Machine vs. human
At the heart of the cybersecurity battle is a
math problem. It is relatively simple to
understand, but hard to correct. One of the
negative offshoots of the ever-decreasing
cost of computing power is the ability for
cyber criminals and adversaries to launch
increasingly numerous and sophisticated
attacks at lower and lower costs. Today,
bad actors without the capability to develop
their own tools can use existing malware
and exploits that are often free or inex-
pensive to obtain online. Similarly,
advanced hackers, criminal organizations,
and nation-states are able to use these
widely available tools to launch successful
intrusions and obscure their identity. These
sophisticated adversaries are also develop-
ing and selectively using unique tools that
could cause even greater harm. This all
adds up to tremendous leverage for the
attackers. (See Figure 1.)

In the face of this increasing onslaught in
the sheer number of attacks and levels of
sophistication, the defender is generally
relying on decades-old core security tech-
nology, often cobbled together in multiple
layers of point products; there is no true
visibility of the situation, nor are the point
products designed to communicate with
each other. As a result, to the extent attacks
are detected or lessons are learned from an

[Figure: The attack math. Axes: number of successful attacks; cost of
launching a successful attack.]

FIGURE: As computing power becomes less expensive, the cost for launching
automated attacks decreases. This allows the number of attacks to
increase at a given cost.

U.S. Suddenly, the very way of life in the
Western world was deemed, appropriately
so, at risk. The comfort and confidence of
living in a well-protected and prosperous
environment was shattered as citizens lost
trust in their ability to follow their daily rou-
tines and way of life. It appeared as though
there was an insurmountable technological
lead, and everywhere people turned there
was anxiety and cascading bad news.

In the years immediately following
Sputnik, the main focus was on how to sur-
vive a post–nuclear-war world. Items like
backyard bomb shelters and nonperishable
food items were in great demand, and
schools were teaching duck-and-cover drills.
In other words, people were assuming
attacks could not be prevented and were
preparing for remediation of their society

However, this fatalistic view was tempo-
rary. America relied on diplomacy and tradi-
tional forms of deterrence while devoting
technological innovation and ingenuity to
breakthroughs such as NASA’s Mercury
program. While it took a decade of resourc-
es, collaboration, trial, and effort, eventually
the Mercury program and succeeding efforts
changed the leverage in the equation. The
space-based attack risk was not eliminated,
but it was compartmentalized to the point of
fading into the background as a possible but

So, the strategy must be to significantly
decrease the likelihood, and increase the
cost, required for an attacker to perform a
successful attack. To be more specific, we
should not assume that attacks are going
away or that all attacks can be stopped.
However, we should assume, and be very
diligent in ensuring, that the cost of a suc-
cessful attack can be dramatically increased
to the point where the incidence of a success-
ful attack will sharply decline.

When this point is reached, and it will not
come overnight, then we will be able to
quantify and compartmentalize the risk to
something acceptable and understood. It’s at
that point that cyber risks will be real and
persistent but that they will leave the head-
lines and fade into the background of every-
day life, commerce, communications, and
interaction. This should be our goal. Not to
eliminate all risk, but to reduce it to some-
thing that can be compartmentalized. There
is a historical analogy to this problem and an
approach to solve it.

■ Sputnik analogy
The analogy, which is imperfect but helpful,
is the space race. In 1957 the Soviet Union
launched Sputnik. The result was panic at
the prospect that this technology provided
the Soviets with an overwhelming advan-
tage to deliver a nuclear attack across the

[Figure: The attack math. Axes: cost of launching a successful attack;
number of successful attacks.]

FIGURE: Harnessing automation and integrated intelligence can continually
raise the cost of making an attack successful, eventually decreasing
the number of successful attacks.

not probable event. It was at this stage that
the panic and confusion receded from the
headlines and daily reporting. We will know
we are in good shape in the cyber battle
when we have reached this point. So, how
do we get there?

As with all things in life, ideas and phi-
losophy matter. This is true because if you
do not know what you are trying to get
done, it’s unlikely that you will get it done.
In the space race analogy, the philosophy
shifted over time from one that primarily
assumed an attack was imminent and
unstoppable with the majority of planning
and resources geared toward life in the post-
attack world, to one of prevention where the
majority of resources and planning were
geared to reduce the probability and effec-
tiveness of an attack.

Importantly, the risk of an attack was not
eliminated, but the probability of occurrence
and success was reduced by vastly increas-
ing the cost of a successful attack. It was
previously noted that no analogy is perfect,
so the analogy of “cost” here for space-based
attacks and cyberattacks is, of course, meas-
ured in different ways. Most notably,
cyberthreats are not the sole purview of
superpower nations, and the technological
innovation most likely to reverse the cost of
successful attacks is most likely to come
from industry, not governments. However,
the principle is the same in that a prevention
philosophy is much more likely to result in
prevention capabilities being developed, utilized,
and continually refined over time.

■ Is prevention possible?
The obvious question then is whether pre-
vention is possible. I think that most security
professionals and practitioners would agree
that total prevention is not possible. This is
disheartening but also no different from any
other major risk factor that we have ever
dealt with over time. So, the real question is
whether prevention is possible to the point
where the incidence of successful attacks is
reduced to something manageable from a
risk perspective. I believe that this is possible
over time. In order to achieve this outcome,

it is an imperative that cost leverage is
gained in the cyber battle. This leverage can
be attained by managing the cyber risk to an
organization through the continual improve-
ment and coordination of several key ele-
ments: technology, process and people, and
intelligence sharing.

It is very apparent that traditional or legacy
security technology is failing at an alarming
rate. There are three primary reasons for this:

• The first is that networks have been
built up over a long period of time and
often are very complicated in nature,
consisting of security technology that
has been developed and deployed in a
point product, siloed approach. In other
words, a security “solution” in traditional
network architecture of any size consists
of multiple point products from many
different vendors all designed to do one
specific task, having no ability to inform
or collaborate with other products. This
means that the security posture of the
network is only as “smart” overall as the
least smart device or offering. Also, to the
extent that any of the thousands of daily
threats is successfully detected, protection
is highly manual in nature because there is
no capability to automatically coordinate
or communicate with other capabilities in
the network, let alone with other networks
not in your organization. That’s a real
problem because defenders are relying
more and more on the least leverageable
resource they have—people—to fight
machine-generated attacks.

• Second, these multiple point solutions are
often based on decades-old technology,
like stateful inspection, which was useful
in the late 1990s but is totally incapable of
providing security capabilities for today’s
attack landscape.

• And third, the concept of a “network”
has morphed and continues to do so at a
rapid pace into something amorphous
in nature: the advent of software as a
service (SaaS) providers, cloud computing,

successful leaders understand the need to
assess organizational risk and to allocate
resources and effort based on prioritized
competing needs. Given the current threat
environment and the math behind success-
ful attacks, leaders need to understand both
the value and vulnerabilities residing on
their networks and prioritize prevention
and response efforts accordingly.

Under executive leadership, it is also
very important that there is continued
improvement in processes used to manage
the security of organizations. People must
be continually trained on how to identify
cyberattacks and on the appropriate steps to
take in the event of an attack. Many of the
attacks that are being reported today start or
end with poor processes or human error. For
example, with so much personal informa-
tion being readily shared on social network-
ing, it is simple for hackers to assemble very
accurate profiles of individuals and their
positions in companies and launch socially
engineered attacks or campaigns. These
attacks can be hard to spot in the absence of
proper training for individuals, and difficult
to control in the absence of good processes
and procedures regardless of how good the
technology is that is deployed to protect an

A common attack on organizations to
defraud large amounts of money via wire
transfers counts on busy people being poor-
ly trained and implementing spotty pro-
cesses. In such an attack, the attacker uses
publicly available personal information
gleaned off social networking sites to iden-
tify an individual who has the authority to
issue a wire transfer in a company. Then the
attacker uses a phishing attack, a carefully
constructed improper email address that
looks accurate on a cursory glance, seem-
ingly from this person’s manager at the
company telling the person to send a wire
transfer right away to the following coordi-
nates. If the employee is not trained to look
for proper email address configuration, or
the company does not have a good process
in place to validate wire transfer requests,
like requiring two approvals, then this attack

mobility, the Internet of Things, and other
macrotechnology trends that have the
impact of security professionals having
less and less control over data.

In the face of these challenges, it is critical
that a few things are true in the security
architecture of the future:

• First is that advanced security systems
designed on definitive knowledge of
what and who is using the network be
deployed. In other words, no guessing.

• Second is that these capabilities be as
natively integrated as possible into
a platform such that any action by
any capability results in an automatic
reprogramming of the other capabilities.

• Third is that this platform must also
be part of a larger, global ecosystem
that enables a constant and near-real-time
sharing of attack information that can be
used to immediately apply protections
preventing other organizations in the
ecosystem from falling victim to the same
or similar attacks.

• Last is that the security posture is
consistent regardless of where data
resides or the deployment model of the
“network.” For example, the advanced
integrated security and automated
outcomes must be the same whether the
network is on premise, in the cloud, or has
data stored off the network in third-party
applications. Any inconsistency in the
security is a vulnerability point as a general
matter. And, as a matter of productivity,
security should not be holding back high-
productivity deployment scenarios based
on the cloud, virtualization, SDN, NFV,
and other models of the future.

Process and people
Technology alone is not going to solve the
problem. It is incumbent upon an executive
team to ensure their technical experts are
managing cybersecurity risk to the organi-
zation. Most of today’s top executives did
not attain their position due to technological
and cybersecurity proficiency. However, all

often succeeds. It is important that technol-
ogy, process, and people are coordinated,
and that training is done on a regular basis.

Intelligence sharing
Given the increasing number and sophistication
of cyberattacks, it is difficult to imagine
that any one company or organization will
have enough threat intelligence at any one
time to be able to defeat the vast majority of
attacks. However, it is not hard to imagine
that if multiple organizations were sharing
what they are seeing from an attack perspec-
tive with each other in close to real time, that
the combined intelligence would limit suc-
cessful attacks to a small number of the
attempted attacks. This is the outcome we
should strive for, as getting to this point
would mean that the attackers would need
to design and develop unique attacks every
single time they want to attack an organiza-
tion, as opposed to today where they can use
variants of an attack again and again against
multiple targets. Having to design unique
attacks every time would significantly drive
up the cost of a successful attack and force
attackers to aggregate resources in terms of
people and money, which would make them
more prone to be visible to defenders, law
enforcement, and governments.

The network effect of defense is why
there is such a focus and attention on threat
intelligence information sharing. It is early
days on this front, but all progress is good
progress, and, importantly, organizations are
now using automated systems to share
threat intelligence. At the same time, analyti-
cal capabilities are being rapidly developed
to make use and sense of all the intelligence
in ways that will result in advanced plat-
forms being able to reprogram prevention
capabilities in rapid fashion such that con-
nected networks will be constantly updating
threat capabilities in an ever-increasing eco-
system. This provides immense leverage in
the cybersecurity battle.

■ Conclusion
There is understandable concern and atten-
tion on the ever-increasing incidence of
cyberattacks. However, if we take a longer
view of the threat and adopt a prevention-first
mindset, the combination of next-
generation technology, improvements in
processes and training, and real-time shar-
ing of threat information with platforms
that can automatically reconfigure the security
posture, can vastly reduce the number
of successful attacks and restore the digital
trust we all require for our global economy.

The Chertoff Group — Michael Chertoff, Executive
Chairman and Former United States Secretary
of Homeland Security, and Jim Pflaging, Principal

The three Ts of the cyber economy

Thanks to rapid advances in technology and thinking, over
the last decade we have seen entire industries and countries
reinvented in large part because of the power of the Internet
and related innovations. Naturally, these developments cre-
ated new opportunities and risks, and none is greater than
cybersecurity. Today, business leaders, academics, small
business owners, and school kids know about hackers,
phishing, identity theft, and even “bad actors.”

In late 2014, the Sony Pictures Entertainment breach
led to debates over data security, free speech, and corpo-
rate management as well as the details of celebrity feuds
and paychecks. The idea of cybersecurity is rising to the
fore of our collective consciousness. Notable cybersecuri-
ty breaches, including those at Target, Anthem BlueCross,
and the U.S. Office of Personnel Management, have dem-
onstrated that no organization or individual is immune to
cyberthreat. In short, the cybersecurity environment has
changed dramatically over the past several years, and
many of us have struggled to keep up. Many firms now
find themselves in an environment where one of their
greatest business risks is cyber risk, a risk that has rapidly
risen from an afterthought to primary focus.

How do we create more opportunity and a safer world
while protecting privacy in an interconnected world? This
question is not just for policy makers in government and
leaders of global Fortune 500 businesses. It affects the
neighborhood small business, the academic community,
investors and, of course, our children.

Answering that question requires an understanding of
the three Ts—technology, threat, and trust. Why? Because
these are big interrelated ideas that have a significant
effect on business strategy, policy, and public opinion. For
starters, you need to know about the three Ts, think about

technology and are thriving. Still, the advantage
lies with the firms who not only
embraced the Internet but also built their
entire business around it: Amazon, Google,
and Uber. Finally, there is Apple, which
came of age with the Internet and morphed
into a wildly successful global leader with
the introduction of the iPhone.

There have been applications for these
technologies, with significant impact, in a
variety of industries. In transportation, Uber
is a great example of transforming a perva-
sive but sedentary sector into a newly reimag-
ined market. Uber used emerging technolo-
gies to disrupt seemingly distinct segments
such as auto rental and even automotive
manufacturing. In the electrical sector, smart
meters, transformers, and switches have
given utilities greater control over their distri-
bution networks while their customers have
gained greater control of their consumption.

However, the golden age of innovation
has a dark side. A new class of “bad guys”
has emerged and is taking advantage of
“holes” in these new technologies and our
online behavior to create new risks. This
leads us to the second T—Threat.

■ Threat
It is almost cliché to talk about the pervasive-
ness and escalating impact of cybersecurity
attacks. However, it is useful to provide a
map that can help us better understand
where we may be heading to help us prepare
and to develop more lasting defenses.

Using a simple x-y graph, we can create an
instructive map, in which x represents the
severity of the impact and y the “actor” or
perpetrator. Impact can be divided into the
following stages: embarrassment, theft,
destruction to a target firm or asset, and wide-
spread destruction. The actors also can be
grouped into four escalating stages: individu-
als, hacktivists, cyber organized crime, and
nation-states. See Figure 1. Given the impor-
tance of understanding threat, business lead-
ers should understand how the map applies
to their business. To aid in this understand-
ing, it is useful to cover a few examples that
illustrate various stages of these threats.

them, and decide how you are going to
embrace the first, deal with the second, and
shape the last.

■ Technology
Today we live in a golden age of innovation
driven by technologies that dominate
headlines—cloud computing, mobility, big
data, social media, open source software, vir-
tualization, and, most recently, the Internet of
Things. These tectonic shifts allow individu-
als, government, and companies to innovate
and reinvent how they interact with each
other. These forces mandate that we redefine
what, how, and where we manage any busi-
ness. We need to challenge core assumptions
about markets, company culture, and the art
of the possible. The winners will be those
who leverage these innovations to reduce
costs and deliver better, lower-priced prod-
ucts. Take Table 1 below, for example:

It is easy to see the relationship between
innovation and valuation. Some companies,
such as Kodak, did not react fast enough
and lost their market as a result. Others,
such as AT&T, have invested heavily in new


A good reputation

TABLE 1. Market capitalization (or private estimates, USD in millions)

Company        3/31/2005    3/31/2015
Amazon           $13,362     $207,275
Apple            $30,580     $752,160
Google           $64,180     $378,892
Uber                 N/A      $41,000
AT&T             $78,027     $175,108
Citigroup       $244,346     $165,488
                $388,007     $274,771
Kodak             $6,067         $794

Sources: Capital IQ, Fortune

work of criminals operating in Eastern
Europe, netted 40 million credit and debit
card numbers and 70 million customer
records and was largely responsible for the
company’s 46 percent drop in profit in Q4 of
2013 when compared to 2012.2 The attack
also resulted in a serious decline in the com-
pany’s stock price and led the company’s
board to fire their CEO. The attack is estimated
to have netted its perpetrators
approximately $54 million in profit from the
sale of stolen card details on black market
sites—quite the motivation for a criminal

Another high-profile attack, directed
against Sony Pictures Entertainment, is
alleged to have been the work of hackers sup-
ported by the government of North Korea.
The attackers managed to secure not only a
copy of The Interview, which had offended
and motivated the North Korean state, but
also a vast trove of data from the corporate
network, including the personal and salary

In 2011, a high-profile attack was undertaken
by Anonymous, the prominent
“hacktivist” collective, in which it attacked
the security services firm HBGary Federal.
The attack was precipitated by HBGary’s
CEO, Aaron Barr, claiming in a Financial
Times article that his firm had uncovered
the identities of Anonymous leaders and
planned on releasing these findings at a
security conference in San Francisco the following
week.1 Anonymous responded by
hacking into HBGary’s networks, eventually
posting archives of company executives’
emails on file-sharing websites, releasing a
list of the company’s customers, and taking
over the firm’s website. Although the attack
did affect HBGary financially, Anonymous’
primary motivation was to embarrass
Aaron Barr and HBGary.

More recent attacks have been perpetrat-
ed by better-organized criminal gangs and
have had a greater impact. For instance, the
Target breach, believed to have been the






[Figure 1: threat map plotting severity of impact against actor.
Surviving labels: Embarrass; Steal; JPMorganChase; Saudi Aramco.]




■ Trust
One of the greatest casualties in the ever-
increasing torrent of cyberthreats is trust—
specifically, the trust consumers have in
business, the trust citizens and business
have in government, and the trust govern-
ment has in business. This should be trou-
bling for all corporate executives and gov-
ernment leaders because trust is precious to
all relationships and is critical to effective
workings of commerce and government. As
we know, it takes years to build, but it is easy
to lose. For instance, a single data breach can
undo years of effort and cause immediate
and lasting reputation loss.

Measuring trust
Recent consumer surveys suggest that con-
sumers are tired of dealing with fraudulent
charges and are raising their expectations for
how their favorite brands and websites pro-
tect consumer data and personally identifiable
information. In May 2015, Pew Research
released a study in which 74 percent of
Americans said it was “very important” to
be “in control of who can get info about
you.” Edelman, one of the world’s largest
public relations firms, does an annual study
called The Trust Barometer. The 2015 edition
of this survey showed a huge jump in the
importance consumers place in privacy of
their personal data. The study revealed that
80 percent of consumers, across dozens of
countries and industries, listed this as a top
issue in evaluating brands they trust. Finally,
HyTrust, an emerging technology company,
published a study on the impact of a cyber
breach on customer loyalty and trust. Of the
2,000 consumers surveyed, 52 percent said a
breach would cause them to take their busi-
ness elsewhere.3 What business can afford to
lose 50 percent of its customers?

What these numbers make clear is that con-
sumers are paying attention to cybersecurity
issues and that failure to address these con-
cerns comes at a company’s own risk. Recent
attacks have served as learning moments for
many companies and consumers, allowing
them to gain a firmer understanding of just

details of tens of thousands of employees,
internal email traffic, and other highly sensitive
information. The attack led the company
to delay the release of its big-budget film, and
it generated weeks of headlines. The attack
also forced the company to take a variety of
computer systems offline. Although the long-
term impact of the attack is unclear, it has had
a dramatic impact on the studio’s reputation,
stock price, and earnings.

What is next? In the future, we can expect
a continued rise in the severity of cyberthreats.
Well-financed criminal gangs and well-
resourced nation-states appear to be increas-
ingly capable and willing to engage in attacks
that cause significant damage.

Boards and risk
After the initial shock of “how is this possi-
ble,” every business leader has to consider
what it means for his or her business. Just a
few years ago, many viewed cybersecurity
threats as a technical problem best left to the
company CIO or CISO. Increasingly, CEOs
and boards are coming to the realization that
cybersecurity threats are a business risk that
demands C-level and board scrutiny.

Corporate boards have begun to look at
cybersecurity risk in much the same way
they would look at other risks to their business,
applying risk management frameworks
while evaluating the likelihood and
impact of cyber risk. Boards also have begun
to look at ways to transfer their risk, leading
insurance companies to offer cybersecurity
insurance products. In their evaluation of
cyber risk, companies are also taking a hard
look at the second order effects of a cyberattack,
notably the ability for a successful
attack to undermine customers’ trust in the
company. A successful attack often leads to
the revelation of sensitive, personally identifiable
information on customers, eroding
consumer confidence in the firm. Many of
the commonly understood risk management
frameworks and related insurance products
now being used recognize this and make it
clear that corporate boards must have a thorough
understanding of the third T, Trust.



develop cyber risk mitigation products. Many
of the insurance industry’s largest players,
including Allstate, Travelers, Marsh, and
Tennant, have moved to offer companies
cyber insurance products, although the immaturity
of the market has created complications
for insurers and potential customers. Insurers
have had a hard time calculating their risk and
thus appropriate premiums for potential customers,
while customers have sometimes
found their insurance quotes too expensive.
Fortunately, time and the accompanying settling
of industry standards and actuarial data
will help to mature and grow this market.

Role of government
Effective risk management—for governments
or private enterprises—starts with an
honest understanding of the situation and
recognition that information sharing with
partners is essential. Information sharing, of
course, starts with agreeing on common values,
and then trusting vetted, capable, and
reliable partners. Information sharing can be,
and must be, something that takes place at
and across all levels. The Constitution charges
the federal government with the responsibility
of providing for the defense of the
nation while protecting the privacy and civil
liberties of our citizens, a difficult balance
that requires trust in the government and
processes by which we reach that balance.

As we discuss the role of government in
information sharing and building trust, we
have to acknowledge the impact the
Snowden revelations have had on public
trust in government. Fundamentally, we
have to determine what we want the role of
government to be and engage in legal
reforms that reflect that role. Laws such as
the Computer Fraud and Abuse Act, enacted
in 1986 and amended five times since then,
and the Electronic Controls Privacy Act
(ECPA), which dates to 1986, have to be
updated to reflect the significant changes in
technology and practice that have occurred
since they were envisioned.

Beyond these efforts, we need to establish
or reinforce agreed-upon rules and programs

how damaging such an attack can be. However,
with this knowledge comes increased expectations
for how companies safeguard their data
and that of their consumers.

Role of industry
Fortunately, industry is moving in this direction,
and many companies have begun to
consider cyber risk in their corporate planning.
In 2014, the National Association of
Corporate Directors issued a call to action,
which included five steps that its members
should take to ensure their enterprises properly
address cyber risk. These include the

• Treating cyber risk as an enterprise risk
• Understanding the legal implications of
cyber risks
• Discussion of cyber risk at board
meetings, giving cyber risk equal footing
with other risks
• Requiring management to have a
measurable cybersecurity plan
• The development of a plan at the board
level on how to address cyber risks,
including which risks should be avoided,
accepted, mitigated, or transferred via

Although this guidance is an excellent start,
we at The Chertoff Group believe that industry
has to go further and move toward a
common cyber risk management framework
that allows everyone to understand the
cyber risks to a business and how the company
intends to address them. This model
would be a corollary to the General Accepted
Accounting Principles (GAAP), the standard
accounting guidelines and framework that
underlies the financials and planning of
almost any business. The emergence of
GAAP in the 1950s made it significantly
easier for investors, regulators, and other
stakeholders to gain a clear understanding
of a business and its financials, allowing for
comparisons across industries and sectors.

In parallel, banks, insurers, and other providers
of risk mitigation are scrambling to



for government data collection on citizens
and the legal frameworks that manage the
transfer of that data between governments
for judicial and law enforcement purposes.
Importantly, this initiative must provide for
mutual accountability for all participants.
These initiatives have to lay out clearly the
roles of all participants and, in our opinion,
reinforce and strengthen the role for NSA in
helping this nation deal with the adversaries
that are using information technology to
harm us.

On the international front, in response to
mounting concerns over data privacy, data
security and the rise of online surveillance,
governments around the world have been
seeking to pass new data protection rules.
Several governments, including Germany,
Indonesia, and Brazil, have considered
enacting “data localization” laws that would
require the storage, analysis, and processing
of citizen and corporate data to occur only
within their borders.

However, many of these proposals are
likely to impose economic harm and sow
seeds of distrust. For example, several of the
proposals under consideration would force
companies to build servers in locations
where the high price of local energy and the
lack of trained engineers could translate into
higher costs and reduced efficiencies.
Furthermore, requiring that data reside in a
server based in Germany instead of one in
Ireland will do little to prevent spies from
accessing that data if they are determined
and capable.

So, what should we do? It is critical that
policymakers and technology providers
work together to develop solutions that keep
online services available to all who rely on
them. We must develop principles that can
serve as a framework for coordinated multilateral
action between states and across the
public and private sectors. We must be prepared
to lead abroad and at home with effective
ideas.

Public private partnerships (PPPs) are
important pieces of the solution and are
good models of trust that we should leverage
going forward. First, the formation of
Information Sharing and Analysis Centers
(ISACs) was a Clinton Administration initiative
to build PPPs across critical infrastructure
sectors. These sector-by-sector ISACs
have proven to be models of trust. The
Financial Services ISAC has truly epitomized
these ideas and is considered by
many to be the leading ISAC in sharing
threat information. This model has been replicated
in other industries and led President
Obama to call for an expansion of the information
sharing model to smaller groups of
companies through Information Sharing and
Analysis Organizations (ISAOs). Another
example is a U.S. government-industry initiative
to combat botnets, in which the government
is working with the Industry Botnet
Group to identify botnets and minimize
their impacts on personal computers.

■ Technology, threat, and trust in the

What do the three Ts of the cyber economy
mean for you? Here are just a few of the
questions every leader has to consider:

• Are we using technology for competitive

• Are we secure? How do you know? Do we
have a framework, a GAAP-equivalent
for cyber risk, that gives me the tools to
understand and measure risk?

• Are we a good steward of the data we
collect about our customers?

Each of us needs answers to these questions.
Your response will have a big impact on the
future of your organization.

A few years ago, there was a common
story in security circles about two types of
companies: those who knew they had been
hacked and those who had been hacked but
did not know it. Going forward, we will talk
about companies in terms of who cares
about cybersecurity: in some companies, it
will be the entire executive suite; in others,
it will just be the CISO or CIO. Your company
doesn’t want to fall into the latter category.
Use the three Ts to help your organization
manage cyber risk and leverage the
fantastic opportunities in this golden age of

Works Cited
1. See Joseph Menn, “Cyberactivists warned
of arrest,” The Financial Times, February
5, 2011, Available at
cms/s/0/87dc140e–3099–11e0–9de3–

2. See Maggie McGrath, “Target Profit Falls
46% On Credit Card Breach And The Hits
Could Keep On Coming,” Forbes, February
26, 2014, Available at http://www.forbes.

3. See “Consumers Increasingly Hold
Companies Responsible for Loss of
Confidential Information, HyTrust Poll
Shows,” HyTrust, October 1, 2014, Available
news/press–releases/consumers–
loss-confidential-info, Additional survey
data available at http://www.hytrust.com/sites/default/files/HyTrust_


Georgia Institute of Technology, Institute for Information
Security & Privacy – Jody R. Westby, Esq., Adjunct Professor

Cyber governance best practices

■ The evolution of cybersecurity governance
Corporate governance has evolved as a means of protecting
investors through regulation, disclosure, and best
practices. The United Nations Guidance on Good Practices
in Corporate Governance Disclosure noted:

Where there is a local code on corporate governance,
enterprises should follow a “comply or explain” rule
whereby they disclose the extent to which they followed
the local code’s recommendations and explain
any deviations. Where there is no local code on corporate
governance, companies should follow recognized
international good practices.1

The Business Roundtable (BRT), one of America’s most
prominent business associations, has promoted the use of
best practices as a governance tool since it published its
first Principles of Corporate Governance in 2002. In its 2012
update, BRT noted:

Business Roundtable continues to believe, as we noted
in Principles of Corporate Governance (2005), that the
United States has the best corporate governance,
financial reporting and securities markets systems in
the world. These systems work because of the adoption
of best practices by public companies within a
framework of laws and regulations that establish
minimum requirements while affording companies
the ability to develop individualized practices that are
appropriate for them. Even in the challenging times
posed by the ongoing difficult economic environment,
corporations have continued to work proactively to
refine their governance practices, and develop new
practices, as conditions change and “best practices”
continue to evolve.2



17799 and then ISO/IEC 27001.8 ISO/IEC
27001 is the most accepted cybersecurity
standard globally.

Today, the ISO/IEC 27000 series of information
security standards is comprised of
nearly 30 standards. ISO, of which the
American National Standards Institute
(ANSI) is the member body representing U.S.
interests for the development of international
standards, has additional information security
standards outside of the 27000 series.9

ISO information security standards cover a
range of topics, such as security controls, risk
management, the protection of personally
identifiable information (PII) in clouds, and
control systems. Additional security standards
also have been developed for financial
services, business continuity, network security,
supplier relationships, digital evidence,
and incident response.10

The U.S. National Institute of Standards
and Technology (NIST) has developed a
comprehensive set of cybersecurity guidance
and Federal Information Processing
Standards (FIPS),11 including a Framework
for Improving Critical Infrastructure
Cybersecurity (Framework).12 The NIST
guidance and standards are world-class
materials that are publicly available at no
charge. NIST recognized existing standards
and best practices by mapping the
Framework to ISO/IEC 27001 and COBIT.

Other respected cybersecurity standards
have been developed for particular purposes,
such as the protection of credit card data
and electrical grids. The good news is that
cybersecurity best practices and standards
are harmonized and requirements can be
mapped. This is particularly important
because as companies buy and sell operating
units or subsidiaries or merge, they may
have IT systems and documentation based
upon several standards or best practices.
Thus, the harmonization of standards enables
companies to blend IT departments and
security programs and continue to measure

Some companies may need to align with
multiple standards. For example, electric
transmission and distribution companies

Increases in cybercrime and attacks on corporate
systems and data have propelled discussions
regarding governance of cyber risks
and what exactly boards and senior executives
should be doing to properly manage
this new risk environment and protect corporate
assets. The topic reached a crescendo in
May 2014 when the Institutional Shareholder
Service (ISS) called for seven of the ten Target
board members not to be re-elected on the
grounds that the failure of the board’s audit
and corporate responsibility committees “to
ensure appropriate management of these
risks set the stage for the data breach, which
has resulted in significant losses to the company
and its shareholders.”3

Over the past decade, the concept of cybersecurity
governance has evolved from information
technology (IT) governance and
cybersecurity best practices. The Information
Systems Audit and Control Association
(ISACA) has been a frontrunner in IT governance
best practices with the COBIT (Control
Objectives for Information and Related
Technology)4 framework. ISACA founded the
IT Governance Institute (ITGI) in 1998 to
advance the governance and management of
enterprise IT. The ITGI defines IT governance:

IT governance is the responsibility of the
board of directors and executive management.
It is an integral part of enterprise
governance and consists of the leadership
and organisational structures and processes
that ensure that the organisation’s
IT sustains and extends the organisation’s
strategies and objectives.5

Gartner has a similar definition.6

■ Cybersecurity program standards and best

As IT systems became vulnerable through
networking and Internet connectivity, securing
these systems became an essential element
of IT governance. The first cybersecurity
standard was developed by the British
Standards Institute in 1995 as BS 7799. Over
time, this comprehensive standard proved
its worth and ultimately evolved into ISO



important to understand the breadth and
reach of the standard and to choose one that
meets the organization’s security and compliance
needs.

ISO/IEC 27001, which can be obtained
from ANSI at, is a
comprehensive standard and a good choice
for any size of organization because it is
respected globally and is the one most
commonly mapped against other standards.
One should not make the mistake of
believing that all standards contain a full
set of requirements for an enterprise security
program; they do not. Some standards,
such as NERC-CIP or PCI, set forth security
requirements for a particular purpose but
are not adequate for a full corporate security
program.

will need to meet the North American
Electric Reliability Corporation Critical
Infrastructure Protection (NERC-CIP) standards,
as well as the Payment Card Industry
Data Security Standard (PCI DSS) if they
take credit cards, and some other broad
security program standard, such as ISO/IEC
27001 or NIST for their corporate operations.

Even with harmonization, it is important
that companies choose at least one standard to
align their cybersecurity program with so progress
and security maturity can be measured.
In determining which standard to use as a
corporate guidepost, organizations should
consider the comprehensiveness of the standard.
Although standards requirements may be
mapped, each standard does not contain the
same or equivalent requirements. Thus, it is

Leading cybersecurity standards and best practices include:
• The International Organization for Standardization (ISO), the information security series,
active_tab=standards&sort_by=rel (also available from ANSI at
• The American National Standards Institute (ANSI)—the U.S. member body to ISO.
Copies of all ISO standards can be purchased from ANSI at
• National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800)
series and Federal Information Processing Standards (FIPS),
• Information Technology Infrastructure Library (ITIL),
• International Society of Automation (ISA),
• Information Systems Audit and Control Association (ISACA), the Control Objectives
for Information and Related Technology (COBIT),
• Payment Card Industry Security Standards Council (PCI SSC), https://www.
• Information Security Forum (ISF) Standard of Good Practice for Information Security,
• Carnegie Mellon University’s Software Engineering Institute, Operationally Critical
Threat, Asset, and Vulnerability Evaluation (OCTAVE),
• Health Insurance Portability and Accountability Act (HIPAA) regulations for security
• North American Electric Reliability Corporation Critical Infrastructure Protection
• U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs
for Nuclear Facilities,



necessarily extends this duty to include the
protection of the organization’s digital assets
(data, networks, and software). As a consequence,
the governance of cyber risks has
become increasingly important for boards of
directors and senior management. This
includes exercising good risk management,
validating the effectiveness of controls, and
ensuring compliance requirements are met.

An increase in shareholder derivative
suits against D&Os for failure to protect
against breaches also has heightened attention
on cybersecurity at the board and senior
management level. Target was hit with shareholder
derivative suits for failure to protect
the company and its data from a breach,13 as
was Wyndham Hotels on similar grounds.14

In addition, cybersecurity has become an
important compliance issue that carries the
risk of headlines concerning enforcement
actions, investigations, and breaches of personally
identifiable information. Several state
and federal laws impose privacy and security
requirements on targeted industry sectors
and types of data. For example, the
Gramm-Leach-Bliley Act (GLBA), the Health
Insurance Portability and Accountability Act
(HIPAA), the Health Information Technology
for Economic and Clinical Health Act
(HITECH Act), and state breach laws impose
specific requirements pertaining to the security
and privacy of data and networks.

So, what does cyber governance mean?
What actions should board members be taking?
Who should be involved—the entire
board or just certain committees? Cyber governance
means more than D&Os periodically
asking interesting questions or receiving
reports regarding the company’s cybersecurity
program. There is now an international
standard, ISO/IEC 27014, on the governance
of information security, which sets out roles
and responsibilities for executive management
and boards of directors and is applicable
to all types and sizes of organizations.

The standard notes:

[G]overnance of information security
provides a powerful link between an
organization’s governing body, executive

Some information security standards,
such as NERC-CIP, U.S. Nuclear Regulatory
cybersecurity requirements, PCI standards
for credit card data, and HIPAA security
requirements are mandatory. Portions of
NIST guidance are mandatory for federal
government contractors and U.S. government
agencies and departments. The remainder
of the standards listed are voluntary.

In addition to the leading cybersecurity
standards listed in the shaded box, additional
standards have been developed for certain
industry sectors because they require heightened
security protections. For example, ISO/IEC
27015 was developed as additional security
requirements for financial organizations;
ISO/IEC 27799 was developed for information
security in health systems using ISO/IEC
27002 (the controls portion of ISO/IEC 27001);
27011 was developed for telecommunications
systems using ISO/IEC 27002; and ISO/IEC
27019 was developed for industrial control
system security for the energy utility industry.

The value of using a standard as a guidepost
for the development, maintenance, and
maturity of a security program is that it sets
forth best practices for cybersecurity and is
updated as required to meet changing
threats, technological innovation, and compliance
requirements. Standards also enable
boards and senior executives to understand
how comprehensive their organization’s
security program is and provide an objective
basis for audits and cybersecurity assessments.
Evaluating a cybersecurity program
against a leading standard enables an organization
to measure progress, assess the effectiveness
of controls, identify gaps and deficiencies,
and measure program maturity.

■ Cyber governance standards and best practices
Cyber governance standards and best practices
have evolved over the past 20 years as
companies have increased connectivity to the
Internet and networks and as cyberattacks
have continued to rise. Directors and officers
(D&Os) have a fiduciary duty to protect the
organization’s assets and the value of the corporation.
The increased dependence on IT
systems and data in corporate operations



and compliance obligations, reputational
risks, business interruption, and financial
losses; allocate the resources needed for the
risk-based approach.
3. “Set the direction of investment decisions”:
establish an information security
investment strategy that meets business
and security requirements; integrate
security considerations into existing
business and investment processes.

4. “Ensure conformance with internal and
external requirements”: ensure policies
and procedures incorporate legal,
regulatory, and contractual obligations;
routinely audit such compliance.

5. “Foster a security-positive environment”:
accommodate human behavior and
the needs of users; promote a positive
information security environment through
training and tone from the top.

6. “Review performance in relation to
business outcomes”: ensure the security
program supports business requirements,
review impact of security on business as
well as controls.18

ISO/IEC 27014 sets forth separate roles and
responsibilities for the board and executive
management within five processes: Evaluate,
Direct, Monitor, Communicate, and Assure.
These are set forth in abbreviated form in the
following table.19

management and those responsible for
implementing and operating an information
security management system. It provides
the mandate essential for driving
information security initiatives throughout
the organization.15

The objectives of the standard are to align
security program and business objectives
and strategies, deliver value to stakeholders
and the board, and ensure information risks
are adequately managed.16

The difference between IT governance
and information security governance is that
the latter is focused on the confidentiality,
integrity, and availability of information,
whereas governance of IT is focused on the
resources required to acquire, process, store,
and disseminate information.17 ISO/IEC
27014 sets forth six principles as foundation
for information security governance:

1. “Establish organization-wide information
security”: information security activities
should encompass the entire organization
and consider the business, information
security, physical and logical security, and
other relevant issues.

2. “Adopt a risk-based approach”:
governance decisions should be based on
the risk thresholds of a company, taking
into account competitiveness issues, legal
Board of directors | Executive management

Ensure business initiatives take information security into consideration | Ensure information security supports business objectives
Review reports on information security performance, initiate prioritized actions | Submit new security projects with significant impact for board review

Establish risk thresholds of organization | Ensure security and business objectives are
Approve security strategy and overarching | Develop security strategy and overarching
Allocate adequate resources for security | Establish a positive culture of cybersecurity




is IT-focused, however, and does not mention
the roles and responsibilities of chief
information security officers (CISOs). The
separation of the role of the chief information
security officer from the chief information
officer (CIO) (in other words, not having
the CISO report to the CIO), is a best practice
that the Board Briefing ignores. It assigns all
responsibilities to the CIO, IT Strategy
Committee, IT Steering Committee, IT
Architecture Review Board, and Technology
Council. Nevertheless, it is a valuable
resource for boards and executive teams
seeking to implement good cyber governance
practices.

Finally, Carnegie Mellon University’s
Software Engineering Institute developed the
Governing for Enterprise Security Implementation
Guide in 2007 as a guide for boards and executives
on governing enterprise security programs.21
It is still quite instructive and includes
a model organizational structure for cyber

■ Beyond ISO/IEC 27014: Other best practices
and guidance

At present, the only guidance NIST has
developed that addresses information security
governance is its 2006 Special Publication
800-100, Information Security Handbook: A
Guide for Managers. This publication, however,
is written for a federal audience and is
more technical than other materials directed
toward boards and senior executives.

ISACA’s IT Governance Institute updated
its Board Briefing on IT Governance in 2014,20
which sets forth an approach similar to ISO/IEC
27014, but is based on ISACA’s COBIT
best practices. The Board Briefing includes
questions board members should ask and
also checklists, tool kits, roles and responsibilities,
and other helpful materials. The
Board Briefing focuses on five activity areas:
Strategic Alignment, Value Delivery, Risk
Management, Resource Management, and
Performance Measurement. The publication

Board of directors | Executive management

Assess effectiveness of security program | Determine appropriate metrics for security
Ensure compliance and legal obligations are met | Provide input to board on security performance results, impacts on
Evaluate changes to operations, legal frameworks, and impact on information | Keep board apprised of new developments affecting information security

Report to investors/shareholders on whether information security is adequate for business | Inform board of security issues that require their attention
Provide results of external audits or reviews and identified actions to executive team | Ensure board’s actions and decisions regarding security are acted upon
Recognize compliance obligations, business needs, and expectations for information |

Order independent reviews/audits of security program | Support reviews/audits commissioned by



members to become inundated in technical
data and issues and lose sight of the major
risks that must be managed. In part, CIOs
and CISOs need to develop better executive
and board communication skills when
reporting on cybersecurity program activities
and incidents. Outside experts can also
help separate which cybersecurity governance
issues should be directed to the executive
management team and which are for
board consideration.

Once the critical vulnerabilities that
require board and executive attention have
been identified, the next step is to determine
the information flows that are needed
to keep the board and senior management
informed and enable informed decision-making.
These two steps—identification of
cyber-related vulnerabilities and associated
information flows—should be followed
by an analysis of the board’s and
senior management’s roles in incident
response and business continuity/disaster

The Target breach revealed how disastrous
it can be when a company’s executive
team and board are not prepared to manage
a major cybersecurity incident. The breach
was clever but not terribly difficult to recover
from; as ISS pointed out so clearly, it was
Target’s executive team and board who
failed to protect the company’s data and
ensure a robust incident response plan was
in place that involved their participation.

Cybersecurity governance is an area
where an independent adviser can provide
valuable guidance to a board and executive
team by reviewing available reports and
assessing the current state of the security
program, identifying key vulnerabilities
and associated information flows that
should be directed to the board, advising on
the threat environment, and establishing
the proper organizational structures for
effective cybersecurity governance. These
activities should be undertaken in a collaborative
fashion with IT and security leaders
and in the spirit of helping them gain visibility
and support for security program

governance; composition of a cross-organizational
privacy/security committee;
sample mission, goals, and objectives for a
board Risk Committee; and an explanation of
the critical activities in an enterprise security
program, including who should lead and be
involved in them, and the outputs (artifacts)
to be developed. It indicates where the board
has a role for governance oversight and sets
forth roles and responsibilities for the critical
players, as well as shared responsibilities, for
the following:

• chief security officer/chief information security officer
• chief privacy officer
• chief information officer
• chief financial officer
• general counsel
• business line executives
• human resources
• public relations
• business managers
• procurement
• operational personnel
• asset owners
• certification authority.

■ Additional considerations in cybersecurity

Board structure plays a significant role in
cybersecurity governance. A Risk Committee
is the best choice for governance of cybersecurity
because IT risks must be managed as
enterprise risks and integrated into enterprise
risk management and planning. Many companies
place all oversight for cybersecurity in the
board Audit Committee, which can substantially
increase the workload of that committee.
Placing cyber governance with the Audit
Committee also creates segregation of duties
issues at the board level because the Audit
Committee is auditing the security program,
determining remediation measures, and then
auditing this work the following year.

One of the most important aspects of
cybersecurity governance is the identification
of vulnerabilities that could have a
material impact on corporate operations
and/or bottom line. It is easy for board



12. Evaluate the adequacy of cyber
insurance against loss valuations and
ensure adequate risk strategies are in
place for cyber risks.

Many organizations also are struggling
with how to integrate cybersecurity into
their enterprise risk management process.
Most business operations today are
dependent upon IT systems and the confidentiality,
availability, and integrity of their
data. Following are another dozen guiding
points on integrating cyber risks into enterprise
risk management:

A dozen best practices for integrating cybersecurity into
enterprise risk management
1. Understand the business’s strategies,
objectives, and needs for IT and data.

2. Inventory assets (data, applications,
hardware), assign ownership,
classification, and risk categorization.

3. Map legal requirements to data for all

4. Evaluate the security of vendors, business
partners, and supply chain linkages.

5. Align the cybersecurity program with
best practices and standards.

6. Ensure controls are determined and
metrics identified.

7. Conduct a risk assessment to establish a
baseline for cyber risk management.

8. Develop cyber risk strategies (block the
risk, cyber insurance, other compensating
controls, all of these).

9. Design system architecture to
accommodate business goals and
objectives, meet security and legal
requirements, and detect or prevent
unauthorized usage.

10. Use technical tools and services to
provide integrated data on threats and

11. Make cyber training and security
compliance part of annual performance
reviews for all personnel.

12. Stay abreast of innovation and changes
in the threat environment as well as
changing operational requirements.

■ Dutiful dozen
There are some actions that boards can take
to ensure they are managing cyber risks
and meeting their fiduciary duty. Following
is a list of a dozen actions that are within
best practices, which can be used as a starting
point and checklist for governance

A dozen best practices for cyber governance
1. Establish a governance structure with
a board Risk Committee and a cross-organizational
internal team.

2. Identify the key cyber vulnerabilities
associated with the organization’s

3. Identify the security program activities
over which boards and executives
should exercise oversight, and identify
the key information flows and reports
that will inform board and executives on
the management of cyber vulnerabilities
and security program activities.

4. Identify legal compliance and financial
exposures from IT systems and data.

5. Set the tone from top that privacy and
security are high priorities for the
organization, and approve top-level
policies on acceptable use of technology
and compliance with privacy and
security policies and procedures.

6. Review the roles and the responsibilities
of lead privacy and security personnel,
and ensure there is segregation of duties
between IT and security functions.

7. Ensure that privacy and security
responsibilities are shared, enterprise
issues that apply to all personnel.

9. Review and approve annual budgets for
security programs.

10. Review annual risk assessments, the
maturity of the security program, and
support continual improvement.

11. Retain a trusted adviser to independently
inform the board on changes in the
threat environment, provide assistance
on governance issues, and advise on
response issues in the event of a major
cyber incident.



management of enterprise IT is available

5. Board Briefing on IT Governance, IT
Governance Institute, 2nd ed., 2014 at
final.pdf.

6. Gartner, IT Glossary, “IT Governance,”

7. The term “cybersecurity best practice”
may be used interchangeably with
“standard” in the cybersecurity context,
as the standards embody best practices.
The term “standard” is commonly used
to refer to mandatory requirements.
With respect to cybersecurity programs,
however, there is no bright line between
best practices and standards. Some
standards, such as NERC-CIP and
HIPAA, are mandatory for certain
organizations, while other standards,
such as ISO/IEC, are voluntary.
Other standards, such as the Federal
Information Processing Standards (FIPS)
and NIST guidance (the 800 Special
Publication series) are voluntary for
some entities and mandatory for others.

8. Wikipedia, “BS 7799,” https://en.

9. International Organization for
Standardization, Information Security,

10. Id.
11. National Institute of Standards and
Technology, Computer Security Division,
Computer Security Resource Center,
http://csrc.nist.gov/publications/

12. Framework for Improving Critical
Infrastructure Cybersecurity, National
Institute of Standards and Technology,
Version 1.0, Feb. 12, 2014, http://www.

■ Conclusion
Best practices and standards now require
boards and senior management to exercise
governance over cybersecurity programs and
associated risks. Laws such as Gramm-Leach-Bliley,
the Health Insurance Portability and
Accountability Act, and the Federal
Information Security Management Act all
require executive oversight of security programs.
Each organization’s operations, system
architecture, policies and procedures, and
culture vary, thus, cyber risk management has
to be tailored to the organization. Boards
should know what standards/best practices
their organization is using to implement their
security program and determine an approach
for their own governance activities. Checklists
and the use of ISO/IEC 27014, the ISACA
Board Briefing on IT Governance, and the
Carnegie Mellon University’s Governing for
Enterprise Security Implementation Guide are all
useful resources that will help ensure boards
are meeting their fiduciary duty and protecting
the assets of the organization.

1. Guidance on Good Practices in Corporate
Governance Disclosure, United Nations
Conference on Trade and Development
(UNCTAD), New York & Geneva, 2006,

2. Principles of Corporate Governance 2012,
Harvard Law School Forum on Corporate
Governance and Financial Regulation,
Aug. 17, 2012,

4. Elizabeth A. Harris, “Advisory Group
Opposes Re-election of Most of Target’s
Board,” The New York Times, May 28,
board.html?_r=0 (quoting ISS report).

4. COBIT is an acronym for Control
Objectives for Information and Related
Technology. Information on the COBIT
5 framework for the governance and



16. Id. at 4.2. “Objectives.”
17. Id. at 4.4. “Relationship.”
18. Id. at 5.2. “Principles.”
19. Id. at 5.3. “Processes.” The full
requirements of the standard should be
reviewed prior to use by an organization;
ISO 27014 is available at http://www.iso.

20. Board Briefing on IT Governance, IT
Governance Institute, 2nd ed., 2014,
http://www.isaca.org/restricted/
final.pdf.

21. Jody R. Westby & Julia H. Allen, Governing
for Enterprise Implementation Guide,
Carnegie Mellon University, Software
Engineering Institute, 2007,
http://globalcyberrisk.com/wp-content/uploads/2012/08/Governing-for-

13. See, e.g., Kevin LaCroix, “Target Directors
and Officers Hit with Derivative Suits
Based on Data Breach,” Feb. 3, 2014,

14. See, e.g., Jon Talotta, Michelle Kisloff, &
Christopher Pickens, “Data Breaches Hit
the Board Room: How to Address Claims
Against Directors & Officers,” Hogan &
Lovells, Chronicle of Data Protection, Jan.
23, 2015, http://www.hldataprotection.

15. ISO/IEC 27014 (2013), Governance
of Information Security, “Summary,”


Institutional Shareholder Services Inc. – Patrick McGurn,
ISS Special Counsel and Martha Carter,
ISS Global Head of Research

Investors’ perspectives on cyber
risks: Implications for boards

Although pundits proclaimed 2014 as the “Year of the
Data Breach” and a significant “no” vote at Target’s
annual meeting put directors on notice that shareholders
want to know about potential risks, few 2015 corporate
disclosure documents provide evidence that boards
increased transparency with respect to cyber oversight.
Despite prodding from top regulators and investors’
calls for greater transparency, companies continue to fall
short on disclosure in their key governance disclosure
documents of cybersecurity risks and their board’s oversight
of them. Equally concerning is the limited information
regarding cyber risk oversight provided by
boards at a handful of firms that were the targets of
2014’s most widely publicized breaches. Boards would
benefit from an understanding of investors’ perspectives
and adoption of best practices in disclosure on
cyber risks.

■ Target’s breach led to boardroom backlash
Target’s high-profile data breach made headlines worldwide.
Despite this, neither Target’s 2014 proxy statement
nor the company’s initial annual meeting-related
engagement materials discussed in a meaningful way
the massive data theft or the board’s responses to it. As
part of its research process leading up to the annual
meeting, Institutional Shareholder Services (ISS)
engaged with members of the Target board to learn
more about the directors’ oversight of cyber risks before
and after the breach. In the end, ISS opined in its 2014
annual meeting report on Target that the members of the
board’s Audit and Corporate Responsibility committees
had “failed to provide sufficient oversight of the risks
facing the company that potentially led to the data



lack of sharp, downward stock movements
in the wake of disclosures of hacks or other
data breaches (or quick rebounds from such
price drops when they occur) with shareholders’
apathy over cybersecurity problems.
In a recent Harvard Business Review
article (Why Data Breaches Don’t Hurt Stock
Prices, March 31, 2015), cybersecurity strategist
Elena Kvochko and New York Times
Chief Technology Officer Rajiv Pant dismiss
this easy explanation. They argue that muted
stock price reactions to data breaches reflect
the absence of timely information and quality
tools to price cyber risk: “Shareholders
still don’t have good metrics, tools, and
approaches to measure the impact of cyber
attacks on businesses and translate that into
a dollar value . . . The long and mid-term
effects of lost intellectual property, disclosure
of sensitive data, and loss of customer
confidence may result in loss of market
share, but these effects are difficult to quantify.”
Faced with this information vacuum,
Kvochko and Pant note that “shareholders
only react to breach news when it has direct
impact on business operations, such as
litigation charges (for example, in the case of
Target) or results in immediate changes to a
company’s expected profitability.”

Indeed, stock prices may not tell the
whole story. Contrary to the conventional
wisdom, recent survey data show investors
understand the long-term risks stemming
from hacks and they may actually shy
away from investing in companies with
multiple breaches. A recent survey—conducted
by FTI Consulting on behalf of
consulting giant KPMG LLP—of more than
130 global institutional investors with an
estimated $3 trillion under management
found that cyber events may affect investors’
confidence in the board and demand
for the affected companies’ shares.

Investors opined that less than half of
boards of the companies that they currently
invest in have adequate skills to manage
rising cyberthreats. They also believe that
43 percent of board members have “unacceptable
skills and knowledge to manage
innovation and risk in the digital world.”

breach.” Accordingly, ISS recommended
votes against the members of those two
board oversight panels. ISS acknowledged
the board’s actions in the wake of the
breach but found that the committees
“failed to appropriately implement a risk
assessment structure that could have better
prepared the company for a data breach.”

After investors’ concerns emerged before
the meeting, the company engaged in a solicitation
effort to defend the board’s response
to the breach. When the votes were tallied,
none of the members of Target’s audit and
governance panels received support from
more than 81 percent of the votes cast. Target
lead director James A. Johnson received the
lowest support—62.9 percent of the votes
cast. According to ISS’ Voting Analytics database
of institutional investors’ voting records,
governance professionals at funds connected
to nearly half of Target’s top 10 largest investors
cast votes against one or more of the
company’s directors.

In the direct wake of the 2014 data
breach issues and the dearth of proxy-related
disclosure on those matters, SEC
Commissioner Luis A. Aguilar fired a shot
across the bow of boards that lack disclosure.
In a June 10, 2014, speech (“Boards of
Directors, Corporate Governance and Cyber
Risks: Sharpening the Focus”) delivered at
a New York Stock Exchange (NYSE)–hosted
cybersecurity conference, Aguilar said,
“[B]oard oversight of cyber-risk management
is critical to ensuring that companies
are taking adequate steps to prevent, and
prepare for, the harms that can result from
such attacks. There is no substitution for
proper preparation, deliberation, and
engagement on cybersecurity issues.”
Noting the wide damage crater caused by
cyber events, Aguilar noted that the boardroom
plan should include “whether, and
how, the cyber-attack will need to be disclosed
internally and externally (both to
customers and to investors).”

■ Shareholders care about breaches
Are shareholders apathetic about data
breaches? Some media reports equate the



■ ISS policy respondents indicate a disclosure

What level of detail do investors expect to
see about these issues in disclosures regarding
cyberthreats? In 2014, as part of ISS’
2015 policy-formulation process, we asked
institutional investors to weigh the factors
they assess in reviewing boardroom oversight
of risk, including cyberthreats. A
majority of the shareholder respondents
indicated that the following are all either
“very” or “somewhat” important to their
voting decisions on individual directors

• role of the company’s relevant risk
oversight committee(s)

• the board’s risk oversight policies and

• directors’ oversight actions prior to and
subsequent to the incident(s)

• changes in senior management.

Notably, shareholders do not appear to be
looking for scapegoats. Disclosures about
boardroom oversight action subsequent to
an incident drew more demand than firings.
An eye-popping 85 percent of the
respondents cited such crisis management
and “lessons learned” disclosures as “very
important.” In contrast, only 46 percent of
the shareholders indicated that changes in
senior management are “very important” to
them when it came time to vote on director

■ 2015 disclosures provide few insights
Despite prodding by the SEC and numerous
indications from investors, many boards
continue to lack disclosure of cyberthreats
in their flagship documents—the proxy
statement and the 10-K. Only a handful of
the companies that drew widespread coverage
of their data breaches during 2014 mention
the events in their proxy statements,
and many cite materiality concerns to avoid
discussing the data breaches in detail in
their 10-Ks.

In sharp contrast to the absence of information
in Target’s 2014 proxy statement,

More ominously for boards, four of five
investor respondents (79 percent) suggested
that they may blacklist stocks of hacked
firms. As for a remedy, 86 percent of the
surveyed investors told KPMG and FTI
that they want to see increases in the time
boards spend on addressing cyber risk.

■ Investors raise the bar for disclosure
Insights on the gap between investors’
expectations and boardroom practices were
gleaned from PwC’s juxtaposition of two
surveys that it conducted in the summer of
2014, one of 863 directors in PwC’s 2014
Annual Corporate Directors Survey, and the
other of institutional investors with more
than $11 trillion in aggregate assets under
management in PwC’s 2014 Investor Survey.

• Nearly three quarters (74 percent) of
investors told PwC that they believe
it is important for directors to discuss
their company’s crisis response plan in
the event of a major security breach.
Only about half of directors (52 percent)
reported having such discussions.

• Roughly three out of four (74 percent)
investors urged boards to boost cyber
risk disclosures in response to the SEC’s
guidance, but only 38 percent of directors
reported discussing the topic.

• Similarly, 68 percent of investors believe it is
important for directors to discuss engaging
an outside cybersecurity expert, but only
42 percent of directors had done so.

• Fifty-five percent of investors said it
was important for boards to consider
designating a chief information security
officer, if their companies did not
have one in place. Only half as many
directors (26 percent) reported that such
a personnel move had been discussed in
the boardroom.

• Finally, 45 percent of investors believe
it is important for directors to discuss
the National Institute of Standards
and Technology (NIST)/Department
of Homeland Security cybersecurity
framework, but only 21 percent of directors
reported their boards had done so.



and management process to the full

Next, the Home Depot disclosure provides
some color on the board’s risk oversight
policies and procedures:

For a number of years, IT and data security
risks have been included in the risks
reviewed on a quarterly basis by the ERC
and the Audit Committee and in the
annual report to the Board on risk assessment
and management. In the last few
years, the Audit Committee and/or the
full Board have also regularly received
detailed reports on IT and data security
matters from senior members of our IT
and internal audit departments. These
reports were given at every quarterly
Audit Committee meeting in fiscal 2014,
including an additional half-day Audit
Committee session devoted exclusively to
these matters that was held prior to the
discovery of the Data Breach. The topics
covered by these reports included risk
management strategies, consumer data
security, the Company’s ongoing risk mitigation
activities, and cyber security strategy
and governance structure. . . .

To further support our IT and data
security efforts, in 2013 the Company
enhanced and expanded the Incident
Response Team (“IRT”) formed several
years earlier. The IRT is charged with
developing action plans for and responding
rapidly to data security situations. . . .
The IRT provided daily updates to the
Company’s senior leadership team, who
in turn periodically apprised the Lead
Director, the Audit Committee and the
full Board, as necessary.

The Home Depot board also highlights its
cyber-risk oversight actions prior to the

Under the Board’s and the Audit
Committee’s leadership and oversight,
the Company had taken significant steps

however, another big box retailer provided
investors with a window into the board’s
role in cyber risk oversight in its 2015
proxy materials. Home Depot addressed its
2014 data breach, which affected up to
56 million customers who shopped at the
company’s stores between April 2014 and
September 2014, with a concise (roughly
1000-word) explanation of the steps taken
by the board before and after the company’s

The proxy statement disclosures include a
brief summary of the depth and duration of
the breach, an explanation of the board’s
delegation of oversight responsibility to the
audit committee, and an outline of remedial
steps that the board took in response to the

Notably, Home Depot’s disclosures generally
align with all the pillars identified by
investors in their responses to the ISS policy

First, Home Depot’s board details the
delegation of risk oversight to the audit committee
and describes the directors’ relationship
with the company’s internal audit and
compliance team:

The Audit Committee . . . has primary
responsibility for overseeing risks related
to information technology and data privacy
and security. . . . The Audit
Committee stays apprised of significant
actual and potential risks faced by the
Company in part through review of quarterly
reports from our Enterprise Risk
Council (the “ERC”). The quarterly ERC
reports not only identify the risks faced
by the Company, but also identify whether
primary oversight of each risk resides
with a particular Board committee or the
full Board . . . The chair of the ERC, who
is also our Vice President of Internal
Audit and Corporate Compliance, reports
the ERC’s risk analyses to senior management
regularly and attends each Audit
Committee meeting. The chair of the ERC
also provides a detailed annual report
regarding the Company’s risk assessment



Privacy Governance Committee,
to provide further enterprise-wide
oversight and governance over data
security. This committee reports
quarterly to the Audit Committee.

• We are in the process of further
augmenting our IT security team,
including by adding an officer level
Chief Information Security Officer and
hiring additional associates focused on
IT and data security.

• We are reviewing and enhancing all
of our training relating to privacy and
data security, and we intend to provide
additional annual data security
training for all of our associates before
the end of Fiscal 2015.

• Our Board, the Audit Committee, and
a special committee of the Board have
received regular updates regarding the
Data Breach. In addition to the IT
and data security initiatives described
above, the Board, supported by
the work of its Audit and Finance
Committees, has reviewed and
authorized the expenditures associated
with a series of capital intensive
projects designed to further harden
our IT security environment against
evolving data security threats.

■ Boards would benefit from engagement
and disclosure

Although the good news is that cybersecurity
has seemingly come to the forefront for
many directors, the bad news is that shareholders
are not yet getting the transparency
they need to assess the quality of boardroom
oversight. The significant “no” vote against
the Target board at its 2014 annual meeting,
coupled with survey data, show that shareholders
are far from apathetic when it comes
to assessing cyber risk oversight.

■ Target’s lessons learned
In the wake of its challenging 2014 annual
meeting, Target hosted calls or held meetings
with shareholders representing approximately
41% of shares voted. The majority of

to address evolving privacy and cyber
security risks before we became aware of
the Data Breach:

• Prior to the Data Breach and in part
in reaction to breaches experienced
by other companies, we augmented
our existing security activities by
launching a multi-work stream effort
to review and further harden our
IT and data security processes and
systems. This effort included working
extensively with third-party experts
and security firms and has been
subsequently modified and enhanced
based on our learnings from the Data
Breach experience.

• In January 2014, as part of the efforts
described above, we began a major
payment security project to provide
enhanced encryption of payment card
data at the point of sale in all of our U.S.
stores. . . . Upon discovery of the Data
Breach, we accelerated completion
of the project to September 2014,
offering significant new protection for
customers. The new security protection
takes raw payment card information
and scrambles it to make it unreadable
to unauthorized users. . . .

• We are rolling out EMV “chip-and-PIN”
technology in our U.S. stores, which
adds extra layers of payment card
protection for customers who use EMV
chip-and-PIN enabled cards. . . .

Finally, the Home Depot board discusses the
boardroom oversight actions taken subsequent
to the incident including changes in
senior management:

Following discovery of the Data Breach,
in addition to continuing the efforts
described above, the Company and the
Board took a number of additional

• We formed an internal executive
committee, the Data Security and



these conversations were led by Director
Anne Mulcahy. In light of this feedback and
with the assistance of a third-party strategy
and risk management and regulatory compliance
consultant, the board “embarked on
a comprehensive review” of risk oversight
at the management, board, and committee
levels. As a result of this comprehensive
review, in January 2015, the Target board
“clarified and enhanced” its practices to provide
more transparency about how risk
oversight is exercised at the board and committee
levels. As part of this revamp, the
board reallocated and clarified risk oversight
responsibilities among the committees, most
notably by elevating the risk oversight role
of the corporate risk & responsibility committee
(formerly known as the corporate
responsibility committee).

Examples such as Home Depot and the
Target board’s 2015 disclosures provide
more transparency on risk oversight and are
a good framework for other boards to follow.
Boards would be wise to raise their games
by disclosing more details of their board
oversight efforts and engaging with investors
when cyber incidents occur, or they may
run the risk of a loss of investor confidence.


Elena Kvochko, Author, Towards the Quantification
of Cyber Threats report; and Danil Kerimi, Director,
Center for Global Industries, World Economic Forum

Toward cyber risks measurement

As most companies in the U.S. already use some form of
cloud-based solutions, the digital footprint of enterprises
is growing, and so are the risks. Technological solutions
have always focused on convenience, transparency, and
an ever-increasing ability to share information and collaborate,
while built-in security hasn’t been a priority
until recently. Now enterprises are shifting away from
this model. Growing privacy and security concerns affect
customer perception. According to Deloitte, 80% of customers
are aware of recent cyber breaches, and 50% of
them are ready to switch brands if they feel their information
may be compromised. Experian reported that now
cyber breaches are as devastating for the reputation of
organizations as environmental disasters and poor customer
service.

Most executives recognize that cyber risks are no longer
on the horizon but are an imminent cost of doing business.
Companies are actively looking for effective mitigation
actions. Recent surveys show that cybersecurity is already
part of the agenda of 80% of corporate boards (up from
around 30% 4 years ago). Companies are adjusting their
enterprise risk management frameworks and including
cyber risks and accompanying controls as part of the necessary
risk management actions. Traditional controls introduced
for in-house infrastructure no longer work, as more
and more operations are performed in the cloud. Just as in
any healthy ecosystem, these environments present great
opportunities for stakeholders to interact with each other
and with the content, but they also carry inherent risks.

Risk mitigation approaches and technologies lag
behind the sophistication of the threat. In fact, our earlier
research with the World Economic Forum and
McKinsey showed that 90% of executives feel they only



financial services industry and describes the
risk appetite and potential losses for a portfolio
that an institution will incur over a
defined period of time and is expressed in a
probability to insure the loss.

In the cyber value-at-risk, we introduced
three major pillars, according to which companies
can model their risk exposure: existing
vulnerabilities, value of the assets, and
profile of an attacker. A complete cyber value-at-risk
allows us to answer the question:
“Given a successful cyberattack, a company
will lose not more than X amount of money
over period of time with 95% accuracy.” The
application of these models will depend on
particular industries, companies, and available
data and should be built for an organization.
We discussed specific indicators that
can potentially be used to populate the
model. Mathematically, these components
can be brought together and used to build a
stochastic model. For example, vulnerabilities
can be measured in the number of existing
unpatched vulnerabilities, not up-to-date
software, number of successful compromises,
or results of internal and external
audits. They can be benchmarked against
the maturity of existing controls and security
of networks, applications, data, etc. The
maturity of defending systems has to be
benchmarked against the threat environment,
hence the profile of an attacker component
becomes important. In this model, it
would be important to look into their motivations
(e.g., financial gain, destruction of
assets, espionage), the tools they are using,
and the innovative approaches. Because
cyber breaches are criminal activity, nontechnical
factors, such as behavioral motivations,
are to be considered. The component of the
value of assets of many organizations is difficult
to establish. This includes tangible
assets, such as financial flows, infrastructure,
and products, and intangible assets, primarily
data assets (customer and employee data,
business strategies, intellectual property),
brand, reputation, and trust of stakeholders.
Although cost of business interruption can
be qualified easier, the impact on intangible
assets is still subject to approximation. The

have “nascent” and “developing” capabilities
to combat cyberthreats. In this situation
when cyber breaches have become an
inevitable reality of doing business, executives
ask themselves, “What does it mean
for my business, how probable is it that a
devastating breach will happen to us, and
how much could it cost us?” Still, very few
organizations have developed ways to
assess their cyber risk exposure and to
quantify them.

In this chapter, we discuss the cyber
value-at-risk framework introduced by the
Partnering for Cyber Resilience initiative of
the World Economic Forum and released at
the Annual Summit in Davos in 2015. More
than 50 organizations, including Wipro,
Deloitte (project advisor), and Aon, have
contributed to this effort. The framework
laid the foundations for modeling cyber
risks and encouraged organizations to take
a quantitative approach toward assessing
their cyber risks exposure, which could
also help make appropriate investment

We were delighted to see many spin-off
projects and initiatives that were initiated as
part of this work and hope they will contribute
to better risk management tools. Our
research showed that the aggregate impact
of cybercrime on the global economy can
amount to $3 trillion in terms of slow down
in digitization and growth and result in the
slower adoption of innovation. Multiple
other studies showed significant negative
impact of cyber breaches. CSIS established
that the annual cost of economic espionage
reaches $445 billion. Target’s breach cost the
company more than $140 million, a large
portion of which went to cover litigation
costs. Interestingly, however, Aon research
shows that more than 80% of breaches cost
the companies less than $1 million.

■ Value-at-risk
How can companies define their risk exposure
and the level of investments, as well as
priority areas for these investments? To
answer this question, we turned to the value-at-risk
concept. The concept goes back to the



breach probability distribution”); hacker
model (mapping out motivations of adver-
saries in relation to the organization); attack
model (attack types and characteristics);
asset and loss model (potential loss given a
successful attack); security model (describ-
ing organizations’ security posture), and
company model (modeling organizations’
attractiveness as a target). Cyberpoint’s
Cy-var models looks at “time-dependent
valuation of assets” while taking into
account an organization’s security posture
and includes variables such as the values of
intellectual property assets, IT security con-
trols in place to protect those assets and
other related risks, infrastructure risks, a
time horizon, and a probability of an attack.

At the same time, all stakeholders came to
agreement that quantifying risks is a chal-
lenging task. In a workshop organized togeth-
er with Deloitte, the World Economic Forum
Partnering for Cyber Resilience members
defi ned the attributes of an ideal model of
cyber risks quantifi cation: applicability across
various industries; ease of interpretation by
experts and executives alike; association with
real data and measurable security events;
scalability across organizations or even
across the industry; at the same time, not relying
on data that are currently absent within most

Although the cyber value-at-risk frame-
work doesn’t specify how to calculate the
final number, it presents core components
and gives examples of how these components
can be quantified. This complete
model, however, could be characterized by
general applicability across various indus-
tries. For it to be effective, it has to be vali-
dated by the industry stakeholders. Cyber
value-at-risk aimed to bring together “tech-
nical, behavioral and economic factors from
both internal (enterprise) and external (sys-
temic) perspectives.” As a next step, it would
be important to understand dependencies
between various components in the frame-
work and ways to incorporate these models
into existing enterprise risk frameworks. It is
important to remember that organizations
should be wary of new emerging risks and

impact of losing these assets can be unnoticed
in the short term but may hurt long-term
profitability and market leadership of
an organization.

The cyber value-at-risk model has a num-
ber of limitations, including availability of
data, difficulties in calculating probabilities,
and applicability across various industries,
but it presents a first step and incentives for
organizations to move toward quantitative
risk management. By publishing the model,
we aimed to encourage more industry stake-
holders to develop comprehensive quantita-
tive approaches to cyber risks measurement
and management. For further examples and
information, please refer to Wipro’s use of
cyber value-at-risk for its clients, Deloitte’s
continuous development cyber value-at-
risk, Rod Beckstrom’s cybervar model, and
CXOWare’s Cyber Risk application model.
The Institute of Risk Management (IRM)
announced that it will release a cyber risk
quantification framework to help companies
assess their cyber risks exposure. The call to
action from the Partnering for Cyber
Resilience effort was to develop a unified
framework that can be used by industries
to reduce uncertainty around cyber risks
implications on businesses in the absence of
dominant models and frameworks. Aon has
defined important ways in which quantification
of cyberthreats can lead to better business
decisions. First, as the conversation has
shifted from technology and information
security departments to boardrooms, the
question of costs and risks becomes ever
more prevalent. It helps show the scale and
the impact that cyberthreats can have on
financial targets and overall competitiveness
of organizations; helps define and narrow
down the investments required to mitigate
those threats; makes it easy to paint compel-
ling pictures, build scenarios, and make busi-
ness cases; and helps make a determination
whether any parts of the risk can be trans-
ferred. Deloitte has put together a compre-
hensive model for modular approach to
cyber risk measurement introducing the
following components: probability model
(“attractiveness and resilience determine



consider cyber risks in addition to broader
technology or operational risks.

Overall, the goal was to help raise aware-
ness of cyber risks as a standing and regular
cost of doing business and help find a way
to measure and mitigate those risks. This
can be done through standardization of
various risk factors and indicators into a
normal distribution.

The components that we looked at in this
chapter help bring together various risk fac-
tors via “measures of risk likelihood and
impact.” To achieve a more granular level of
sophistication, quantification and standardization
metrics must mature. Some of the
main cited obstacles are availability of data
to build models, lack of standardized met-
rics and tools, lack of visibility within enter-
prise, and inability to collect data and
dubbed models internally. The variables and
components of the model can be brought
together into a stochastic model, which will
show the maximum loss given a certain
probability over a given period of time. It
was discussed that close to real-time sharing
of data between organizations could address
some of the main challenges of datasets’
availability and provide enough data to
build models.
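
A stochastic model of the kind described above, as an added example that is not taken from the report or from any of the vendor models it names. It assumes Poisson attack arrivals and a lognormal loss fraction per successful attack; every parameter value is constructed for illustration.

```python
import math
import random


def simulate_losses(attack_rate, success_prob, asset_value,
                    median_loss_fraction=0.05, sigma=1.0,
                    horizon_years=1.0, trials=5000, seed=2024):
    """Simulate total loss over the time horizon, one value per trial.

    attack_rate          attack attempts per year (assumed Poisson arrivals)
    success_prob         chance an attempt defeats the controls in place
    asset_value          value of the assets exposed to the attack
    median_loss_fraction median share of asset value lost per success
                         (assumed lognormal, capped at 100%)
    """
    rng = random.Random(seed)
    mu = math.log(median_loss_fraction)
    losses = []
    for _ in range(trials):
        elapsed, total = 0.0, 0.0
        while True:
            # Exponential gaps between attempts give Poisson arrivals.
            elapsed += rng.expovariate(attack_rate)
            if elapsed > horizon_years:
                break
            # Draw both numbers for every attempt, successful or not, so
            # that two runs sharing a seed see identical attack histories
            # and differ only in which attempts get through.
            u = rng.random()
            fraction = min(1.0, rng.lognormvariate(mu, sigma))
            if u < success_prob:
                total += fraction * asset_value
        losses.append(total)
    return losses


def value_at_risk(losses, confidence):
    """Smallest loss L such that at least `confidence` of trials lost <= L."""
    if not losses or not 0.0 < confidence <= 1.0:
        raise ValueError("need losses and a confidence in (0, 1]")
    ordered = sorted(losses)
    rank = math.ceil(confidence * len(ordered))
    return ordered[max(rank, 1) - 1]


def compare_controls():
    """Same threat and assets, two security postures (constructed values)."""
    common = dict(attack_rate=12.0, asset_value=10_000_000.0)
    scenarios = {
        "weak": simulate_losses(success_prob=0.20, **common),
        "strong": simulate_losses(success_prob=0.05, **common),
    }
    return {
        name: {
            "mean": sum(losses) / len(losses),
            "VaR95": value_at_risk(losses, 0.95),
            "VaR99": value_at_risk(losses, 0.99),
        }
        for name, losses in scenarios.items()
    }


if __name__ == "__main__":
    for name, stats in compare_controls().items():
        print(name, {k: round(v) for k, v in stats.items()})
```

The gap between the two VaR99 figures is the reduction in tail exposure attributable to the stronger controls, which is the number to set against the cost of those controls.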

Although a silver bullet to achieve cyber
resilience doesn’t exist, organizations con-
sider comprehensive frameworks for quanti-
fying and mitigating risk factors, including
cyber risks. Following this model, compa-
nies will assess their assets and existing
controls, quantify vulnerabilities, and know

their attackers and threats. The most significant
challenge so far is the absence of input
variables, quality of existing datasets and,
following these, no standardized measures
to assess cyber risk exposures. Building such
a model would require efforts in data classification,
encourage a strong organization
leadership, process improvement and collaboration,
as well as improve decision making
across various business areas. For example,
the car industry, mortgage industry, or most
insurances have agreed on standardized
metrics and data collection; the same should
happen for cyber risks measurement.
Understanding dependencies between these
variables and what they mean for various
industries should be a subject for cross-
industry collaboration so that input variables
are unified. The main benefits of this
approach are seen in the ability to support
decision-making processes, quantify the
damage at a more granular level, and define
appropriate investments. This would help
stimulate the development of risk transfer
markets and emergence of secondary risk
transfer products to mitigate and distribute
the risks. For organizations, the focus will
shift from an attacker to assets and how to
secure them in such a distributed digital
ecosystem, where everything is vulnerable.
As more robust quantitative cyber risks
models emerge and the industries are mov-
ing toward a standardized recognizable
model, the confidence of digital ecosystems
stakeholders and their ability to make effec-
tive decisions will also rise.

Based on Towards the Quantification of Cyber
Threats report.


Internet Security Alliance – Larry Clinton, CEO

The evolving cyberthreat and an
architecture for addressing it

According to the Pentagon’s 2015 Annual Report, “The
military’s computer networks can be compromised by
low to middling skilled attacks. Military systems do not
have a sufficiently robust security posture to repel sustained
attacks. The development of advanced cyber techniques
makes it likely that a determined adversary can
acquire a foothold in most DOD systems and be in a posi-
tion to degrade DOD missions when and if they choose.”

If the cyber systems of the world’s most sophisticated
and best funded armed forces can be compromised by
“low to middling skilled attacks,” how safe can we expect
discount retailers, movie studios, or any other corporate
or public systems to be?

That is not even the bad news.

■ Things are getting much worse: Three reasons
1. The system is getting weaker.
The bad news is that the cyber systems that have become
the underpinning of virtually all aspects of life in the
digital age are becoming increasingly less secure. There are
multiple reasons for this distressing trend. First, the sys-
tem is getting technologically weaker. Virtually no one
writes code or develops “apps” from scratch. We are still
relying on many of the core protocols designed in the
1970s and 80s. These protocols were designed to be
“open,” not secure. Now the attacking community is
going back through these core elements of the Internet
and discovering still new vulnerabilities. So as new func-
tionalities come online, their own vulnerabilities are sim-
ply added to the existing and expanding vulnerabilities
they are built upon. The reality is that the fabric of the
Internet is riddled with holes, and as we continue to
stretch that fabric, it is becoming increasingly less secure.

Additionally, vulnerabilities in many open source
codes, widely in use for years, are becoming increasingly
apparent and being exploited by modern “zero-day”



new access points to large amounts of data
resulting from the explosion in the number of
mobile devices vastly increases the challeng-
es to securing cyberspace.

However, the rise in use of mobile devices
pales in comparison to the coming Internet
of Things (IoT). The IoT, embedded comput-
ing devices with Internet connections,
embraces a wide range of devices, including
home security systems, cars, smart TVs, and
security cameras. Like the bring-your-own-
device (BYOD) phenomenon, the coming of
the IoT further undermines the overall secu-
rity of the system by dramatically increasing
the vectors, making every new employee’s
internet-connected device, upon upgrade, a
potential threat vector.

2. The bad guys are getting better.
Just after the turn of the century, the NSA
coined a new term, the “APT,” which stood
for the advanced persistent threat. The APT
referred to ultrasophisticated cyberattack
methods being practiced by advanced
nation-state actors. These attacks were char-
acterized by their targeted nature, often
focused on specific people instead of
networks, their continued and evolving
nature, and their clever social engineering
tactics. These were not “hackers” and “script
kiddies.” These were pros for whom cyberat-
tacks were their day job.

They were also characterized by their
ability to compromise virtually any target
they selected. APTs routinely compromised
all anti-virus intrusion detection and best
practices. They made perimeter defense

Now these same attack methods, once
practiced only by sophisticated nation-states,
are widely in use by common criminals.
Whereas a few years ago these attacks were
confined to nations and the Defense Industrial
Complex, they now permeate virtually all
economic sectors.

The APT now stands for the average persis-
tent threat.

The increasing professionalism and
sophistication of the attack community is
fueled by the enormous profits cyberattacks

attacks, and the patching system we have
relied on to remediate the system can’t keep
pace. Huge vulnerabilities such as
Heartbleed and Shellshock have existed
within open source code for years only to
be revealed recently when scrutinized by
fresh eyes.

Within hours of the Heartbleed vulnerabil-
ity becoming public in 2014, there was a surge
of attackers stepping up to exploit it. The
attackers exploiting the vulnerability were
much faster than the vendors could patch it.
This is a growing trend. In 2014 it took
204 days, 22 days, and 52 days to patch the top
three zero-day vulnerabilities. In 2013 it took
only four days for patches to arrive. Even
more disturbing is that the top five zero-day
attacks in 2014 were actively used for a com-
bined 295 days before patches were available.

Moreover, because almost no one builds
from scratch anymore, the rate of adoption
for open source programming as a core com-
ponent of new software greatly exceeds the
vetting process for many applications. As
the code gets altered into new apps, the risks
continue to multiply. In 2015 Symantec esti-
mates there are now more than a million
malicious apps in existence. In a fast-moving,
early stage industry, developers have a
strong incentive to offer new functionality
and features, but data protection and priva-
cy policies tend to be a lesser priority.

The risks created by the core of the system
becoming intrinsically weaker are being further
magnified by the explosion of access
points to the system, many with little or no
security built into their development. Some
analysts are already asserting that there are
more mobile devices than there are people
on the earth. If that is not yet literally true, it
will shortly be.

It is now common for individuals to have
multiple mobile devices and use them inter-
changeably for work and leisure often with-
out substantial security settings. Although
this certainly poses a risk of data being stolen
directly from smartphones, the greater con-
cern is that mobile devices are increasingly
conduits to the cloud, which holds increasing
amounts of valuable data. The number of



corporate growth, innovation, and profitability
also undermine cybersecurity.

Technologies such as VOIP or cloud computing
bring tremendous cost efficiencies but
dramatically complicate security. Efficient,
even necessary, business practices such as the
use of long supply chains and BYOD are also
economically attractive but extremely prob-
lematic from a security perspective.

Corporate boards are faced with the
conundrum of needing to use technology to
grow and maintain their enterprises without
risking the corporate crown jewels or hard-
won public faith in the bargain. In addition,
the fears and potential losses from cyber
events tend to be speculative and future ori-
ented, whereas most corporate leaders (as
well as the citizen investors who have their
401(k)s tied up in the stock market) tend to
make their decisions with an eye toward the
next quarter or two.

The national security equation
Finally, from the national security perspec-
tive, Internet economics are also complicated.
This economic puzzle is important to solve
because multiple independent studies indi-
cate that the number one problem with
securing critical infrastructure from cyberat-
tack is economic. As the 2014 National
Infrastructure Protection Plan makes clear,
the public and private sectors have aligned,
but not identical, perspectives on cybersecurity
based on their differing, and legally
mandated, roles and obligations.

The private sector is legally required to
invest to maximize shareholder value.
Although shareholder value is enhanced to
some degree by security investment, gener-
ally security is considered a cost center in
the corporate world. As with most corporate
investments, security is a matter of cost benefit
for the private sector. What this translates
to is that the private sector may legitimately
judge that there is a level of security
that goes beyond their commercial interest
and hence their legally mandated obligation
to their shareholders. An example is the
common case of pilfering in many retail
stores, wherein the owner may be aware

are generating—routinely estimated in the
hundreds of billions of dollars and growing.
It is now apparent that attackers are not
going to rely on reusing the same old meth-
ods. Instead, like any smart, successful, and
growing enterprise, they are investing in
R&D and personnel acquisition. They are
seeking to grow their business, including
finding new vulnerabilities in older infrastructures
and thus widening the surface
available for attack.

3. The economics of cybersecurity favor the attackers.
Cyberattacks are relatively cheap and easy to
access. Virtually anyone can do an Internet
search and fi nd vendors to purchase attack
methods for a comparatively small investment.
The attacker’s business plans are
expansive with extremely generous profit
margins. Multiple reports suggest hundreds
of billions of dollars in criminal cyber reve-
nue each year. They can use virtually identi-
cal attack methods against multiple targets.
The vast interconnection of the system
allows attackers to exploit weaker links who
have permitted access to more attractive
targets, and their “market” is accessible to
them worldwide.

Meanwhile, cyber defense tends to be
almost inherently a generation behind the
attackers, as anticipating the method and
point of attack is extremely difficult. From a
business investment perspective it is hard
to show return on investment (ROI) to
attacks that are prevented, making ade-
quate funding a challenge. Moreover, law
enforcement is almost nonexistent—we
successfully prosecute less than 2% of cyber
criminals, so there is little to discourage the
attackers from being bold. Furthermore, as
we have already illustrated, notwithstand-
ing consumers tend to prefer utility and
function over security, which provides a
disincentive for investors to enhance devic-
es with added security, which often slows
or limits utility.

This little-understood imbalance of the
economic incentives is exacerbated by the
fact that many of the technologies and busi-
ness practices that have recently driven



the Department of Homeland Security
(DHS) be given authority to set minimum
standards for cybersecurity over the private
sector. Subsequently two bills were offered
in the Senate, one by the Chairman of the
Senate Commerce Committee, Senator Jay
Rockefeller (D-WV) with Senator Olympia
Snowe (R-ME) and separately by Senate
Homeland Security Chairman Joe Lieberman
(D-CN) and Senator Susan Collins (R-ME).
Both bills largely followed the Obama para-
digm of DHS setting regulatory mandates
for the private sector with substantial penal-
ties available for noncompliance.

Despite strong backing from the Senate
Majority Leader Harry Reid and much of the
military establishment, the bills could not
get out of committee. Even though Reid
exercised his parliamentary power to control
the Senate agenda, there was not enough
support to even get the bills to the floor for
consideration, let alone vote on them.

There was certainly industry opposition to
these bills, but what killed them was the
bipartisan realization that the traditional regulatory
model was an ill fit for cybersecurity.
Government agencies’ ability to craft regula-
tions that could keep up with cyberthreats
was highly questionable. Early efforts to
apply traditional regulation to cyberspace,
such as HIPAA in the health-care industry,
had not generated success. Indeed health
care is widely considered one of the least
cyber secure of all critical infrastructures.

However, with cyber systems becoming
increasingly ubiquitous and insecure, threatening
economic development and national
security, there was an obvious need for an
affirmative and effective approach. The non-
regulatory, collaborative model selected
largely followed the “social contract” para-
digm previously promoted by industry gov-
ernment analysts.

The social contract approach
In 2013 President Obama reversed course
180 degrees. In an executive order on
cybersecurity the president abandoned the
government-centric regulatory approach

that 5% of his inventory is “walking out the
back door” every month. The reason he
doesn’t hire more guards or put up more
cameras or other security measures is that
the cost benefit presumably suggests it will
cost him 6% to do so, and hence the better
business decision is to tolerate this level of

Government doesn’t have that luxury.
The government is charged with providing
for the common defense. Surely, they have
economic considerations with respect to
security; however, they are also mandated to
a higher level of security largely irrespective
of cost to provide for national security, con-
sumer protection, privacy, and other non-
economic considerations.

In the Internet space, government and
industry are using the same networks. This
means the two users of the systems have dif-
fering security requirements—both legiti-
mate and backed by lawful authority.
Moreover, requiring greater cybersecurity
spending, beyond commercial interest as
suggested by some, could run afoul of other
government interests such as promoting
innovation, competitiveness, and job growth
in a world economy (presumably not follow-
ing U.S.-based requirements).

Finally, the presumption that requiring
increased security spending by commercial
entities up to the government risk tolerance
is in the corporate self-interest is complicat-
ed by the data that have emerged after
highly publicized cyber breaches. One year
after the Target breach, which would presumably
damage the company’s image, profitability,
and reputation, Target’s stock price
was up 22%, suggesting such predictions
were incorrect. Similarly, 6 months after the
high-profile cyberattacks on Sony (the second
high-profile cyberattack for Sony in a
few years), Sony’s stock price was up 26%.

■ Some good news: Enlightened policy working
in partnership

Traditional regulatory efforts fail
In 2012 President Obama offered a legisla-
tive proposal to Congress suggesting that



telephone service at affordable rates, govern-
ment would guarantee the investment pri-
vate industry would make in building and
providing the service. This agreement
ensured enough funds to build, maintain,
and upgrade the system plus make a reason-
able rate of return on the investment. Thus
were born the privately owned public utili-
ties and the rate of return regulation system.

The result was that the U.S. quickly built
out the electric and communications systems
for the expanding nation, which were gener-
ally considered the best in the world. Some
have argued this decision was foundational
to the U.S.’s rapid expansion and develop-
ment, which turned it from a relatively
minor power in the early part of the twenti-
eth century to the world’s dominant super-
power less than a generation later.

Although the Obama social contract
approach to cybersecurity has different
terms than that of previous infrastructure
development, the paradigm is similar.
Similar modifications of the incentive model
are also in use in other areas of the economy,
such as environment, agriculture, and transportation,
but this is the first application in
the cybersecurity field.

Although it is in its formative stages, at
this point early indications for the social con-
tract approach are positive. The cybersecuri-
ty framework development process conduct-
ed by the National Institute of Standards and
Technology (NIST) has been completed and
received virtually unanimous praise. In an
exceedingly rare development, the Obama
approach to cybersecurity closely tracks with
that outlined by the House Republican Task
Force on Cyber Security. Bipartisan bills
using liability incentives, instead of govern-
ment mandates, are moving through
Congress, and additional incentive programs
are under development.

■ Conclusion
The cybersecurity problem is extremely
serious and becoming more so. An inher-
ently insecure system is becoming weaker.
The attack community is becoming more

embodied in his previous legislative pro-
posals and the Senate bills. Instead, he sug-
gested a public private partnership—a
social contract—that would address the
technical as well as economic issues that are
precluding the development of a cyber sys-
tem that can become sustainably secure. In
this new partnership, industry and govern-
ment would work together to identify a
framework of standards and practices wor-
thy of industry based on cyber risk assess-
ments conducted by the companies. The
president ordered that the framework be
voluntary, prioritized, and cost effective. If
there were an economic gap between what
ought to be done and what would be
accomplished through normal market
mechanisms, a set of market incentives
would be developed to promote voluntary
adoption of the framework. Although
industry that operates under regulatory
systems would remain subject to regulatory
authority, no new regulatory authority for
cybersecurity would be part of the system.
Instead, a partnership system based on vol-
untary use of consensus standards and
practices and reinforced through market
incentives would be built.

The cyber social contract model has sub-
stantial precedent in the history of infra-
structure development in the United States.
In the early twentieth century the innovative
technologies were telephony and electricity
transport. Initially the private companies
that provided these technologies, because of
natural economies, served primarily high-
density and affluent markets. Policy makers
of the era quickly realized that there was a
broader social good that would be served by
having universal service of these services
but also realized that building out that infra-
structure would be costly and uneconomic
either for industry or government.

Instead of government taking over the
process or mandating that industry make
uneconomic investment, the policy makers
designed a modern social contract with
industry. If industry would build out the
networks and provide universal electric and



sophisticated and enjoys massive economic
incentives over the defender community.
Traditional government methods to fight
criminal activity have not matured to
address the threat and may be inappropri-
ate to meet the dynamic nature of this
uniquely twenty-first century problem.
Fortunately, at least the U.S. government

seems to have developed a consensus strat-
egy to better leverage public and private
resources to combat cyberthreats without
excessively compromising other critical
social needs. Although there are some ini-
tial signs of progress, the road to creating a
sustainably secure cyber system will be
long and difficult.


Former CIO of the U.S. Department
of Energy – Robert F. Brese

Effective cyber risk management:
An integrated approach

In its 2015 Data Breach Report, Verizon found that in 60%
of the nearly 80,000 security incidents reviewed, including
more than 2,000 confirmed data breaches, cyber attackers
were able to compromise an organization within minutes.
Alarmingly, only about one third of the compromises
were discovered within days of their occurrence. This is
not good news for C-suites and boardrooms. Data breach-
es, compromises in which data loss is unknown, denial of
service attacks, destructive malware, and other types of
cybersecurity incidents can lead to lost revenue, reputa-
tion damage, and even lawsuits, as well as short- and
long-term liabilities affecting a company’s future.
Although “getting hacked” may seem, or even be, inevita-
ble, the good news is that by taking an integrated
approach to risk management, cybersecurity risk can be
effectively managed.

But who is responsible for this integrated approach,
and what does it include? Although often the case, man-
aging cybersecurity risk should not be left solely to the
chief information officer (CIO) and chief information
security officer (CISO). Even though these professionals
are capable, only an integrated information (i.e., data),
information technology, and business approach will ena-
ble a company to effectively manage cybersecurity risk as
a component of an organization’s overarching enterprise
risk program. There is also a movement for board-level
involvement and reporting, resulting in a risk to board
members’ tenure if they are not considered to be sufficiently
engaged in the oversight of cybersecurity risk
management and incident response. As an example, in
2014, Institutional Shareholders Services (ISS) recom-
mended that shareholders of Target stock vote against all
seven of the directors that were on the board at the time of
the highly publicized 2013 breach. Although somewhat
shocking, it should be inherently obvious that effective



collaboration. They also predict that the digi-
tal industrial economy, and the Internet of
Things (IoT), will result in even greater difficulty.
However, attempting to scale cybersecurity
risk management in isolation from an
organization’s enterprise risk program only
exposes the organization to greater risk by
creating a gap in risk oversight.

Nearly every company has established
processes to manage enterprise risk. Larger
companies often have a chief risk officer
(CRO) or equivalent individual who is inde-
pendent of the business units and is given
the authority and responsibility to manage
the enterprise risk processes. Incorporating
cybersecurity into the mix of corporately
managed risks should be a priority. Some
may argue that cybersecurity is too different
from the other risks a company faces, such as
market risk, credit risk, currency risk, or
physical security risk, to be managed in a
similar manner. However, although cyberse-
curity may seem more “technical,” the
desired outcome of the treatment is the
same, that is to eliminate, mitigate, transfer,
or accept risk affecting the company’s future.
One thing is certain: not all cybersecurity
risk can be eliminated through controls or
transferred through insurance, so residual
risk must be accepted. Making good decisions
requires an integrated, formal approach.

■ The cybersecurity risk management process
There are several key steps that should be
taken to effectively integrate cybersecurity
risk management into the company’s enter-
prise risk management process. This chapter
doesn’t attempt to explain the details of any
particular process but instead focuses on com-
mon attributes that should be used, including
risk framing and assessment, controls assess-
ment, risk decision-making, residual risk sign-
off, risk monitoring, and accountability. Figure 1
provides a visual of the process. For addi-
tional details on approaches to cybersecurity
risk management, the National Institute of
Standards and Technology (NIST) Computer
Security Resource Center (CSRC), interna-
tional standards organizations, and other
industry sources may be consulted.

cybersecurity risk management is key to
meeting the fiduciary responsibilities of corporate
officers and the board.

To ensure success, managing cybersecu-
rity risk must be an ongoing and iterative
process, not a one-time, infrequent, or check-
the-box activity. This area of risk manage-
ment must grow with the company and
change with ever-evolving cyber threats.
Data holdings and information technology
(IT) systems, and the Internet-connected
environment in which they operate, change
at a pace that is more rapid than many of the
other variables affecting enterprise risk. Not
only must the right stakeholders be engaged
at the right levels within an organization,
but also the right automated tools and
processes must be in place to support risk
decision making and monitoring.

■ Perfect security is a myth
As in physical security, there is no such thing
as perfect IT (cyber) security. All the firewalls,
encryption, passwords, and patches
available cannot create a zone of absolute
safety that enables a company to operate
unimpeded and free of concern regarding
the cybersecurity threat. However, perfect
security is not required, or even desired. The
effects of too little security are fairly obvious.
However, too much security unnecessarily
constricts the business’ ability to operate by
reducing the effectiveness and efficiency of a
customer’s access to the company’s products
and services and unnecessarily constraining
internal and business-to-business (B2B)
interactions. Effective risk management
finds the balance between the needs of the
business to operate and the needs and cost of
security. In finding this balance, the company
will be able to compete successfully in its
market while protecting the critical informa-
tion and assets on which its success relies.

■ Enterprise risk management
Gartner, Inc., the world’s leading IT research
and advisory company, has found that cyber-
security risk management programs have
experienced trouble in scaling with corporate
initiatives in mobility, cloud, big data, and



a company has to avoid, mitigate, share,
transfer, or accept risk. This means that cor-
porate structure, training and awareness
programs, physical security, and other
options should be considered in addition to
traditional IT controls. Cyber insurance may
also be considered. Again, the CIO and
CISO cannot do this alone, and there should
be active engagement across all the various
business lines, business support, and IT
organizations that can contribute to identi-
fying potential controls and the impact they
may have on cybersecurity risk.

Risk Decision Making: A crucial element of risk response is the decision-making process. Decisions are made regarding what will be done and what will not be done in response to each risk. A balance must be struck between protecting systems and information and the need to effectively run the business that relies on them. Other factors that should be considered include the amount of risk reduction related to implementation and maintenance costs and the impacts on employee training and certification requirements.

An acceptable course of action is identified and agreed to by the business, and then controls are implemented and initially evaluated for effectiveness. If the controls perform acceptably, then the sign-off and monitoring processes can begin. If not, then a new course of action must be developed, which may require further controls assessment to respond to the risk or even additional framing and assessment to adjust the risk tolerance.

Risk Framing and Assessment: The initial activities in risk management include risk framing and assessment and controls assessment. CIOs and CISOs have been assessing the risk to IT systems for many years and are well informed on the range of cybersecurity threats and vulnerabilities that affect corporate risk. However, the consequences (i.e., business impact) may or may not be well understood, depending on how close the relationship between IT and the line of business leaders has been in the past. The engagement between IT and the line of business owners is crucial and must result in clarity about the type and amount of risk the business is willing to accept with respect to the

confidentiality (preventing unauthorized

integrity (preventing unauthorized modification or destruction); and

availability (ensuring data and systems are
operational when needed)

of the information and systems on which the business relies. Once IT understands the business owner’s risk threshold, the CIO and CISO can begin planning, implementing, and assessing the appropriate security

Controls Assessment: Preparing an
appropriate response to risk requires the
assessment of potential controls. Controls
include all of the tools, tactics, and processes

[Figure: The cybersecurity risk management process. Surviving labels: "Framing &", "Risk Sign-off".]



treatment plan and/or the accepted level of residual risk may require revision. If so, the previous process steps should be revisited. The frequency of review should be in relation to the likelihood and severity of the risk. Because most companies have a large number of systems, each with their own risk register, an automated system is typically used to aid monitoring and review.

Accountability: Last and most important, we have to consider accountability. Accountability is not about who to blame when something goes wrong. As stated earlier, the likelihood of something going wrong is high. Accountability ensures a formal risk management process is followed and that effective decision-making is occurring. One person should be accountable for the risk management process; however, numerous individuals will be responsible or accountable for the various steps, and many more will be consulted and informed along the way. One option to ensure roles and responsibilities are clearly articulated

Residual Risk Sign-Off: The sign-off of residual risk closes the decision-making process. This should be the role of the business because it is the operational customer of the risk management process. Additionally, this should be a formal, documented activity. The decisions on how each risk will be treated and/or accepted must be articulated in a manner such that the signatory and reviewers (i.e., regulators, etc.) can clearly understand the risk treatment plan and the residual risk being accepted. Once the residual risk is formally accepted, the system is typically placed into operation. The formal recognition of the residual risk also helps build a culture of risk awareness in the business units.

Risk Monitoring: Monitoring risk is an ongoing process. Each monitoring activity is designed with a purpose, type, and frequency of monitoring. Typically, a risk register has been developed during the risk framing and assessment phase and leveraged throughout all steps of the risk management process. The register also serves as a reference for auditors. The register should contain the risks that matter most and be routinely updated and reviewed with the business over time. If the likelihood or severity of consequences changes, or if other physical or IT environmental factors change, the


Process Step              CIO  CISO  LOB  CRO  CEO  Board
Risk Framing and
Controls Assessment       A    R     C    I    I    I
Risk Decision-Making      C    R     A    C    I    I
Residual Risk Sign-Off    C    R     A    I    I    I
Risk Monitoring           A    R     C    C    I    I
Accountability            R    C     C    A    C    C

A responsibility assignment matrix (RAM), also known as RACI matrix /ˈreɪsiː/ or ARCI matrix or linear responsibility chart (LRC), describes the participation by various roles in completing tasks or deliverables for a project or business




conduct user acceptance testing or experience surveys as well.

■ Evaluating maturity of an organization’s cybersecurity risk management program

Cybersecurity risk management programs aren’t born effective and are not immediately prepared to scale with the business. Equally important as making effective risk management decisions and accepting residual risk is the continuous evaluation of the process itself. Numerous IT, cybersecurity, and business consultants, as well as trade associations have published guidance, checklists, and suggested questions for board members. Although there are many ways for the C-suite and board to stay engaged, a company’s cybersecurity risk management program must continuously mature to ensure future success. To understand a program’s growing maturity, questions should be focused on evaluating improvements in how well risk is understood and treated, the effectiveness of business leader and general employee participation, how responsive the risk management process is to change, and the capability to effectively respond to an incident.

How consistent is the understanding of
the company’s tolerance for cybersecurity
risk across the C-suite and senior managers?
How deep in the organization does this
understanding go?

How well do line of business owners understand the cybersecurity risks associated with their business? Are sound and effective risk management and acceptance decisions being made in a timely manner to meet business needs?

How clearly are roles and responsibilities understood, and how well do role owners adhere to and fulfill their responsibilities? Do employees report cybersecurity issues and are they incorporated into the risk monitoring process?

When threats, vulnerabilities, or other conditions change, does the risk management process respond and, when necessary, make sustainable changes to the risk treatment plan?

is by using a RACI matrix (see insert) to identify which person or organization is responsible, accountable, consulted, or informed. Table 1 provides an example but should be adjusted to align to the enterprise risk management and governance processes of the company.

■ Information supporting cybersecurity risk

No risk management is a precise science, including cybersecurity risk management. Throughout the risk management process, the information required for success has to be “good enough” to recognize and understand risks to the level necessary to support effective decision-making. Although complex mathematical models may work to manage some risks the company faces, forcibly creating objectivity when little or none exists can actually result in poor or ineffective decisions by creating a focus on the numbers rather than on the meaning of the risk analysis. So, using big bucket approach categories such as low, moderate, and high or unlikely, likely, and very likely may be adequate.

■ Stakeholder engagement
A key success factor of ensuring that fiduciary responsibilities are fulfilled in a company’s cybersecurity risk management program is the right level of stakeholder engagement. Leaving the program to the CRO or the CIO alone should not be considered due diligence. Framing and assessing risk requires a clear understanding of corporate risk tolerance. The line of business lead should have the responsibility to sign off on the residual risk, but to make good risk decisions, the perspectives of other individuals and organizations in the company must be consulted and taken into consideration. Depending on the system(s) for which risk is being evaluated, some potential stakeholders include the CIO, CISO, chief financial officer (CFO), legal counsel, and other line of business owners and external partners with supporting or dependent relationships. If there is significant potential to affect the customer experience, there may be a need to



How effective is the cyber incident
response plan? Is it regularly exercised and
are lessons learned from exercises and prior
incidents leveraged to improve the plan?

■ Effective communications
Long-term effectiveness in cybersecurity risk management requires all employees to fulfill their responsibilities for the security of the organization for which they work. Creating a company culture of cybersecurity risk awareness is critical and is fostered through effective communications. Leadership must understand how risk is being measured across the enterprise, articulate what level is acceptable, and balance the cost they are willing to incur for this level of security. Employees must understand the basics of the various cybersecurity threats and vulnerabilities and the importance of their daily decisions and actions as they go about their business. Regular training and awareness activities are essential and can be similar to the “see something, say something” campaigns related to physical security. Additionally, employees must be empowered and rewarded for identifying cybersecurity issues.

Communications are also important to build strong relationships, not only through customer assurances but also with external partners and suppliers. Communicating cybersecurity requirements and expectations to business partners can improve risk decision-making as well as lead to cooperative approaches to mitigating risk. Cybersecurity risks also exist in the supply chain, and communicating cybersecurity requirements and vetting suppliers for certain critical components or services can effectively reduce risk. Had Target, Home Depot, and certain other high-profile cyberattack victims built stronger cybersecurity relationships with external partners, their risk of becoming a victim may have been reduced.

■ Conclusion
C-suites and boards should not fear cybersecurity. By integrating cybersecurity risk management into the enterprise risk management process and by effectively engaging IT and business executives, cybersecurity risk can be understood and managed. Building a risk-aware culture is important to ensuring the quality of the ongoing risk monitoring process. When cyberthreats and vulnerabilities are regularly evaluated, employees are empowered to report issues and business executives are aware of potential impacts to their operations, the company’s cybersecurity defenses become more agile and responsive and the overall risk remains under control. Finally, continuous evaluation of the risk management process, including its effectiveness and responsiveness to change and to incidents, is necessary to ensure effectiveness is sustained.

Electronic version of this guide and additional content available at:

Cyber risk and the
board of directors


Orrick, Herrington & Sutcliffe LLP – Antony Kim, Partner;
Aravind Swaminathan, Partner; and Daniel Dunne, Partner

The risks to boards of directors
and board member obligations

As cyberattacks and data breaches continue to accelerate in number and frequency, boards of directors are focusing increasingly on the oversight and management of corporate cybersecurity risks. Directors are not the only ones. An array of federal and state enforcement agencies and regulators, most notably the Department of Justice (DOJ), Department of Homeland Security (DHS), Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and state Attorneys General, among others, identify board involvement in enterprise-wide cybersecurity risk management as a crucial factor in companies’ ability to appropriately establish priorities, facilitate adequate resource allocation, and effectively respond to cyberthreats and incidents. As SEC Commissioner Luis A. Aguilar recently noted, “Boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”1 Indeed, even apart from the regulators, aggressive plaintiffs’ lawyers, and activist shareholders are similarly demanding that boards be held accountable for cybersecurity. Shareholder derivative actions and activist investor campaigns to oust directors are becoming the norm in high-profile security breaches.

Directors have clearly gotten the message. A survey by the NYSE Governance Services (in partnership with a leading cybersecurity firm) found that cybersecurity is discussed at 80% of all board meetings. However, the same survey revealed that only 34% of boards are confident about their respective companies’ ability to defend themselves against a cyberattack. More troubling, a June 2015 study by the National Association of Corporate Directors found that only 11% of respondents believed their boards possessed a high level of understanding of the risks associated with cybersecurity.2 This is a difficult position to be in: aware of the magnitude of the risks at hand but struggling


action or inaction. To maximize their personal protection, directors must ensure that, if the unthinkable happens and their corporation falls victim to a cybersecurity disaster, they have already taken the steps necessary to preserve this critical defense to personal

In the realm of cybersecurity, the board of directors has “risk oversight” responsibility: the board does not itself manage cybersecurity risks; instead, the board oversees the corporate systems that ensure that management is doing so effectively. Generally, directors will be protected by the business judgment rule and will not be liable for a failure of oversight unless there is a “sustained or systemic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.” This is known as the Caremark test,5 and there are two recognized ways to fall short: first, the directors intentionally and entirely fail to put any reporting and control system in place; or second, if there is a reporting and control system, the directors refuse to monitor it or fail to act on warnings they receive from the system.

The risk that directors will face personal liability is especially high where the board has not engaged in any oversight of their corporations’ cybersecurity risk. This is a rare case, but other risks are more prevalent. For example, a director may fail to exercise due care if he or she makes a decision to discontinue funding an IT security project without getting any briefing about current cyberthreats the corporation is facing, or worse, after being advised that termination of the project may expose the company to serious threats. If an entirely uninformed or reckless decision to de-fund renders the corporation vulnerable to known or anticipated risks that lead to a breach, the members of the board of directors could be individually liable for breaching their Caremark duties.

II. The Personal Liability Risk to Directors

Boards of directors face increasing litigation
risk in connection with their responsibilities

to understand and find solutions to address and mitigate them.

In this chapter, we explore the legal obligations of boards of directors, the risks that boards face in the current cybersecurity landscape, and strategies that boards may consider in mitigating that risk to strengthen the corporation and their standing as dutiful

I. Obligations of Board Members

The term “cybersecurity” generally refers to the technical, physical, administrative, and organizational safeguards that a corporation implements to protect, among other things, “personal information,”3 trade secrets and other intellectual property, the network and associated assets, or as applicable, “critical infrastructure.”4 This definition alone should leave no doubt that a board of directors’ role in protecting the corporation’s “crown jewels” is essential to maximizing the interests of the corporation’s shareholders.

Generally, directors owe their corporation fiduciary duties of good faith, care, and loyalty, as well as a duty to avoid corporate waste.3 The specific contours of these duties are controlled by the laws of the state in which the company is incorporated, but the basic principles apply broadly across most jurisdictions (with Delaware corporations law often leading the way). More specifically, directors are obligated to discharge their duties in good faith, with the care an ordinarily prudent person would exercise in the conduct of his or her own business under similar circumstances, and in a manner that the director reasonably believes to be in the best interests of the corporation. To encourage individuals to serve as directors and to free corporate decision making from judicial second-guessing, courts apply the “business judgment rule.” In short, courts presume that directors have acted in good faith and with reasonable care after obtaining all material information, unless proved otherwise; a powerful presumption that is difficult for plaintiffs to overcome, and has led to dismissal of many legal challenges to board



by failing to act in the face of a reasonably
known cybersecurity threat. Recent cases
have included allegations that directors:

• failed to implement and monitor an effective cybersecurity program;

• failed to protect company assets and business by recklessly disregarding cyberattack risks and ignoring red flags;

• failed to implement and maintain internal controls to protect customers’ or employees’ personal or financial

• failed to take reasonable steps to timely notify individuals that the company’s information security system had been

• caused or allowed the company to disseminate materially false and misleading statements to shareholders (in some instances, in company filings).

Board members may not be protected from liability by the exculpation clauses in their corporate charters. Although virtually all corporate charters exculpate board members from personal liability to the fullest extent of the law, Delaware law, for example, prohibits exculpation for breaches of the duty of loyalty, or breaches of the duty of good faith involving “intentional misconduct” or “knowing violations of law.” As a result, because the Delaware Supreme Court has characterized a Caremark violation as a breach of the duty of loyalty,7 exculpation of directors for Caremark breaches may be prohibited. In addition, with the myriad of federal and state laws that touch on privacy and security, directors may also lose their immunity based on “knowing violations of law.” Given the nature of shareholder allegations in derivative litigation, these are important considerations, and importantly, vary depending on the state of incorporation.

Directors should also be mindful of standard securities fraud claims that can be brought against companies in the wake of a data breach. Securities laws generally prohibit public companies from making material

for cybersecurity oversight, particularly in the form of shareholder derivative litigation, where shareholders sue for breaches of directors’ fiduciary duties to the corporation. The rise in shareholder derivative suits coincides with a 2013 Supreme Court decision limiting the viability of class actions that fail to allege a nonspeculative theory of consumer injury resulting from identity theft.6 Because of a lack of success in consumer class actions, plaintiffs’ lawyers have been pivoting to shareholder derivative litigation as another opportunity to profit from massive data breaches.

In the last five years, plaintiffs’ lawyers have initiated shareholder derivative litigation against the directors of four corporations that suffered prominent data breaches: Target Corporation, Wyndham Worldwide Corporation, TJX Companies, Inc., and Heartland Payment Systems, Inc. Target, Heartland, and TJX each were the victims of significant cyberattacks that resulted in the theft of approximately 110, 130, and 45 million credit cards, respectively. The Wyndham matter, on the other hand, involved the theft of only approximately 600,000 customer records; however, unlike the other three companies, it was Wyndham’s third data breach in approximately 24 months that got the company and its directors in hot water. The signs point to Home Depot, Inc., being next in line. A Home Depot shareholder recently brought suit in Delaware seeking to inspect certain corporate books and records. A “books and records demand” is a common predicate for a shareholder derivative action, and this particular shareholder has already indicated that the purpose of her request is to determine whether Home Depot’s management breached fiduciary duties by failing to adequately secure payment information on its data systems, allegedly leading to the exposure of up to 56 million customers’ payment card information.

Although there is some variation in the derivative claims brought to date, most have focused on two allegations: that the directors breached their fiduciary duties by making a decision that was ill-advised or negligent, or



III. Protecting Boards of Directors

From a litigation perspective, boards of directors can best protect themselves from shareholder derivative claims accusing them of breaching their fiduciary duties by diligently overseeing the company’s cybersecurity program and thereby laying the foundation for invoking the business judgment rule. Business judgment rule protection is strengthened by ensuring that board members receive periodic briefings on cybersecurity risk and have access to cyber experts whose expertise and experience the board members can rely on in making decisions about what to do (or not to do) to address cybersecurity risks. Most importantly, directors cannot recklessly ignore the information they receive, but must ensure that management is acting reasonably in response to reported information the board receives about risks and vulnerabilities.

Operationally, a board can exercise its oversight in a number of ways, including by (a) devoting board meeting time to presentations from management responsible for cybersecurity and discussions on the subject, to help the board become better acquainted with the company’s cybersecurity posture and risk landscape; (b) directing management to implement a cybersecurity plan that incentivizes management to comply and holds it accountable for violations or noncompliance; (c) monitoring the effectiveness of such plan through internal and/or external controls; and (d) allocating adequate resources to address and remediate identified risks. Boards should invest effort in these actions, on a repeated and consistent basis, and make sure that these actions are clearly documented in board and committee packets, minutes, and reports.
(a) Awareness. Boards should consider appointing a chief information security officer (CISO), or similar officer, and meet regularly with that individual and other experts to understand the company’s risk landscape, threat actors, and strategies to address

statements of fact that are false or misleading. As companies are being asked more and more questions about data collection and protection practices, directors (and officers) should be careful about statements that are made regarding the company’s cybersecurity posture and should focus on tailoring cybersecurity-related risk disclosures in SEC filings to address the specific threats that the company faces.

Cybersecurity disclosures are of keen interest to the SEC, among others. Very recently, the SEC warned companies to use care in making disclosures about data security and breaches and has launched inquiries to examine companies’ practices in these areas. The SEC also has begun to demand that directors (and boards) take a more active role in cybersecurity risk oversight.

Litigation is not the only risk that directors face. Activist shareholders—who are also customers/clients of corporations—and proxy advisors are challenging the re-election of directors when they perceive that the board did not do enough to protect the corporation from a cyberattack. The most prominent example took place in connection with Target’s data breach. In May 2014, just weeks after Target released its CEO, Institutional Shareholder Services (ISS), a leading proxy advisory firm, urged Target shareholders to seek ouster of seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over

Thoughtful, well-planned director involvement in cybersecurity oversight, as explained below, is a critical part of a comprehensive program, including indemnification and insurance, to protect directors against personal liability for breaches. Moreover, it can also assist in creating a compelling narrative that is important in brand and reputation management (as well as litigation defense) that the corporation acted responsibly and reasonably (or even more so) in the face of cybersecurity threats.



details of any cybersecurity risk
management plan should differ from
company to company, the CISO and
management should prepare a plan
that includes proactive cybersecurity
assessments of the company’s network
and systems, builds employee
awareness of cybersecurity risk and
requires periodic training, manages
engagements with third parties that
are granted access to the company’s
network and information, builds an
incident response plan, and conducts
simulations or “tabletop” exercises to
practice and refine that plan. The board
should further consider incentivizing
the CISO and management for company
compliance with cybersecurity policies
and procedures (e.g., bonus allocations
for meeting certain benchmarks) and
create mechanisms for holding them
responsible for noncompliance.

(c) Monitor compliance. With an enterprise-wide cybersecurity risk management plan firmly in place, boards of directors should direct that management create internal and external controls to ensure compliance and adherence to that plan. Similar to internal financial controls, boards should direct management to test and certify compliance with cybersecurity policies and procedures. For example, assuming that management establishes a policy that software patches be installed within 30 days of release, management would conduct a patch audit, confirm that all patches have been implemented, and have the CISO certify the results. Alternatively, boards can also retain independent cybersecurity firms that could be engaged by the board to conduct an audit, or validate compliance with cybersecurity policies and procedures, just as they would validate financial results in a financial audit.

(d) Adequate resource allocation. With
information in hand about what the

that risk. Appointing a CISO has an additional benefit. Reports suggest that companies that have a dedicated CISO detected more security incidents and reported lower average financial losses per incident.8

Boards should also task a committee
or subcommittee with responsibility
for cybersecurity oversight, and devote
time to getting updates and reports
on cybersecurity from the CISO on
a periodic basis. As with audit
committees and accountants, boards
can improve oversight by recruiting
a board member with aptitude for
the technical issues that cybersecurity
presents, and placing that individual on
the committee/subcommittee tasked
with responsibility for cybersecurity
oversight. Cybersecurity presentations,
however, need not be overly technical.
Management should use established
analytical risk frameworks, such as the
National Institute for Standards and
Technology “Framework for Improving
Critical Infrastructure Cybersecurity,”
(usually referred to as the “NIST
Cybersecurity Framework”) to assess
and measure the corporation’s current
cybersecurity posture. These kinds
of frameworks are critical tools that
have an important role in bridging
the communication and expertise gaps
between directors and information
security professionals and can also
help translate cybersecurity program
maturity into metrics and relative
relationship models that directors are
accustomed to using to make informed
decisions about risk. It is principally
through their use that directors can
become sufficiently informed to
exercise good business judgment.

(b) Plan implementation and
enforcement. Boards should require that
management implement an enterprise-wide
cybersecurity risk management
plan and align management’s incentives
to meet those goals. Although the



other government-issued identification; (c) financial or credit/debit account number plus any security code necessary to access the account; or (d) health or medical information.

4. Critical infrastructure refers to systems, assets, or services that are so critical that a cyberattack could cause serious harm to our way of life. Presidential Policy Directive 21 (PPD-21) identifies the following 16 critical infrastructure sectors: chemicals, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear, transportation, waste, and wastewater. See Critical Infrastructure Sectors, Department of Homeland Security, available at http://www.dhs.

5. For Delaware corporations, directors’
compliance with their oversight function
is analyzed under the test set out in In re
Caremark Int’l, Inc. Derivative Litig., 698 A.2d
959 (Del. Ch. 1996).

6. See Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). Consistent with Clapper, most data breach consumer class actions have been dismissed for lack of “standing”: the requirement that a plaintiff has suffered a cognizable injury as a result of the defendant’s conduct. That has proven challenging for plaintiffs because consumers are generally indemnified by banks against fraudulent charges on stolen credit cards, and many courts have rejected generalized claims of injury in the form of emotional distress or exposure to heightened risk of ID theft or fraud.

7. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).
8. Ponemon Inst., 2015 Cost of Data Breach Study: Global Analysis (May 2015), http://

company’s cybersecurity risks are,
and an analysis of its current posture,
boards should allocate adequate
resources to address those risks so that
management is appropriately armed
and funded to protect the company.

As criminals continue to escalate the cyberwar, boards of directors will increasingly find themselves on the frontlines of regulatory, class plaintiff, and shareholder scrutiny. Directors are well-advised to proactively fulfill their risk oversight functions by driving senior management toward a well-developed and resilient cybersecurity program. In so doing, board members will not only better protect themselves against claims that they failed to discharge their fiduciary duties, but will strengthen their respective organizations’ ability to detect, respond, and recover from cybersecurity crises.

1. SEC Commissioner Luis A. Aguilar,
Remarks at the N.Y. Stock Exchange,
Boards of Directors, Corporate Governance
and Cyber-Risks: Sharpening the Focus
(June 10, 2014).

2. Press Release, Nat’l Assoc. of Corp.
Dir., Only 11% of Corporate Directors
Say Boards Have High Level of Cyber-
Risk Understanding (June 22, 2015)

3. Personal information is defined under a
variety of federal and state laws, as well
as industry guidelines, but is generally
understood to refer to data that may be
used to identify a person. For example,
state breach notification laws in the U.S.
define personal information, in general,
as including first name (or first initial)
and last name, in combination with
any of the following: (a) social security
number; (b) driver’s license number or


Fish & Richardson P.C. – Gus P. Coldebella,
Principal and Caroline K. Simons, Associate

Where cybersecurity meets
corporate securities: The SEC’s
push to regulate public companies’
cyber defenses and disclosures

The risks associated with cyberattacks are a large and
growing concern for American companies, no matter the
size or the industry. If a company is publicly traded, however,
there’s a significant additional impetus for executives’
cyber focus: the ever-increasing attention the U.S.
Securities and Exchange Commission (SEC) pays to
cybersecurity issues. The SEC, as one of the newest government
players in the cybersecurity space, is flexing its
regulatory muscles—including by mandating and scrutinizing
cybersecurity risk disclosures, prodding companies
to disclose additional information, and launching
investigations after a breach comes to light.

This chapter explores the SEC’s expanding role as
cyber regulator and the growing nexus between cybersecurity
and corporate securities. It gives companies a
primer on the background and sources of the SEC’s cyber
authority, discusses tricky disclosure and securities regulation-related
issues, and provides a potential framework
for companies to think about whether, how, and when
they should publicly disclose cybersecurity risks, and—
when the inevitable happens—cyberattacks.

■ The SEC’s authority to regulate cybersecurity
Generally, a company’s duty to disclose material information
under U.S. securities laws arises only when a
statute or SEC rule requires it, and currently, no existing
laws or rules explicitly refer to disclosure of cyber risks
or incidents. Even so, the SEC has made it clear that it
will use authorities already on the books to promote
cybersecurity in public companies. During the SEC’s
March 2014 “Cybersecurity Roundtable,” Chairman
Mary Jo White said that, although the SEC’s “formal
jurisdiction over cybersecurity is directly focused on
the integrity of our market systems, customer data protection,
and disclosure of material information, it is



■ Contours of the SEC’s staff guidance
Taking its cues from Regulation S-K, the
Guidance details the key places where cybersecurity
disclosures may appear in a company’s
10-Ks and 10-Qs. The main focuses
are as follows:

• Risk factors. The company’s risk factors
are the central place for cyber disclosure.
If cybersecurity is among the most
significant factors making investment
in the company risky, the risk factor
disclosure should take into account
“all available relevant information” from
past attacks, the probability of future
attacks occurring, the magnitude of
the risks—including third-party risk,
and the risk of undetected attacks—
and the costs of those risks coming
to pass, including the potential costs
and consequences resulting from
misappropriation of IP assets, corruption
of data, or operational disruption. The
risk factor should also describe relevant
insurance coverage.

• MD&A. If the costs or other consequences
of a cyberattack represent a material
trend, demand, or uncertainty “that is
reasonably likely to have a material effect
on the registrant’s results of operations,
liquidity, or financial condition or would
cause reported financial information
not to be necessarily indicative of future
operating results or financial condition,”
the company should address cybersecurity
risks and cyber incidents in its
Management’s Discussion and Analysis
of Financial Condition and Results of
Operations (MD&A).

• Description of business. If one or more
cyber incidents materially affected the
company’s products, services, customer
or supplier relationships, or competitive
conditions, the Guidance suggests
disclosure in the “Description of Business”

• Legal proceedings. If any litigation arose as
a result of a cyber incident, the Guidance
suggests disclosure if material.

incumbent on every government agency to
be informed on the full range of cybersecurity
risks and actively engage to combat
those risks in our respective spheres of
responsibility.” In other words—formal
jurisdiction notwithstanding—the SEC
will use every tool it has to combat cyber

To divine the SEC’s position on cybersecurity,
companies and experienced counsel
may look to a patchwork of non-binding staff
guidance, SEC officials’ speeches, and especially
staff comment letters on companies’
public filings. Given that cyber disclosures
can have an effect on corporate reputations
and stock price, give would-be attackers
information about vulnerabilities, and trigger
shareholder and other litigation and
government investigations, companies
anguish over exactly when, what, and how
much to disclose. To answer these questions,
it is crucial to understand the background
and contours of existing requirements and
the SEC’s expectations.

■ History and background of the SEC’s
cybersecurity oversight

In May 2011, Senator Jay Rockefeller sent a
letter to then-SEC Chairman Mary Schapiro
urging the SEC to “develop and publish
interpretive guidance clarifying existing
disclosure requirements pertaining to information
security risk.” Rockefeller, frustrated
with Congress’s inability to pass cybersecurity
legislation, identified the SEC’s control
over corporate public disclosure as a vehicle
to promote security in the absence of legislation.
Five months after the Rockefeller letter,
in October 2011, the Division of Corporation
Finance (the “Division”) issued CF Disclosure
Guidance: Topic No. 2 (the “Guidance”). Even
though it’s not an SEC rule itself, the
Guidance announced the Division’s view
that—“although no existing disclosure
requirement explicitly refers to cybersecurity
risks and cyber incidents”—existing SEC
rules, such as Regulation S-K, “may impose”
obligations to disclose cybersecurity and cyber
events in a company’s periodic reporting.



staff comments have consistently urged
companies to disclose past data breaches
that are not material, even in the face of
companies’ well-reasoned positions to the
contrary. For instance, Amazon resisted
disclosing a past cyberattack at its subsidiary
Zappos because it said the entire
Zappos operation was not material to
Amazon’s consolidated revenues. SEC
staff pushed Amazon to disclose it anyway,
to place the risk factor “in appropriate
context.” A version of this comment
appears in letter after letter. By first mandating
cybersecurity risk factors via the
Guidance, and then urging even non-material
incidents to be included in those
risk factors for “context,” the staff appears
to be pushing for disclosure of past cyber
events notwithstanding materiality.

Trend 2: Staff will research cyber incidents—
and ask about them. Division staff is independently
monitoring breaches and comparing
them with company disclosures.
When a breach has been reported by a
company or in the press, but there is no
concomitant disclosure in the company’s
filings—especially where the company has
already acknowledged susceptibility to
attack as a risk factor—the staff will likely
notice. Citigroup discovered this when the
staff referred to press reports about a 2011
breach that supposedly affected 360,000
credit card accounts and asked why no
10-Q disclosure was made. The staff’s
practice is to ask for analysis supporting
the conclusion that no further disclosure is
necessary, including a discussion of materiality
from a financial and reputational
risk standpoint. Moreover, when a company
discloses that a particular kind of
potential breach may be material, the
staff’s comment letter almost always asks
the company to disclose whether that kind
of breach has already occurred—and if it
has, to disclose it, material or not (see
Trend 1). Taken together, these trends suggest
that the SEC may be using its authority
to make up for the lack of a federal
breach notification law.

• Financial statements. If significant costs
are associated with cyber preparedness
or remediation, they should appear in the
company’s financial statements.

■ SEC post-guidance practice
Of course, guidance is just guidance unless
the SEC, through its actions, gives it teeth.
And the SEC has. Under Sarbanes-Oxley,
the Division reviews every public company’s
reports at least once every three years,
and the Division has focused intensely
on cyber disclosures since the Guidance—
especially risk factor disclosures.
Responding to a follow-up letter from
Senator Rockefeller requesting that
the SEC enshrine the Guidance as a formal
SEC rule, Schapiro’s successor Mary Jo
White took pains to stress that active staff
review of cybersecurity—using existing
disclosure rules—was an SEC priority.
In her May 1, 2013 letter, White revealed
that the Division had already issued
approximately 50 cyber-related comment
letters. And many more have been sent
since then. Google, Amazon, AIG, Quest
Diagnostics, and Citigroup are just some of
the scores of public companies that
received letters from staff urging enhanced
disclosures of their cyber risks. The lessons
we can learn from those exchanges are
detailed below.

■ Tips for preparing 10-K and 10-Q cyber

According to a recent survey by Willis,
87% of Fortune 500 companies claim to
have complied with the Guidance. The
SEC’s “enforcement” of it through comment
letters has given it the muscle and
imprimatur of a rule. Certain noteworthy
trends that emerge from these letters

Trend 1: Staff pushes for all cyber incidents
to be disclosed—material or not. Materiality
is the touchstone of disclosure. Even so,
and even though the Guidance calls for
disclosure of “cyber incidents… that are
individually, or in the aggregate, material,”



enumerated material corporate events, such
as termination of executive officers or changes
in auditors, must be reported on a “current
basis” on Form 8-K. However, no currently-existing
securities law or rule expressly
requires cyberattacks—material or otherwise—
to be reported on Form 8-K. Generally,
reporting cyber events is entirely voluntary.
Companies that do so use Form 8-K’s Item
8.01, “Other Events,” which is used to voluntarily
report events that the company considers
to be of importance to investors. Public
companies must navigate issues such as
materiality, selective disclosure, trading, and
effect on stock price, all in an environment
where disclosure of a cyber event is almost
sure to draw a lawsuit, a government investigation,
or other unwanted scrutiny. No one-size-fits-all
answer exists—it is almost always
a judgment call. In this section, we detail
some of the questions and analysis that companies
should consider regarding whether to
disclose an attack on Form 8-K, and if so,
when. One way to think about these questions
is outlined in the decision tree on the
next page (Figure 1).

Why consider disclosure if you don’t have
to? Even if no rule mandates disclosure,
companies and experienced counsel know
that there are frequently upsides to disclosure—
especially in a world where securities
litigation, derivative suits, and enforcement
actions are lurking. Instead of provoking
shareholder litigation, might an
announcement ward it off? Can an 8-K
eliminate a plaintiff’s or regulator’s argument
that an insider traded on the basis of
material non-public information? The chart
on the next page (Table 1) lays out some of
the possible advantages—along with the
more well-known disadvantages—that companies
should consider.

Is the cyberattack material? The determination
of whether a cyber event is material is
not clear-cut. First, the Supreme Court has
rejected a bright-line, quantitative rule for
materiality—instead reaffirming Basic v.
Levinson’s formulation that any nonpublic
information that significantly alters the total

Trend 3: Staff is interested not only in the
disclosure, but the pre-disclosure process. As
Chairman White has stated, even with the
absence of a direct law or regulation directly
compelling companies to adopt strict
cybersecurity measures, the SEC is exercising
its power to indirectly prod companies
to analyze and strengthen their cybersecurity
programs through issuing disclosure
guidance and bringing investigations,
enforcement actions, and litigation against
companies that fall short. In this way the
SEC has taken on a larger mission than
simply requiring disclosure—it is using its
existing authorities to steer companies to
engage in a deep, searching process to
evaluate cyber risk. Whether or not you
think the SEC is the appropriate regulator
of this area, such a searching analysis is
important to securing a company’s digital
assets. Management should engage in and
document its analysis of the effects of cyber
incidents on the company’s operations,
with special attention to probability of
various types of attacks and their potential
cost, from a quantitative and qualitative
standpoint. It should do so not just to
weather the storm of a possible SEC inquiry,
but because such an analysis brings necessary
executive-level oversight to a crucial
area of enterprise risk.

Trend 4: Third-party risk is on the staff’s mind.
Staff is encouraging companies to look
beyond their four walls to the cyber risk
posed by the use of vendors. Staff will ask
whether the company’s vendors have experienced
cyberattacks, and request assessment—
and disclosure—if a breach at a third-party
vendor could have a material effect on the
company. The SEC likely believes that if
public companies are required to disclose
risks in their supply chain in addition to their
own, third-party cybersecurity will improve
as a result.

■ In the heat of battle: 8-K disclosure
questions during an attack

Of course, 10-Ks and 10-Qs are not the only
reports public companies produce—certain



[Figure 1: Fish & Richardson 8-K Disclosure Decision Tree. Questions in the tree: Is it material? Does the cost and consequence of the breach substantially affect you or your financial outlook? Does it make prior statement misleading? Will insiders trade while in possession of this information? Is there a separate obligation to disclose? Is there a potential Regulation FD issue? Will you disclose anyway via website, to third parties, etc.? Is discovery of the breach (by the gov’t or public) likely or inevitable? Will the disclosure itself harm the company? Will it trigger securities or other litigation or investigations?]



Pros

1. May eliminate potential class
plaintiffs’ argument that
information was not known
to the market or was not
adequately disclosed, cutting
off potential securities claims
to the date of the 8-K

2. May counter allegations that
insiders were trading on
basis of material nonpublic
information about the breach
(so long as insider trades
happen after 8-K issued)

Cons

1. If incident is truly not material and
was not going to be discovered,
could needlessly cause reputational
harm and draw litigation and other
unwanted scrutiny

2. May be seen as concession that
incident was material (although
companies frequently disavow
materiality in 8-K), and even if not
material, may make incident seem
bigger than it is



mix of information available to shareholders
could well be material. Second, even when
the scope of an attack has come into focus,
the effects of cyberthefts are frequently hard
to quantify. Although it is relatively easy for
a company to decide to announce a breach of
customer personal information (because the
breach will likely have to be disclosed under
state law and because remediation costs may
be significant), what should a company do
about, for example, theft of trade secrets,
such as source code for a big-selling software
product? Without more (such as the thieves’
development and marketing of a competing
product), such a theft may not have a material
effect on the company’s financial statements.
Adding to the difficult nature of this
inquiry: companies must be aware that an
initial determination that the event is not
material—if the event later becomes public—
is likely to be critically reexamined with
20/20 hindsight, months or years after the
event, by shareholders, plaintiffs’ lawyers,
regulators, and the press. So careful analysis
and documentation of the company’s determination
are important.

Is there a duty to correct or to update? If the
company made public statements about its
information systems or other aspects of its

operations affected by a cyberattack, and the
statements were inaccurate or misleading
when made, the company has an obligation
to correct the statements—even if it only
learned of the inaccuracy afterwards. Failure
to comply with this “duty to correct” can provide
plaintiffs’ lawyers with fodder for
a suit alleging that purchasers or sellers relied
on the inaccurate statement to their detriment.
Moreover, even if the company’s forward-looking
statements were accurate when
made, some courts have found a “duty to
update” when circumstances change (such as
when an attack happens), and the forward-looking
statement becomes inaccurate.

Do you have another legal obligation to disclose?
Other disclosure requirements may be
at play, such as any state notification laws that
require companies to inform affected individuals
if their personally identifiable information
(PII) was stolen during an attack. If the
company is listed on an exchange such as
NYSE or NASDAQ, the trading markets
themselves may also have rules requiring
timely notification of material events. Frankly,
it is easier for a company to decide to announce
a data breach on Form 8-K—and to accrue the
benefits to filing an 8-K—if it is going to disclose
for another reason, or already has.


Pros

3. Can eliminate a potential Reg
FD selective disclosure issue if
company has to reveal incident
to employees, third parties,

4. Quick, full disclosure may stave
off regulatory scrutiny (but see

5. Allows company to own the
message, rather than giving
control of the message to
someone else

Cons

3. May trigger stock price drop—and if
so, likely to draw shareholder litigation
claiming that pre-8-K disclosures were
materially misleading

4. Even if no stock price drop, may
draw other types of litigation and
regulatory scrutiny

5. Could draw other hackers to test
company’s defenses


window for insiders. Even after the incident’s
details are known, if the company is
leaning against declaring the incident
material, the question is whether to disclose
the incident—material or not—on
Form 8-K, so no later allegation of insider
trading can stick. (Of course, if the incident
is material, no trading by insiders should
occur until information about the incident
is made public.)

When to disclose? The decision to disclose
is only half of the 8-K equation—another
question is, when? Target took two months
after the world knew of its massive data
breach to issue an 8-K; Morningstar, which
releases an 8-K regularly on the first Friday
of every month, disclosed its 2012 breach a
little more than one month after becoming
aware of it. Some companies, such as health
insurer Anthem, choose instead to wait
until the next periodic report. A challenge
facing a victim company is to balance the
benefits of prompt disclosure against the
potential downsides. Because a disclosure
should be accurate and not misleading
when made, a company should grasp the
scope of the cyber incident before disclosing.
In a typical breach, however, it is rare
for an entity to be able to immediately
assess the attack’s scope—investigations
take time. Therefore, a factor to consider in
deciding when to disclose is the pace and
progress of the post-breach investigation,
which will allow the company to understand
the extent of the attack. A company
confronts an unenviable disclosure dilemma:
disclose based on the state of the world
as you know it right now, and later be
accused of not telling the whole story? Or
disclose when you have a better grasp of
what actually happened, but face accusations
of allowing earlier (and potentially
rosier) cybersecurity disclosures to persist
uncorrected? Generally, companies should
resist falling into the immediate disclosure
trap, because in our experience a cyber
incident looks very different at the end of
the first week than it does at the end of the
first day. Furthermore, the company will

Are you going to disclose anyway? Is the
incident likely to become widely known? Absent
a mandatory disclosure requirement, a
company may still have reasons to disclose
the attack to stakeholders. There may be
contractual obligations to customers or
other third parties to communicate about
breaches involving their information. Even
without a contractual obligation, a breach
may affect a company’s vendors, suppliers,
or partners, and the company may choose
to disclose the incident to them. A sound
operating assumption is that once the company
discloses an incident to even a single
third party, it is likely to become widely
known. Thus, the company should have
a coordinated, unified disclosure strategy
to ensure that all interested parties are
informed in a consistent manner, and very
close in time. Companies can use affirmative
disclosure to mitigate any reputational
harm or embarrassment that could arise
from having the narrative created on your
behalf by the media, security researchers,
hacktivists, or worse.

Any such disclosure raises potential issues
under the SEC’s Regulation Fair Disclosure,
or Reg FD. Reg FD prohibits companies from
selectively disclosing material non-public
information to analysts, institutional investors,
and certain others without concurrently
making widespread public disclosure. Many
companies that communicate with third
parties—as did J.P. Morgan after its October
2014 breach—will issue a Form 8-K to make
sure their communications do not violate
Reg FD. It is worth considering whether disclosures
on a company’s website, or otherwise
to customers, vendors, or other parties,
trigger a Reg FD requirement.

What to do about trading? Another reason
that the materiality determination is a
tricky one is that insiders in possession of
material nonpublic information may not
trade while in possession of that information.
If there is even a chance that the cyber
incident may be material, an early call that
a public company general counsel must
make is whether to close the trading



revealed that the SEC was among the government
agencies investigating the 2013
data breach, including “how it occurred, its
consequences, and our responses.”

With the growing threat of cyberattacks
and mounting pressure from Congress and
the public, future regulatory and enforcement
actions are almost assured. Companies
should be prepared for additional scrutiny,
review their existing disclosures in light of
the Guidance and the SEC’s stated priorities,
and apply these principles to the public
disclosure and related questions that
will arise post-breach.

not want to have to correct itself after making
its cyber disclosure—it will want to get
it right the first time.

■ SEC cybersecurity enforcement
The SEC has not yet brought an enforcement
action against a public company
related to its cybersecurity disclosures. It
has, however, opened investigations looking
not only into whether companies adequately
prepared for and responded to
cyber incidents but also as to the sufficiency
of their disclosures relating to the breaches.
Target’s February 2014 Form 8-K filing


Internet Security Alliance, NACD – Larry Clinton, CEO
of ISA and Ken Daly, President and CEO of NACD

A cybersecurity action plan
for corporate boards

With the majority of cyber networks in the hands of the
private sector, and the threats to these systems apparent and
growing, organizations need to create an effective method
to govern and manage the cyber threat. This responsibility
ultimately falls to the corporate board of directors. In fact, the
word cyber is derived from the same Greek word, kybernan,
from which the word govern also derives.

■ How is cyber risk different from other corporate risks?
Although corporate boards have a long history of managing
risks, the digital age may create some unique
challenges. To begin with, the nature of corporate asset
value has changed significantly in the last 20 years.
Eighty percent of the value of Fortune 500 companies
now consists of intellectual property (IP) and other

With this rapidly expanding “digitalization” of assets
comes a corresponding digitalization of corporate risk.
However, many of the traditional assumptions and understandings
about physical security don’t apply to securing
digital assets.

First, unlike many corporate risks, such as natural disasters,
cybersecurity risks are the product of conscious
and often better-resourced attackers, including nation
states and state affiliates. This means that the attack
methods, like the technology, will change constantly,
responding to defensive techniques and often in a highly
strategic fashion. This characteristic of cyberattacks
means that the risk management system must be a
dynamic 24/7/365 flexible process—a full team sport—
requiring participation from all corners of the organization
rather than being the primary responsibility of any
one particular entity.

Second, with many traditional human-based corporate
risks, such as criminal activity, companies can plug into a



However, many digital technologies and
business processes that drive business economies
come with major cybersecurity risks,
which as discussed elsewhere (see Chapter 6),
can put the corporation at a long-term catastrophic
risk.

This means that cyber risk must be considered
not as an addendum to a business
process or asset, but as a central feature of
the business process. In the modern world,
cybersecurity is as central to business
decisions as legal and financial considerations.
Thus, a board’s consideration of
fundamental business decisions such as
mergers, acquisitions, new product development,
partnerships, and marketing
must include cybersecurity.

■ Are corporate boards concerned about

Although some critics have assumed that the
publicity from high-profile corporate breaches
is prima facie evidence of corporate inattention
to cybersecurity, the evidence does not
support that proposition.

Corporate spending on cybersecurity has
doubled over the past few years and now
totals more than $100 billion a year. By comparison,
the total annual budget for the U.S.
Department of Homeland Security is only
about $60 billion—including TSA and
immigration—with only $1 billion for cybersecurity.
Total U.S. government spending on
cybersecurity is generally estimated to be
near $16 billion. Moreover, recent surveys
indicate cybersecurity now tops the list of
issues corporate boards must face—replacing
leadership succession, and two thirds of
board members are seeking even more time
and attention paid to cybersecurity.

Although the data seems to show conclusively
that corporate boards are aware of
and becoming ever more interested in cybersecurity,
the novelty and complexity of the
issue has led to a fair amount of uncertainty
as to how to approach it.

One recent survey found that despite the
“spotlight on cyber security getting brighter”
that nearly half of directors had not discussed
the company’s crisis response plan

well-defined legal superstructure including
enforcement power, which can greatly assist
the organization in defending itself.
Unfortunately, in the cyber world this system
is dramatically underdeveloped. In
addition to the major problem of many
attackers actually receiving state support,
the international criminal legal system has
not evolved to the point where there is anything
close to the cooperation and coordination
generally available in the physical
world. As a result, current estimates are that
law enforcement is able to apprehend and
convict less than 2% of cyber criminals.

Third, corporate cybersecurity is not confined
to traditional corporate boundaries.
Whereas in the physical world a particularly
conscientious organization might be able
to defend itself by having an especially strong
security perimeter, the cyber world is essentially
borderless. A fundamental characteristic
of cyber systems is that they are interconnected
with other, independent systems. For
example, the highly publicized breach of
Target was accomplished by exploiting vulnerabilities
in Target’s air conditioner vendor.
In another well-publicized case, a well-defended
energy installation was compromised
by malware placed on the online menu
of a Chinese restaurant popular with employees
who used it to order lunch. This means
that a board must consider not only their
“own” security but that of all the entities with
whom they interconnect, including vendors,
customers, partners, and affiliates.

Fourth, unlike many physical risks, in
which the security effort is to create a perimeter
around an asset, so many modern corporate
assets are in fact digital. Cyber risk
must be considered as an integral part of the
business process. A good deal of modern
corporate growth, innovation, and profitability
is inherently tied to digital technology.
Rare is the entity that has by now not built
the benefits of digitalization into their business
plan in many different ways, including
online marketing, remote business production,
employee use of personal mobile
devices, cloud computing, big data, outsourced
process, and off-site employment.



free, even as a goal. The goal is to keep your
system healthy enough so that you can fight
off the germs that will inevitably attack it.
When you do get sick, as we all eventually
do, you detect and understand the infection
promptly and accurately and get access to
the appropriate expertise and treatment so
that you can return to your normal routine as
soon as possible—ideally wiser and stronger.

Thinking of cybersecurity narrowly as an
IT issue to be addressed simply with technical
solutions is a flawed strategy. The single
biggest vulnerability in cyber systems is
people. Insiders, whether they are poorly
trained, distracted, angry, or corrupted, can
compromise many of the most effective technical
solutions.

Building on the NACD model, the Institute
of Internal Auditors (IIA) extended NACD’s
principle 1 by commenting that the board
should receive an internal annual health
check of the organization’s cybersecurity
program that covers all domains of the
organization’s cybersecurity, including an
assessment of whether the enterprise risk levels
have improved or deteriorated from year to
year, and comments specifically that
“Sarbanes-Oxley compliance provides little
assurance of an effective security program
to manage cyber risks.”

2. Directors must understand the legal
implications of cyber risk.

The legal situation with respect to cybersecurity
is unsettled and quickly evolving.
Boards should be mindful of the potential
legal risks posed to the corporation and
potentially to the directors on an individual
or collective basis. For example, high-profile
attacks may spawn lawsuits, including
shareholder derivative suits alleging that the
organization’s board neglected its fiduciary
duty by failing to take steps to confirm the
adequacy of the company’s protections
against breaches of customer data. To date
juries have tended not to find for the plaintiffs
in these cases, but that could change
with time and boards need to be aware of the
risk of court suits.

in the event of a breach, 67% had not discussed
the company’s cyber insurance coverage,
nearly 60% had not discussed engaging
an outside cybersecurity expert, more
than 60% had not discussed risk disclosures
in response to SEC guidance, and slightly
more than 20% had discussed the National
Institute of Standards and Technology
(NIST) cybersecurity framework.

■ A corporate board action plan
for cybersecurity

In an effort to fill the gap between awareness
and targeted action, The National Association
of Corporate Directors (NACD), in conjunction
with AIG and the Internet Security
Alliance, published their first Cyber Risk
Oversight Handbook for corporate boards in
June 2014. The handbook was the first private
sector document endorsed by the U.S.
Department of Homeland Security as well as
the International Audit Foundation and is
available free of charge either through DHS
or NACD. It identified five core principles
for corporate boards to enhance their cyber
risk oversight.

The five principles can be conceptualized
into two categories. Principles 1, 2, and 3 deal
with board operations. The final two principles
deal with how the board should handle
the senior management.

1. Understand that cybersecurity is an
enterprise-wide risk management issue.

The board has to oversee management in
setting the overall cyber strategy for the
organization, including how cybersecurity is
understood in terms of the business. It is
critical that the board not approach the topic
simply by thinking, “What if we have a
breach?” Virtually every organization will be
successfully breached. The board has to
understand the issue is how to manage the
risks caused by breaches, not to focus solely
on how to prevent them.

One useful metaphor is to think of corporate
cybersecurity in a similar fashion to how
we think of our own personal health.
Obviously, it is impractical to be totally germ



some boards are now recruiting cyber professionals
for board seats to assist in analyzing
and judging staff reports. Another technique
is to schedule periodic “deep-dives”
for the full board. Many organizations have
delegated the task to a special committee—
often audit but sometimes a risk or even
technology committee—although no one
approach has been demonstrated clearly
superior. A proliferation of committees can
exacerbate the board time problem, and due
care must be paid not to overload any one committee,
such as audit, with issues that are not
inherently in their expertise lane.

Still another technique is to empower the
board with the right questions to ask and
require that the outside or internal experts
answer the questions in understandable terminology.
The NACD Cyber Risk Handbook
provides lists of 5 to 10 simple and direct
questions for board members covering the
key issues such as strategy and operation
readiness, situational awareness, incident
response, and overall board “cyber literacy.”

At minimum, boards can take advantage
of the company’s ongoing relationships
with law enforcement agencies and regularly
make adequate time for cybersecurity
at board meetings. This may be through
interaction with CISOs or as part of the
audit or similar committee reports. More
appropriately, boards, as discussed above,
should integrate these questions into general
business discussions.

The final two principles offered by NACD
focus on how boards should deal with senior

4. Directors need to set an expectation that
management have an enterprise-wide
cyber risk management framework in

It is important that someone be thinking
about cybersecurity, from an enterprise-wide
perspective (i.e., not just IT) every day.
Corporations have introduced a variety of
models, chief risk officer, chief financial
officer, chief operating officer as well as the
more traditional CIO and CISO models. The

Prudent steps for directors to take include
maintaining records of discussions related to
cyber risks at the board and key committee
meetings. These records may include updates
about specific risk as well as reports about
the company’s overall security program and
how it is addressing these risks. Evidence
that board members have sought out specialized
training to educate themselves about
cyber risk may also be helpful in showing
due diligence.

No one standard applies, especially for
organizations that do business in multiple
jurisdictions. Some countries, including the
U.S., have received specific guidance from
securities regulators. Many countries have
passed a variety of laws, some of which may
be confusing or conflicting with mandates in
other countries. It is critical that organizations
systematically track the evolving laws
and regulations in their markets and analyze
their legal standing.

Again, building on the NACD model, IIA
emphasizes that this legal analysis must be
extended to third parties and recommends
that the board get a report of all the critical
data that are being managed by third-party
providers and be sure the organization has
appropriate agreements in place, including
audits of these providers. The board ought
to communicate that a “chain of trust” is
expected with these third-party providers
that they have similar agreements with their
down-stream relationships.

3. Board members need adequate access to
cybersecurity expertise.

Most board meetings are incredibly pressed
for time, and often there are multiple issues
and people who feel they need more board
time. Add to this the fact that most acknowledge
that directors lack the needed expertise
to evaluate cyber risk, and the board is left
with the conundrum of how to get enough
time to become properly educated to address
this serious issue.

One answer is to increase the use of outside
experts working directly with the board
to provide independent assessments. Indeed,



At the people level, it is important to follow
leading practices for managing personnel,
especially with respect to hiring and firing.
Ongoing cybersecurity training is similarly
important and most effective if cybersecurity
metrics are fully integrated into employee
evaluation and compensation methods.

Of special attention is the inclusion of
senior and other executive level personnel
who, research has shown, are highly valued
targets and often uniquely lax in following
through on security protocols.

The asset management process then can
be considered in light of the business practices
that may create liabilities.

For example, the expansion of the number
of access points brought on by the explosion
in mobile devices and the emerging “Internet
of Things” (connecting cars, security cameras,
refrigerators, etc. to the Internet) really
increases vulnerability (see Chapter 6).

Still a different type of vulnerability can
occur in the merger and acquisition process.
Here management may feel pressure to generate
value through the merging of highly
complex and technical information systems
on an accelerated pace. In discussions with
management, the board must carefully
weigh the economics of the IT efficiencies
the company seeks with the potential to miss
or create vulnerability by accessing a system
that is not well enough understood or had its
deficiencies mitigated.

5. Based on the plan, management needs to
have a method to assess the damage of a
cyber event. They need to identify which
risks can be avoided, mitigated, accepted,
or transferred through insurance.

Organizations must identify for the board
which data, and how much, the organization
is willing to lose or have compromised. Risk
mitigation budgets then must be allocated
appropriately between defending against
basic and advanced risks.

This principle highlights the need for the
“full-team” approach to cybersecurity
advocated under principle 4. For example,
the marketing department may determine

important aspect to ensure, however, is that
the risk management is truly organization
wide, including the following steps:

• establish leadership with an individual
with cross-departmental expertise

• appoint a cross-organization cyber risk
management team including all relevant
stakeholders (e.g., IT, HR, compliance,
GC, finance, risk)

• meet regularly and report directly to the

• develop an organization-wide cyber
risk management plan with periodic
tests reports and refinements. At a
more technical level, the Cyber Security
Framework developed by the National
Institute of Standards and Technologies
(NIST) is a useful model.

• develop an independent and adequate
budget for the cyber risk management

One mechanism to implement the framework
is to create a “cybersecurity balance
sheet” that identifies, at a high level, the
company’s cyber assets and liabilities and
can provide a scorecard for thinking through
management progress in implementing the
security system. The balance sheet may
begin with identifying the organization’s
“crown jewels.” This is an important exercise
because it is simply not cost efficient to
protect all data at the maximum level.
However, the organization’s most valued
data must be identified (e.g., IP, patient data,
credit card data). Other corporate data can
be similarly categorized as to its relative
security needs.

The next step is to discuss the strategy for
securing data at each level. This strategy
generally involves a consideration of people,
process, and technology.

At the technology process levels there are
a range of options available with good
research indicating cost-effective methods to
secure lower-level data, thus reserving
deployment of more sophisticated, and
hence costly, measures for the
higher valued data.



that a particular third-party vendor is ideal
for a new product. The CISO may determine
that this vendor does not have adequate
security. Marketing may, nevertheless,
decide it is worth the risk to fulfill the business
plan and presumably senior management
may support marketing, but condition
approval on the ability to transfer some of
this additional risk with the purchase of
additional insurance.

This is an example of the process proceeding
appropriately, wherein cyber risk
is integrated into business decisions consistent
and managed on the front end consistent
with the organization’s business
If an organization follows these principles,
it should be well on its way to establishing
a sustainably secure cyber risk management
system.


Stroz Friedberg LLC — Erin Nealy Cox,
Executive Managing Director

Establishing a board-level
cybersecurity review blueprint

Over the last two years cybersecurity has leaped to the top
of the boardroom agenda. If you’re like most board members,
though, you haven’t had enough time to figure out
how to think about cybersecurity as part of your fiduciary
responsibility, and you’re not quite certain yet what questions
to ask of management. You may even harbor a secret
hope that, like many technology-related issues,
cyberthreats will soon be rendered obsolete by relentless
Don’t count on it. Cybersecurity is taking its place
among the catalog of enterprise risks that demand boardroom
attention for the long term. It comes along with the
digital transformation that is sweeping through virtually
all industries in the global economy. As businesses “digitize”
all aspects of their operations, from customer interactions
to partner relationships in their supply chains,
entire corporations become electronically exposed—and
vulnerable to cyberattack.

Cybersecurity risk is not new. However, in the last two
years multiple high-profile attacks have hit brands we all
trusted with our personal information, making for big
headlines in the media and significant reputational and
financial damage for many of the victimized companies.
What’s more, corporate heads have rolled: CIOs and even
CEOs have departed as a direct result of breaches. The
ripple effect continues. Cybersecurity legislation is a perennial
agenda item for governments and regulators
around the world, and shareholder derivative lawsuits
have struck the boards of companies hit by high-profile
Although directors have added cybersecurity enterprise
risk to their agendas, there is no standard way for
boards to think about cybersecurity, much less time-tested
guidelines to help them navigate the issue. This chapter’s
goal is to help directors evolve their mindsets for thinking



expressed through the following three
high-level questions:

1. Has your organization appropriately
assessed all its cybersecurity-related
risks? What reasonable steps have you
taken to evaluate those risks?

2. Have you appropriately prioritized your
cybersecurity risks, from most critical to
noncritical? Are these priorities properly
aligned with corporate strategy, other
business requirements, and a customized
assessment of your organization’s cyber

3. What actions are you taking to mitigate
cybersecurity risks? Do you have a regularly
tested, resilience-inspired incident response
plan with which to address cyberthreats?

Naturally, these questions are proxies for the
industry-specific and/or situation-specific
questions particular to each organization
that will result in that organization’s most
productive cybersecurity review. The key to
formulating the relevant questions for your
organization is to find the right balance
between asking enough to achieve the assurance
appropriate to board oversight, but not
so much that management ends up spinning
wheels unnecessarily.

The rest of this chapter is a guide to framing
board-level cybersecurity review issues
for your organization by exploring meaningful
ways to apply these high-level questions
in a variety of circumstances and industries.
The next step is yours, or your board’s: use
this blueprint to drive cybersecurity enterprise
risk discussions with management,
critical stakeholders, and external experts.
Doing so will help achieve cyber resilience
for your organization.

■ The board’s cyber resilience blueprint
Boards are very comfortable managing financial
issues and risks. They have audit
committees, they have compensation committees,
their members include former CFOs
(to populate those committees), and they
have plenty of experience reviewing financial

about the enterprise risk associated with
cybersecurity and provide a simple blueprint
to help directors incorporate cybersecurity
into the board’s overall enterprise risk

■ Establishing the right blueprint for
boardroom cybersecurity review

For boards, cybersecurity is an issue of enterprise
risk. As with all enterprise risks, the
key focus is mitigation, not prevention. This
universally understood enterprise risk
guideline is especially helpful in the context
of cybersecurity because no one can prevent all
cyber breaches. Every company is a target, and
a sufficiently motivated and well-resourced
adversary can and will get into a company’s

Consequently, terms like “cyber defense”
are insufficient descriptors of an effective
posture because they evoke the image that
corporations can establish an invincible
perimeter around their networks to prevent
access by bad actors. Today, it’s more accurate
to think of the board-level cybersecurity
review goal as “cyber resilience.” The idea
behind the cyber resilience mindset is that,
because you know network breaches will
happen, it is more important to focus on
preparing to meet cyberthreats as rapidly as
possible and on mitigating the associated

Also important to a board member’s
cybersecurity mindset is to be free from fear
of the technology. Remember, the issue is
enterprise risk—not technical solutions. Just
as you need not understand internal combustion
engine technology to write rules for
safe driving, you need not be excluded from
the cybersecurity risk discussion based on
lack of technology acumen. Although this is
liberating, in a sense, there is also a price:
directors cannot deny their fiduciary responsibility
to oversee cybersecurity risk based
on lack of technology acumen.

Given a focus on enterprise risk (not technology)
and risk mitigation (not attack
prevention), the correct blueprint for cybersecurity
review at the board level can best be



review process, and that these discussions
take place regularly—preferably at every
meeting of the board.

A committee responsible for studying
cybersecurity risk can cover both of these
aspects of participation. With such a
committee, someone on the board (i.e., the
committee chair) becomes the stakeholder
charged with becoming educated about cybersecurity
risk and educating the broader group.
Although the board will never need to know
how to configure a firewall, there is much to
learn about the nature of cybersecurity risks,
their potential impacts on your organization,
and successful mitigation approaches. It may
also be appropriate to appoint a director with
cybersecurity expertise for this purpose.

Establishing such a committee also fulfills
the goal of consistent cybersecurity discussion.
The chair can give a report, arrange for
reports from the CIO or CISO, or facilitate
talks by outside experts on issues around
which additional subject matter expertise
proves useful. Threat intelligence is an example
of an excellent topic for an outside expert
because it’s not a specialty most organizations
have in house or that can be justifiably
developed. A person or organization steeped
in analyzing the tools, approaches, and
behaviors of threat actors can look at your
organization’s profile and provide customized
insight that accelerates the board’s
cybersecurity education.

To empower all directors to engage in
cybersecurity review, board-level discussions
should address issues in the enterprise
risk language with which boards are already
familiar. One requisite, therefore, is that
boards not stand for technical jargon. Even
reports from the CIO should be delivered in
plain language free of specialized terms.

statements and analyzing profit and loss. The
knowns are known and the unknowns are
few, if any.

It is useful to juxtapose this stable, comfortable
picture with the state of board-level
cybersecurity discussion—that is, you may
not yet be certain what questions to ask, or
know what to expect from management’s
responses. To help accelerate you toward the
same level of stability and comfort you have
managing financial issues, the following
board-level cybersecurity review blueprint is
organized into six areas:

1. Inclusive board-level discussion:
empowering all directors to be accountable
for cybersecurity

2. Proactive cyber risk management:
incorporating cybersecurity into all early
stage business decisions

3. Risk-oriented prioritization: differentiating
assets for varying levels of cyber protection

4. Investment in human defenses: ensuring
the organization’s cybersecurity investment
goes beyond technical to include awareness,
education, and training programs for

5. Assessments of third-party relationships:
limiting cyber exposure through business

6. Incident response policies and
procedures: mitigating potential risks
when breaches occur.

1. Inclusive board-level discussion
Given the rapidly growing threat posed by
cybercrime and the potentially devastating
consequences of a major breach, it is critical
that every director have enough of an understanding
of cyber risk to be able to take an
active part in the board’s cybersecurity

Active inclusion, in sum:
• Establish a cybersecurity risk committee, or add the subject to an existing enterprise
risk committee.

• Discuss cybersecurity risk at every board meeting.
• Empower all directors to become educated and comfortable discussing cybersecurity risk.



cybersecurity analysis of the target to their
diligence process; protecting their M&A
process from cyber breaches; and potential
cyber exposure resulting from post-deal

In both of these examples, it should be
clear how challenging it would be to address
cybersecurity concerns after the initiative
gets underway.

3. Risk-based prioritization
Everyone’s resources are limited. Because
there are an infinite number of cybersecurity
measures in which a company can invest,
the trick is to prioritize such measures based
on a customized assessment of the most serious
threats facing your organization. Such
assessments should be approached along
two primary dimensions: your organization’s
most valuable assets and its greatest
cyber vulnerabilities.

Often, your most critical assets are obvious:
payment card data for a retailer, the
script of an upcoming franchise sequel for
a movie studio, the source code at the
heart of a software company’s bestselling
product. Every board’s cybersecurity
review must ask management what measures
are being taken to protect a company’s
most critical assets, beginning with
development and on through production
and distribution. Beyond the most critical
are other assets that require differentiated
gradations of protection. Identifying and
prioritizing those assets is an information
governance challenge, so the board also
has to understand the organization’s information
governance policy and have a
sense for the quality of its execution. Has
the company identified what are sensitive

2. Proactive cyber risk management
It is important to incorporate discussion of
cybersecurity risk in all business decisions,
from the beginning, because it is much
harder and far less effective to consider
cybersecurity after the fact. Whether a decision
has to do with corporate strategy, new
product launches, facilities, customer interaction,
M&A, legal or financial issues, management
should always proactively consider
cybersecurity risk.

As an example, take the white-hot omnichannel
marketing trend, which has retailers
using mobile technology to collect data from
their customers, and then exploiting that
knowledge to better target marketing and
promotions—sometimes, at the moment a
customer walks into the store. Obviously,
such retailers are gathering more information
about their customers than ever before.
How will they protect it? Do the mobile
applications that make these approaches
possible expose their organizations to new
vulnerabilities? No matter how exciting the
revenue-driving opportunity, these are questions
that retail boards should be asking
management as part of the decision to pursue
such initiatives. Management should
respond with some variation of, “Our software
vendor says their security is ‘X,’ and in
addition, we’re doing our own testing to see
how vulnerable the software may be before
we introduce it to our customers.”

Boards should extrapolate the thinking in
the above example to all aspects of their
business decision-making. To apply proactive
thinking to cyber strategy, consider
growth through M&A. Boards should think
through M&A cybersecurity risks in multiple
dimensions. To name three: adding

Proactive cyber risk management, in sum:
• Think about potential cybersecurity risk from the outset of all business initiatives from
corporate strategy to new types of customer interaction.

• Think particularly about new kinds of risk associated with emerging digital business


awareness. Furthermore, investments in
human defenses should be aligned to the
insights from customized threat intelligence
so they are focused on the ‘most
valuable/most vulnerable’ prioritization
discussed in the previous section.

When looking at cybersecurity investment,
board reviews should include classic
IT spending on systems that authenticate
user identity and manage access, as well as
compliance with applicable laws and regulations.
However, that’s just the baseline.
Boards need to think further, to issues such as
the following:

How well does our IT knowledge/expertise
align with the kind of challenges suggested by
our threat intelligence reports?

Are we appropriately augmenting our internal
staff with outside expertise?

Should we hire “white hat” hackers to attack
our networks in search of gaps?

Should we test our employees’ anti-phishing

No matter how well your security technology
works, hackers can always go after the
weakest link—humans—through a combination
of tactics known as social engineering
and spear phishing. The only defense
against these phenomena is enterprise-wide
education. Ongoing education and
awareness programs, such as spear phishing
training, should be part of the cybersecurity
investment. Boards should ask
about, support, and ensure these programs
are aligned with business requirements.

data and where they are being held? What
data are not sensitive and where are they
being held? Are your retention policies
ensuring you keep the information that is
important and throw away everything
else? We’ve all read headlines about
breaches that could have been less sensational
if the victims had better retention

The second dimension—your company’s
cyber vulnerabilities—is where customized
threat intelligence plays a role.
Analyzing your network for weaknesses,
learning where sensitive information is
stored and how it is protected, and assessing
your environment: the competitiveness
of your industry (e.g., how valuable your
intellectual property is to others) and the
way information flows in concert with
business processes (e.g. whether or how
you store sensitive information about consumers
or clients, what countries you do
business in, and what that implies for your

The board’s cybersecurity review should
include discussion of both dimensions, and
the issues should be discussed often—these
risks are not static. They can vary significantly
over time and depend on evolving
Internet connectivity and infrastructure

4. Investment in human defenses
Cyber defense and cyber resilience are as
much human matters as they are matters
of products and technology configurations.
Although security technologies for
protection and response are indeed neces-
sary, boards should also ask about enter-
prise-wide cybersecurity education and

Risk-based prioritization, in sum:
• Optimize limited resources by prioritizing along two dimensions: what’s most valuable
and what’s most vulnerable.

• Ensure the quality of policies and practices around the organization’s approach to
information governance so that all assets are protected appropriately.



5. Assessments of third-party relationships
Those of us paying close attention to the
stories behind 2014’s cyber breach headlines
know that in many cases the so-called “attack
vectors” came through third-party relation-
ships. Bad actors breached a business part-
ner (that likely had weaker security than the
intended target) and then used that part-
ner’s access credentials to break into the tar-
get company.

But this is only one way in which third-
party relationships create security vulnera-
bilities. As business collaboration surges, for
example, the amount of confidential, trade
secret, and intellectual property information
that is being shared among employees of
business partners skyrockets. This electronic
flow of mission critical information, often
across the open Internet, creates an environ-
ment ready-made for economic espionage. It
used to be such cases were a particular thorn
in the side of only a few sectors, such as
defense, energy, and technology. Today, all
kinds of industries are targeted.

A board’s cybersecurity review should
include an understanding of how the organ-
ization conducts cyber due diligence on
third parties. Boards need a clear under-
standing of the third parties their organiza-
tions do business with and must prioritize
those relationships in terms of high, medium,
and low risk. Once a partner is identified
as high risk (e.g., they have access to
your corporate network), that partner’s own
security posture must be understood. How
much visibility does your organization have
into your vendors’ security policies and

practices? Do they respond to your security
questionnaires? Do you have the right to
conduct on-site validations/audits?

Boards also should require IT involve-
ment early in the development of new
business partner relationships. That way,
information access can be better tuned to
the business requirements of the partner-
ship. An HR vendor, for example, may
need access to your employee data, but that
access may not need to be around the clock.
Perhaps it can be controlled and limited to
certain times of the month and/or hours of
the day to limit risk exposure and enable
finely tuned security monitoring.

6. Incident response policies and procedures
Armed with the knowledge that perfect secu-
rity isn’t achievable and breaches are there-
fore inevitable, boards must ensure their
organizations have well-honed policies for
cyber incident response, and must test these
plans with regular simulation exercises.

Good incident response plans define the
roles and responsibilities of the response
team (including crisis communications,
human resources, legal, IT, etc.) and establish
clear initial action items, including notifications
to internal and external resources
who will lead an investigation or manage
communications. Remember, preparing for
the worst is not an admission of a weak or
vulnerable network. On the other hand, a
delayed, bumbling response to a security
breach is what often leads to increased data
loss, exposure to regulatory action, and
reputational damage.

Assessments of third-party relationships, in sum:
Review all business partner relationships for potential cybersecurity vulnerabilities.
Empower IT’s involvement earlier in the development of business relationships.

Human investment, in sum:
Supplement appropriate investment in information security products with continuous
enterprise-wide cybersecurity awareness, education, and training programs.



our risk in a way that is consistent with most
likely attacks?

■ Conclusion: No surprises!
No one likes unpleasant surprises, least of all
corporate boards. The goal of a board’s
cybersecurity review is to avoid being unpre-
pared for a cyber incident. Unfortunately,
experience so far suggests that the only com-
panies with truly top-grade, board-level
cybersecurity plans are those that have expe-
rienced an unpleasant surprise in the form of
a bad breach. They felt the pain once and
don’t ever want to go through it again.

If you follow the board-level cybersecu-
rity review thinking and principles dis-
cussed in this chapter, and partner with
external experts that bring domain-specific
knowledge and skills you may not have in-
house, you can avoid surprises and be pre-
pared to meet risk head on. The review
approach described in this chapter will
enable you to lead your organization’s shift
from a paradigm of discomfort and uncer-
tainty in the cybersecurity risk realm to one
of assurance and comprehensive answers,
facilitated by the board’s regular cyber risk
discussions; from simple perimeter protec-
tion to around-the-clock monitoring and
universally understood incident response;
from lack of cyber risk awareness to enter-
prise-wide awareness led by top-down
C-suite messaging and incentivized
employee behavior.

The blueprint presented in this chapter
can help ensure you truly have your eye on
the cyber risk ball. Obviously, that doesn’t
mean your company won’t be breached.
But if—or when—you are, you will be able
to handle the event with clear-eyed confidence
that the risks have been properly

Two key thoughts boards should keep in
mind when reviewing incident response
plans were noted previously, albeit in a dif-
ferent context. First, it is critical to engage the
entire enterprise in your incident response
plan. IT security professionals can only do so
much if an employee clicks on a spear phish-
er’s link, creating a hole in your network.
Employees can be educated to avoid those
clicks and incented to be first responders—or,
at least, to notice these attempts to breach
your company’s defenses. Employees are on
the front lines of cybersecurity; prompt notice
of a breach from an alert employee can often
significantly mitigate damage. Second, your
organization’s cybersecurity risk environ-
ment is a dynamic, ever-changing thing. Your
incident response plan must be kept up to
date and rehearsed continually, taking evolv-
ing threat intelligence into account.

Appropriate board-level review questions
include the following:

What are the organization’s policies and pro-
cedures to rapidly identify breaches?

How are all employees empowered to monitor
and report/respond?

How are we triaging/escalating once an inci-
dent is detected?

How is incident response integrated into IT

What are we doing to align our cyber respons-
es to business requirements and to ensure that
all parts of the business understand their roles
in the response plan?

How does our response plan match up with
our threat intelligence? Are we characterizing

Incident response, in sum:
• Because breaches will happen, board review must ensure first-class incident response.
• All enterprise employees should be part of the incident response plan.
• Incident response must continually evolve—because threats do.



[Figure: CYBER REVIEW blueprint. Elements: Inclusive Board-Level Discussion; Proactive Cyber Risk Management; Risk-Oriented Prioritization; Investment in Human Defenses; Assessment of Third-Party; Incident Response Policies and Procedures]


Dell SecureWorks – Mike Cote, CEO

Demystifying cybersecurity
strategy and reporting: How
boards can test assumptions

Cybersecurity is one of those issues that justify the state-
ment, “It’s what you don’t know that can hurt you.”
Although board engagement in cybersecurity risk is on
the rise, corporate directors continue to struggle with the
complexity of the subject matter, making it more difficult
for them to assess whether the company’s strategy is
effective. As one public company director recently stated,
“I understand the magnitude of the risk, and I know we
have significant resources decked against it, but as a
board member how will I know if management has the
right measures in place to keep us from being the next
story in the news?”

This chapter does not explain how to eliminate the risk
of a data breach. In fact, one requirement for being resil-
ient against cyberthreats is to accept that breaches will
happen. Nor does this chapter strive to make an expert of
the reader. After all, the board’s job is to provide reason-
able oversight of the risk, not manage it.

What this chapter does do is provide boards with a
framework of inquiry—elements of a mature security
strategy in plain language—to help directors have discus-
sions with management about the company’s overall
resilience against the threats. By understanding these
concepts, directors will have a better context for testing
assumptions when management reports on metrics such
as the effectiveness of breach prevention, breach frequen-
cy, and response time.

■ Background: Who is behind hacking, and why do
they do it?

Before delving into the right strategy for cybersecurity, it
is helpful for boards to first understand the nature of the
threat. Hacking has become a burgeoning global industry
that generates billions of dollars in illicit trade annually.
It’s fueled by a strong reseller’s market in which hackers
sell stolen data to others who possess the desire but not



■ Elements of a mature security strategy . . . in
plain language

1. Determine what needs protecting and who
holds the keys.

Companies begin their journey to resiliency
by identifying and prioritizing the assets they
must protect. What do cyber criminals want
that they can get from us and why? Do
employees handle intellectual property that
could make or break us competitively? Do
we collect personally identifiable information
that cyber criminals could sell to identity
thieves? Do we store customer account
information? How would someone take
command and control of our infrastructure
or systems?

It is equally important to know where
those coveted assets are located. Many
boards are surprised to learn that the infor-
mation security team is fending off hackers
across the entire enterprise, even outside it:
for example, in a supplier’s network, on a
home computer, or on an employee’s iPad,
where he or she just reviewed a proprietary
schematic. Hackers are capable of scanning
for vulnerabilities wherever someone con-
nects to the Internet, and business leaders
must operate under the assumption that
even they are a target.

As with sensitive financial information,
only those who need access to the assets
should have it, and policies should be in place
to ensure stringent controls. Administrator
passwords are gold to cybercriminals, and
increasing the number of people with access
to them effectively multiplies the ways that
hackers can attack.

2. Prevention is not an endgame.

It’s tempting to think that we can eliminate
breaches if we just put more effort into pre-
vention at the front end, but information
security professionals know that eliminating
the possibility of a breach is an unrealistic
goal in today’s environment. Preventative
tools such as firewalls play an essential role
because they provide the first layer of
defense: they ‘recognize’ and stop the threats

the tools to harvest valuable intellectual
property. It’s funded by organized crime and
actors within nation-states that not only
operate beyond any jurisdiction but also
have access to billions of dollars of capital to
invest in these criminal operations.

The robust cyber black market offers sto-
len goods—from credit cards to personal
identities—in large quantities at reasonable
cost. Sellers also offer money-back guaran-
tees on the quality of their goods. Buyers can
obtain tutorials for hacking or for using sto-
len data, and they can even hire subcontrac-
tors to do the dirty work.

It’s not always about the money. From
attacks based on sectarian hate between
nation-states to sabotage from a bitter, laid-
off employee, motivations for hacking run
deep and wide. Anger about environmental
policies and resentment against the excesses
of Wall Street are among other examples.
Whatever their reasons, hackers are focused
on stealing, disrupting, or destroying data
every moment of every day. There are thou-
sands of cyber criminals around the globe.
They work around the clock, for free or for
hire, on speculation or with a known pur-
pose, trying to invent new ways to steal or
harm a company. They have the funding and
technology to be not only persistent but also
highly adaptable, and the barrier to replicat-
ing their cyber weapons is low in contrast to
the physical world. They have the luxury of
always being anonymous, always on offense,
and seldom prosecuted.

Companies, on the other hand, are highly
visible, and by virtue of being connected to
the Internet must operate in an environment
where being attacked by hackers is the
norm. Companies must prevent, detect,
defend against, and take on the threat with-
out the luxury of knowing when they’ll be
attacked, by whom, or on what front.

A mature cybersecurity strategy prepares
for and responds to this challenging envi-
ronment. Breaking that strategy down into
its core elements provides boards with a use-
ful framework for discussing risk assump-
tions with the chief information security
officer.



4. Stay a step ahead: The future won’t look like
the past.

To stay one step ahead of the threat, an infor-
mation security program should also be able
to predict what the adversary will do next.
To make financial predictions, business leaders
apply internal and environmental intelligence
to test assumptions. In the case of
cybersecurity, security teams should apply
“threat intelligence,” which tells them the
intent and capabilities of current, real-world
hackers who may want to harm them.
Gathered from a company’s own environ-
ment and often supplemented with much
broader environmental intelligence from a
third party, threat intelligence can be applied
to cybersecurity technologies and human
procedures. As a result, the enterprise is able
to anticipate the nature of forthcoming
attacks and more effectively allocate limited
resources to stop them.

Companies with the ability to predict can
also defend earlier with less effort and recov-
er faster when a breach occurs. When boards
and management discuss metrics like breach
frequency, response time, and potential
impact, it’s helpful to know if the security
team is applying threat intelligence to help
them make their assumptions.

5. Educate and train vigilant employees.

One of the most important defenses against
cyberattack is an informed, vigilant employ-
ee population. Employees and executives are
often targeted with carefully crafted emails
designed to be relevant to the employee’s
personal or work life. In reality, these phish-
ing emails are often loaded with malicious
code. One click by a less careful individual
can deploy a cyber weapon into the compa-
ny’s network and execute various actions
that shut down critical business functions or
steal information and accounts. Similar tac-
tics may be used over the phone to get
employees to divulge confidential information
such as client lists, which can then be
paired with other stolen data to complete a
set of stolen identities.

we already know about. As we already
established, however, hackers are highly
adaptive. No one piece of technology can
provide a complete defense. A good security
program assumes that at some point preven-
tion will fail and the business will have to
deal with threats in its network.

Detection then becomes the focus.
Companies need the right technology, pro-
cesses, programs, and staff to help them
detect what has happened so that they can
find the threat and respond more quickly
to contain and eradicate it. The question is
not if the hackers will get in but when.
Board members may test this assumption
by asking their security team, “Do we
know if hackers are inside our defenses
right now? How do we know when they
get in?”

3. You can’t defend with your eyes closed.

No one wants to be blindsided. If a compa-
ny’s security team can’t “see” what is hap-
pening on the network and across all of the
endpoints such as work stations, point-of-
sale terminals, and mobile devices, then the
company will have little chance to detect or
respond quickly to an attack when preven-
tion fails. Visibility across the enterprise is an
essential attribute of the cybersecurity strat-
egy because it helps companies respond to
unusual activity more quickly, reducing
down time and related costs.

Business leaders should know that hav-
ing visibility means collecting large amounts
of data from all of those places. Unfortunately
those data are useless if the security team
doesn’t have the bandwidth to analyze and
act on it. The information security industry
has responded to this problem, and services
are available to manage the data, do the
heavy lifting, and sort out what is actionable.
The actionable data can then be fed back to
the information security team to more efficiently
zero in on the threats that need their
immediate attention. Boards may ask if their
security team is managing all the data itself,
and, if so, does it still have the bandwidth to
focus on the actual threats.



7. Measure effectiveness, not compliance.

It is impossible for a company to know how
effective its security program is against real-
world attackers unless it conducts real-world
exercises to test its defenses. Compliance
frameworks can improve rigor in many
areas of cybersecurity, but it is folly to
assume that following a compliance man-
date (or even passing a compliance inspec-
tion) is commensurate with resilience. No
matter how well architected a security pro-
gram is against recommended standards, no
two companies’ environments are alike.

That’s why it is so important to battle-test
one’s own environment. Network security
testing emulates actual hackers using real-
life tactics such as phishing to validate how
well defenses work against simulated
attacks. By learning how hackers penetrate
security defenses, companies can determine
actual risk and resource cybersecurity opera-
tions accordingly. Testing also helps compa-
nies meet compliance mandates. Compliance
should be a by-product of an effective secu-
rity program, not the other way around.

8. Emphasize process as much as technology.

Technology is only half the solution to mak-
ing a company resilient. Breaches can occur
as the result of human and process errors
throughout the enterprise. Take the example
of recent high-profile cases in which weaknesses
in a supply chain or a business partner’s
security allowed hackers to access the
parent company’s network and do significant
damage. Leading practice today is for
companies to insist, by contract, that their
business partners meet the same security

However, what if a business line leader
fails to insist on contract requirements in the
interest of going to market quickly? What
happens when business enablement trumps
security in the far reaches of the business,
where people think, “No harm done”?
Adequate checks and balances should be in
place to ensure that IT security and business
procedures are being executed, and policies

The bottom line is that human behavior
is equally as important as security tech-
nologies in defending against the threat.
Boards should know whether employee
awareness and training programs are in
place and how effective they are. The best
programs will simulate how hackers may
trick an employee and provide on-the-spot
training if the employee falls victim. An
open dialog in these cases helps employees
and the organization as a whole learn from
mistakes. It also builds a culture of security

6. Organize information security teams for

Defending and responding effectively
against cyber adversaries also depends on
manpower and expertise. Technologies
cannot be used to full advantage without
highly skilled people to correlate, analyze,
prioritize, and turn the data into actiona-
ble intelligence that can be used to increase
resilience. A properly organized and
staffed security team needs people with
many different types of expertise and
skills. It requires people to deploy the
technologies, understand what the threats
are, determine what hackers are doing, fix
system and software vulnerabilities, and
counter active threats. Although these
professional capabilities are interdepend-
ent, they are not all interchangeable,
requiring different training and certifica-
tions. Information security leaders also
need the management skills to put the
right governance processes and proce-
dures in place, advocate for security
requirements, and communicate risk to
senior management.

Boards are encouraged to inquire as to
whether the security team has the band-
width and manpower to be able to respond
and remediate a crisis, as well as to handle
day-to-day operations. Security teams
should be organized to focus on what mat-
ters most—immediate threats—and other
resources should be considered where there
are gaps.


element of cybersecurity, but it is a by-product
of a good program, not the measure of effec-
tiveness. Nor is it a guarantee of security, as
illustrated by many recent high-profile
breaches in which companies had already
met the requirements for one compliance
mandate or another.

Difficult decisions about funding can be
made more easily by discussing how exist-
ing resources are allocated. Many business
leaders fear that “we’ll never spend enough,”
but experience shows that a pragmatic
approach to funding the security program is
to focus on effectiveness and prioritization:

• Determine actual vulnerabilities by
regularly testing defenses.

• Detect the perpetrators more quickly by
increasing visibility.

• Predict and mitigate risks more quickly and
efficiently by applying threat intelligence.

• Apply time, attention, and funding

Companies may also want to consider third-
party providers to monitor, correlate, and
analyze the massive quantity of data that a
mature security program generates. This
allows valuable, and sometimes scarce,
human resources to focus on the actual
threats. A reputable third party can also pro-
vide the testing that determines effectiveness
and be a helpful validator of the program.

Armed with an understanding of what a
mature security program looks like and how
it plays out across the entire enterprise,
boards will be better equipped to discuss the
company’s current strategy and inquire
about assumptions in the metrics.

should hold relevant business leaders and
employees accountable for implementation.
How do you know when procedure isn’t followed?
Real world testing confirms not only
the effectiveness of your defenses but also
the process, policies, and procedures that
keep those defenses in place, operational
and optimized for resilience.

■ Summary: A framework for oversight
By the very nature of being connected to
the Internet, companies are targeted 24/7,
365 days a year by anonymous, sophisti-
cated hackers who strive to steal from or
harm the business and its employees. That
ongoing challenge is taking place across
the entire enterprise, not just on the net-
work, so it’s important to remember that
we all play a role in managing the risk:
employees, business partners, and even
board members. There is no silver bullet
piece of technology that will eliminate all
danger, and being resilient is just as
dependent on people and process as it is on
technology. A cybersecurity ‘win’ in this
environment is defined as how effectively
and efficiently the company finds and
removes threats from its environment and
whether it remains fully operational in the

Cybersecurity risk is an enterprise risk,
not a function of IT. For boards to provide
reasonable oversight they’ll have to under-
stand what the company is protecting,
inquire about how well the company is
organized to defend those assets, and explore
whether it has the manpower and capabili-
ties to respond and remediate in the event
of a breach. Compliance is an important



Palo Alto Networks Inc. – Davis Hake,
Director of Cybersecurity Strategy

The CEO’s guide to driving better
security by asking the right questions

I recently met with a chief information officer (CIO)
whose chief executive officer (CEO) had just taken a striking
and dramatic interest in cybersecurity. He had read an
article in the paper about cyberthreats to major corpora-
tions and wanted to know what his own company was
doing to solve the specific problem described in the article.
The CIO was incensed, because the question would
inevitably force him to shift priorities for his already
overworked team to an issue that had little to no effect on
their actual security efforts. There is an old saying in the
disaster response community that you shouldn’t exchange
business cards during an emergency. In essence, you need
to familiarize yourself with the risks and relevant people
before an emergency so security teams are not blown in
different directions depending on the new security scare
of the day.

Similarly, CEOs cannot familiarize themselves with
cybersecurity narrowly through the lens of a single inci-
dent that occurs on their network or with one of their
competitors. The danger in responding to a singular event
or threat in isolation—or daily incidents we read about in
the press—is that this is a reactive approach rather than a
holistic, risk-based approach. Cybersecurity is the poster
child for this phenomenon. Executives know that there is
a newfound focus on cybersecurity at the boardroom
level—incidents like Target’s 2013 data breach have been
a wake-up call for many—but there is often still a severe
lack of understanding about the real risks behind the
headlines. The statistics also back up the magnitude of
these anecdotes.

A recent New York Stock Exchange (NYSE) and
Veracode survey looking at boardroom attention to cyber-
security found 80 percent of participants said it is dis-
cussed in most or every boardroom meeting. They noted
specifically that “responsibility for attacks is being seen as



common problems such as a lack of invest-
ment, absence of high-level strategy, and
failure to integrate into business operations
still plagued many organizations struggling
to address cyberthreats. Seeing this tension
in many of the organizations they were brief-
ing on cyberthreats, the U.S. Department of
Homeland Security worked with current
and former executives to help capture five
simple questions that a CEO could ask his or
her technical team, which would also drive
better security practices. They are:

1. What is the current level and business
impact of cyber risks to our company?
What is our plan to address identified

2. How is our executive leadership informed
about the current level and business
impact of cyber risks to our company?

3. How does our cybersecurity program
apply industry standards and best

4. How many and what types of cyber
incidents do we detect in a normal week?
What is the threshold for notifying our
executive leadership?

5. How comprehensive is our cyber incident
response plan? How often is the plan

The team that coordinated the Cybersecurity
Framework also provided key recommenda-
tions to leadership, to align their cyber risk
policies with these questions. First and fore-
most, it is critical for CEOs to lead incor-
poration of their cyber risks into existing risk
management efforts. Forget the checklist
approach; only you know the specific risk-reward
balance for your business, so only
you can understand what is most important
to your company. It seems simple, but with
cybersecurity, the default practice tends to
be for organizations to silo considerations
about risks into a separate category apart
from thinking about their valuable assets.
You have to start by identifying what is most
critical to protect and work out from there.
The process of aligning your core value with
your top IT concerns is a journey and is not

a broader business issue, signaling a shift
AWAY from the chief information security
officer (CISO) and the IT security team.”
Where is this shift moving to? “When a
breach does occur, boards are increasingly
looking to the CEO and other members of
the executive team to step up and take
responsibility,” said the authors.

Yet despite this shift in perceived respon-
sibility to the executive level, there does not
appear to be the same drive to connect tech-
nical teams to the board-level focus on con-
cerns about cybersecurity risk. A 2015
Raytheon and Ponemon Institute study of
those with the day-to-day technical respon-
sibility for cybersecurity, CIOs, CISOs, and
senior IT leaders, found that 66 percent of
respondents believe senior leaders don’t
perceive cybersecurity as a priority. What
this means is that while CEOs are increas-
ingly on the hook from their boards for being
savvy about cyber risks, many are not yet
engaging with the necessary parts of their
organization to address cybersecurity issues.

Our hope is that this guide can prime you
to ask productive questions that drive better
people, processes, and technological change
to reduce the risk of successful breaches of
your organization. As the CEO, it is your job
to balance risk and reward within your com-
pany. Cyberthreats are not magic, hackers
are not wizards, and the risks to your specific
organization from a breach can be managed
just like any other risks that you make
decisions about every day. In fact, these risks
can even be turned into opportunities for
new innovation.

But where to begin? You want to avoid
causing unnecessary work, but you are
required to participate, and often lead, the
conversation around addressing cyber risks.
When the U.S. Government began working
with members of the IT and critical infra-
structure industry on a Cybersecurity
Framework for improving critical infrastruc-
ture cybersecurity, a key point that arose was
the need for nontechnical tools that could be
used at an executive level. Technical best
practices have existed in international stand-
ards and government agencies for years, but



not having a cybersecurity background, you
will certainly be able to make valuable con-
tributions about which cyber risks are
acceptable. You will find situations where
the operational priorities that you are
responsible for as CEO outweigh cybersecurity
risks. Your perspective on these matters
is what makes you core to leading cyberse-
curity efforts in your organization.

Finally, as with any risk management
effort, you must plan for the best but prepare
for the worst. Cyberthreats are very real, and
advanced hacking tools once available only
to nation-states are regularly sold on the
online black market. There are technical
architectures that can prevent and limit
damage done by cyberattacks (see Palo Alto
Network’s other chapter, “Designing for
breach prevention”), but no solution is ever
100 percent. Developing an incident response
plan that is coordinated across your enter-
prise and regularly tested is vital for even
the most well-defended organizations. Use
your existing risk management practices and
your leadership team to identify your most
important assets; then plan for what would
happen to your company if those assets were
shut off or inaccessible for a sustained period
of time. Similar to fire drills, regular practice
also helps you stay aware of cybersecurity’s
constantly changing environment and
shows a personal interest that will signal the
issue’s importance throughout your compa-
ny. There are also excellent chapters in this
book to get you started in setting up an inci-
dent response plan, and there are many
good companies that specialize in the sticky
problems of rebuilding your network when
you need to call in the cavalry.

While risk management is a strong approach to tackling the challenges of cybersecurity, the bottom line is that it will often require some investment in new people, processes, or technology. A common myth is that security must be a cost center for every organization. This view has plagued IT security experts for years, as their efforts are viewed as drains on resources that would otherwise be bringing in revenue. But as you start to lay out cybersecurity from a

something that can be solved in one lump investment or board meeting. Just like any risk analysis, it requires serious consideration and thought about what is most important to your core business practices.

Which brings me to the second recommendation to come out of the Cybersecurity Framework effort: don’t begin your journey alone! Bring your leadership team, especially your CIO, chief security officer (CSO), and CISO, into the conversation from the start, to help determine how your IT priorities match to your business goals. Building a diverse team that includes other leaders, such as your head of human resources, will help foster a culture that views cyberthreats not as “someone else’s problem” but as challenges that should be addressed and dealt with as an entire organization. For example, cyber criminals still continue to successfully use fake emails as a primary method for gaining access to a company’s network. Stopping these attacks requires not just a technical solution but also strong training, which is often the responsibility of human resources and not your IT security team.

As more significant challenges arise, and they will do so often and unexpectedly, lean on your leadership team to evaluate problems in relation to the impact to your other business risks. Then let your team address them based on your existing business goals. For example, if you experience a cyber breach or accidental disclosure of sensitive information, a diverse leadership team is incredibly helpful at not just responding to the technical problems but also ensuring other areas such as public image, legal ramifications, and revenue impact are taken into consideration in any mitigation and remediation efforts. It is your job to help frame the problem for your team and provide oversight and guidance, not micromanage a crisis.

As with normal business operations, you should also be asking your team to assist you in day-to-day requirements of your cybersecurity, such as reviewing IT budgets and personnel security policies. None of this is surprising, and you will find that despite



know these as web-based email or online storage services. They are incredibly popular for their low cost, flexibility, and availability across multiple platforms, but they also exist on servers outside your control and can present a huge risk from users accidentally making company resources available to external parties. There are now innovative solutions that can manage these programs just like any normal application that lives on your network and even block their use for only malicious purposes.

True leadership in any issue doesn’t involve simply throwing more money at the problem; you must always balance the risks and rewards of your decisions and investments into a coherent strategy. Cybersecurity is no different. Unfortunately, today’s reality is such that cyberthreats will remain an issue of fear for boardrooms in the foreseeable future, leading to default knee-jerk reactions as new threats evolve. Ultimately, we must get to a place where cybersecurity is a normal part of any business’s operational plan. With cool-headed, rational leadership, you have the unique ability to help transform this issue in your company from a crisis to an opportunity for real innovation.

risk management perspective, you will be forced to identify your most valuable assets, pressing vulnerabilities, and core motivations. This introspective approach can also drive new ideas applicable to your core business lines. It is imperative that you recognize these innovations and make the right investments to reap both the benefits of better security and new business

For example, take a company that wants to enable its sales staff to securely meet with customers face to face away from the office for consultations. Using mobile devices and phones to access internal company data, such as customer accounts, from the field can open serious cyber risks. In this case you could ensure that when purchasing a mobile platform, you also choose a security vendor that can provide mobile device management capabilities. This allows your IT department to secure lost or stolen devices and limit malicious software that could be accidentally downloaded by employees (or often their kids), limiting cyber risks and enabling flexibility of your sales team.

Another great example is the use of software as a service (SaaS) products. You may


Coalfire – Larry Jones, CEO and Rick Dakin, CEO (2001-2015)

Establishing the structure,
authority, and processes to
create an effective program

Cybersecurity program oversight is currently an unsettling
process for many C-suites and boardrooms. Establishing
structure, authority, and program oversight should be
aligned to existing management processes and structure for
other critical programs. However, cybersecurity programs
remain unsettling. Why?

Simply put, cybersecurity programs address a different type of risk. Typically, the risk that is being addressed includes sophisticated attacks that are intended to interrupt operations or steal sensitive data. In either case, organizations find themselves under attack. In the case of Sony, a nation-state attacked the company for the sole purpose of disrupting the distribution of media. In the case of JP Morgan Chase, a highly sophisticated adversary launched a denial of service attack against the service delivery platform to disrupt the flow of transactions. Both cases provide business justification to manage cybersecurity initiatives as a bet-your-business type of risk management program.

The connection between the boardroom and those managing the technical infrastructure is critical. However, no board or C-Suite has the skills or knowledge of the threat landscape or technologies involved in cybersecurity programs to flatten the management structure for top to bottom direct management. Each level of the organization must participate in an integrated and collaborative fashion. The structure and risk management responsibilities have been documented many times by well-respected cybersecurity organizations such as the National Institute of Standards and Technology (NIST) in a series of special publications. Coalfire has specifically supported the local adoption and application of these general principles for the electric utility, financial services, health-care, and retail sectors. As a result, this chapter leverages the lessons learned from those previous engagements to provide a condensed but effective approach to



cyber risk management and cybersecurity
program creation and oversight.

First, the nature of the threat landscape is evolving, while the underlying technology platforms that hold sensitive data are also changing. In this fluid environment, management must create a nimble program of active cyber defenses informed by an iterative risk management process. For the foreseeable future, cybersecurity program oversight will not be one that can be reduced to an annual review process. When cyberattacks go undetected for months and then bring a company to its knees overnight, the level of vigilance and communication is heightened. To be effective, the structure has to be distributed throughout the organization, and risk thresholds have to be set that cause unplanned alerts to drive management action on a regularly scheduled review and ad hoc incident-response basis.

Often the primary risk to cyber assets is a cyberattack. The sophistication and determination of known threat actors drive the executive team to put on war paint and respond in kind. Unlike other enterprise risks that can be managed with traditional controls, cybersecurity requires the mindset of a warrior. Think in terms of Sun Tzu’s guiding principles published in 473 BC, The Art of War: “we must know ourselves and our enemies and select a strategy to positively influence the outcome of battle. There is no reason to fear the attack but there is reason to be concerned about our readiness to defend ourselves from the attack and respond appropriately.”

The most common approach for creating and maintaining an enterprise cybersecurity program follows a five-step risk management process. The process is iterative and constantly informed by new information. I am often asked, “When will the cybersecurity program be completed?” Unfortunately, the answer is never. Cybersecurity has to be viewed as a process and not an end point, the proverbial marathon versus sprint.

Each of the steps in the process requires
participation at multiple levels across an





1. Plan
i. Cyber asset inventory and environment
ii. Risk assessment and risk management
iii. Governance and organization structure
2. Protect
i. Program control design, control selection, and implementation
ii. Training
iii. Maintenance
3. Detect
i. Threat and program effectiveness monitoring and reporting
ii. Incident alerting and response
4. Respond
i. Event analysis and escalation
ii. Containment, eradication, and recovery
5. Adjust
i. Lessons learned and program
ii. Communications

The rest of the chapter addresses each step of
the cybersecurity program development
process and highlights responsibilities for
stakeholders throughout the organization.

Cybersecurity Program




many times that it is more realistic to expect that vendors have done little to inherently protect systems or data in the native design of their systems. In many cases, unless deployed appropriately, new cloud and mobile applications can actually decrease the level of cybersecurity already deployed on legacy systems. It is the responsibility of each executive to fully define his or her operating environment and include critical third parties in the assessment.

Although lack of cybersecurity integration by vendors is not universal, we’re seeing some enlightenment in a few security-focused service providers. However, it remains a serious concern for the majority of new system acquisition and support processes, and cybersecurity typically shifts to an add-on feature after procurement of a major new system in many cases. In short, the process of identifying critical cyber assets and the systems that support those assets will remain a key part of the cybersecurity program oversight function for the long term. The process of ‘knowing thyself’ has been expanded to knowing your partners and vendors and where your sensitive data has been shared or managed by third parties.

The following is a quick test:

• What are your top 3 most important business processes, and what systems support those functions?
• Does the way your CIO answers the previous question match your understanding of critical systems?

Risk assessment and risk management strategy
After a solid understanding of the battlefield is established and executives appreciate the critical cyber assets being protected, an assessment of risk to those cyber assets is critical to the design of the cybersecurity program. The ability to adjust the program to meet the evolving threat landscape and technology architecture shifts is an important component of organizational security maturity. Responsibilities for conducting an effective cyber risk assessment are distributed at three levels, as shown in Figure 2.

■ Plan
Cyber asset inventory and environment characterization
In accordance with the principles of Sun Tzu, “know thyself.” When cybersecurity programs are managed at only a technical level, the focus of the program is at risk of being misdirected. Sensitive data hosted on an inexpensive platform may belie the true value to the organization. Only senior executives and business unit managers understand the relative importance of specific operations or data.

Simple cybersecurity program designs often include some level of network and data segmentation, encryption, or levels of access. As a senior executive, one of the things you should be asking is if your most important systems and most sensitive data are properly deployed in the protected zones within your system architecture. However, the IT team will never know how to answer that question if senior management (specifically business unit management) does not specifically provide guidance on the relative importance of business functions and their associated systems.

The new generation CIOs and CISOs understand this principle completely, and the best of them have structured the operating environment and security programs to focus on the most important cyber assets. However, to assume all CIOs or CISOs understand this principle of critical asset classification and environment characterization is dangerous, because many do not. The most important part of this discussion is, “Does every business unit manager understand what his or her most critical cyber assets are and where they are deployed?” Even if the CIO and CISO understand the relative priorities, senior executives cannot effectively participate in either cyber risk management or cybersecurity program oversight without first understanding the extent of the environment being protected.

As a quick warning, many of my clients have the false expectation that cybersecurity has become a critical part of the design for new or more modern platforms being purchased from large vendors and hosting providers. This expectation has proven false so



increasingly popular means of transferring risk but comes with the requirement that you understand risk in ways that may not have been previously considered. It is important that the business units and security staff are able to communicate the constraints as well as the risk mitigation alternatives for senior executives to make reasonable decisions on risk management strategies.

Governance and organization structure
The risk assessment management duties and
responsibilities are typically allocated in
accordance with Table 1.

■ Protect
Program design and implementation
The outcome for any cybersecurity program is the expectation that an organization can defend its critical cyber assets from irreparable damage resulting from a cyberattack. The impact of cyberattack is different for every organization. As a result, the cybersecurity strategy and associated program must be considered against the potential

The primary objective for a risk assessment is to drive selection of adequate and rational controls and then assign responsibilities to manage those controls. During the process the environment will be characterized to bring context, and the existing system vulnerabilities and weaknesses will be evaluated to select controls to offset the probability of compromise during an attack. A comprehensive cybersecurity program addresses administrative, physical, and technical controls as an integrated suite.

Once the inherent threats and vulnerabilities are understood within the context of the impact they could have on the organization, its clients, and partners, senior executives must approve the risk management strategy. Many executives want to see all risk either mitigated or transferred. However, the bulk of companies in critical infrastructure industries end up accepting some level of risk in their strategy. Cost, continuity of operations, or other concerns may drive the formation of the cybersecurity program to mitigate what is reasonable and accept the residual risk. Cybersecurity insurance is becoming an

[Figure: Cyber Risk Organizational Structure and Responsibilities. Surviving labels: “Corporate strategy”, “Policy”, “Actionable policy and procedures”, “Guidance and …”, “Results of …”, “Feedback”.]



Executive
• Prioritize critical assets
• Establish risk appetite
• Approve risk management strategy
• Mitigate the risk
• Transfer the risk
• Accept the risk
• Approve the program and policies
• Assign responsibilities
• Provide oversight

Business Unit
• Define boundaries
• Design use case scenarios to understand impact from system attack and compromise
• Identify constraints for mitigating all risk
• Develop a justified risk management strategy
• Identify all required users of systems or delegates to receive data on a “need to know”

Systems Management
• Recommend technical and physical controls
• Identify threats and system vulnerabilities
• Evaluate the likelihood and probability of impact for each threat and vulnerability
• Estimate the impact on systems and operations from a financial, legal, and regulatory

Although security programs are different for every company, the principles for developing the program are fairly consistent. NIST Special Publication 800-53 has done a good job in describing the selection of controls for high-, medium-, and low-level impacts. Every organization needs access controls, but only those that result in national security impact are realistic candidates for deploying the high-level version of that control. Many executives are “sold” a package of controls because they are used by the NSA, but the question to ask is, “How does the NSA mission relate to our operations?”

As discussed in the risk assessment segment, executives have to define their risk appetite. This is hard during the early days of cybersecurity program development because most of the C-suites have an inherently low risk appetite and do not yet understand the impact of lowering the threshold for control selection. As a result, cybersecurity programs are often a work in process for several years.

The best cybersecurity programs are the ones that staff and partners will actually execute. Contrary to what many vendors and partners will tell you, the magic is not in the security solutions selected. Rather, the magic is in the ability of the organization to manage those solutions to mitigate risks. Because the security skills available in the industry today are low and growing increasingly rare, companies should expect to spend a disproportionate amount of training dollars on cybersecurity.

Anyone working in forensic response will tell you that system compromise and data breach are rarely the result of some sophisticated attack that no one has ever seen before. The bulk of effective attacks use vulnerabilities that have been known for years. Cross-site scripting, shell or SQL injection, shared administrator accounts, lack of patching, and other standard security hygiene issues are normally the culprits. There are two significant operations that go dramatically underfunded in most organizations: maintenance of systems and security controls, which leaves organizations vulnerable to attack.

■ Detect
Program monitoring and reporting
The days of ‘acquire, deploy, and forget’ are
over. For years, senior executives did not
have to participate in cybersecurity program

Levels of Authority and Responsibility



oversight, because a combination of firewalls, malware protection, and light access controls were adequate to defend against previous generations of relatively static cyberattacks. Today, continuous monitoring is critical to see the evolving threat and technology landscape.

Cybersecurity programs have moved from a period of static defenses to active defenses, and we must become more nimble to successfully protect critical systems and sensitive data. From a military perspective, think of this shift as moving from multiple armored divisions with significant force and firepower protecting cities or regions to the more recent Special Forces mindset, in which quick detection and reaction are the key to success.

In the previous section, we mentioned two areas for increased investment. The second area is to develop cybersecurity programs with a much higher focus on threat intelligence, monitoring, and alerting. This requires new security solutions and specially trained security professionals. The old line of firewalls, malware protection, and access controls are still required, but much more active system patching, vulnerability management, and monitoring are driving modern security programs.

To avoid the perception of negligence, senior executives often reinforce old line security controls that are audited for regulatory compliance. However, focusing only on compliance will not secure an organization. Cyberthreats are ongoing, while compliance is a point-in-time review. What is needed to address increasing cyberthreats is a nimble program that can suffer an intrusion but repel the intruder and recover operations quickly. Just like a good boxer needs to be able to take a punch and stay in the ring, companies today must be able to absorb a cyber punch and keep operating while at the same time mitigating and recovering.

Incident alerting and escalation
Identifying a potential attack is only half the solution. Cybersecurity programs must alert the technology teams and business units to respond appropriately. One potential response is to take systems offline. Without executive and business unit involvement, a poor decision could be made.

■ Respond
Response capabilities vary after discovery of a
cybersecurity incident, and organizations are
typically faced with two unappealing options:

1. Pull up the drawbridge and stop the hordes from overrunning the castle.

2. Keep the drawbridge down while trying to figure out where the bad guy is.

The most immediate, and some say rational, response is to “pull up the drawbridge” to eliminate whatever access hackers have. Unfortunately, this alerts the bad guy that you know he’s inside, so whatever systems and accounts he may have compromised or whatever backdoors he’s created will be unknown.

On the other hand, if a company decides to take option two, to play it low-key and continue with business as usual to determine the scope of the problem, the organization can determine what systems have been compromised, what new privileged accounts have been created, and what back doors may exist. This will give the company a better chance of long-term success in eliminating the breach and repairing lost or damaged information.

One response is not necessarily better
than the other, because situations vary.
However, these critical decisions must be
made almost immediately.

■ Adjust
No program is ever perfect. Continuous
monitoring and reporting will enable all
three tiers of responsibility to constantly
adjust the program and inform the other
tiers of actions.

■ Summary
Effective cybersecurity program development and oversight requires executives to implement and manage a distributed process at three levels within an organization: executive level; business unit level; and operational level (Table 2).



Executive | Business Unit | Systems Management

Plan
• Prioritize systems and functions for
• Establish risk
• Inventory critical
• Risk assessment
• Select justified
• Develop an architecture to integrate controls
• Provide periodic updates to executives to help them understand context for the program

Protect
• Approve program strategy
• Approve standards and metrics for control oversight
• Approve policies
• Train users
• Enforce controls
• Design and manage physical and logical
• Design, deploy, and manage technical

Detect
• Receive periodic threat briefings and controls
• Receive periodic education on changes to the threat landscape and emerging
• Incident and event reporting from staff, partners and third parties
• Operate system and control monitoring
• Actively participate in threat intelligence

Respond
• Lead Incident Response Team
• Participate in the Incident Response
• Containment
• Recovery

Adjust
• Allocate resources for program
• Deploy enhanced
• Deploy updated and physical
• Provide advice for control

If Sun Tzu lived today, he would clearly see the nature of current cybersecurity programs and responsibilities and recognize the criticality of executive level management. We have to take a warrior’s attitude in developing strategies and programs to be successful in combatting the cybersecurity challenges we face today.

Levels of Authority and Responsibility


Cybersecurity legal and
regulatory considerations


Booz Allen Hamilton – Bill Stewart, Executive Vice
President; Dean Forbes, Senior Associate; Agatha
O’Malley, Senior Associate; Jaqueline Cooney,
Lead Associate; and Waiching Wong, Associate

Securing privacy and profit in the era
of hyperconnectivity and big data

Companies increasingly use consumer data, including personal information, to stay competitive; this includes the capability to analyze their customers’ demographics and buying habits, predict future behaviors and business trends, and collect and sell data to third parties. Consumers’ willingness to share their data centers on trust, however, and 91% of adults believe that they have lost control over how their personal information is collected and used (2014 Pew Research Center). So how do companies effectively manage consumer data while simultaneously building trust? It has been said that you cannot have good privacy without good security. A first step is to build an effective security program while also better understanding what privacy means and how it can be a strategic business enabler in our era of hyper-connectivity and “big data”.

■ Why does this matter? The data economy
The power and insights driven by consumer data have changed the corporate landscape. This has created the

of adults “agree” or “strongly agree” that consumers have lost control over how their personal information is collected and used by



■ Privacy definitions vary
“Privacy” may have different meanings to stakeholders due to factors such as the context, prevailing societal norms, and geographical location. There is no consensus definition of privacy, which makes it challenging to discuss, and act upon, a need for privacy. However, an important central concept regarding privacy recurs, which is the appropriate collection, use, and sharing of personal information to accomplish business tasks. Determining what appropriate and limited means for your customer is key to gaining trust and unlocking the potential of the data economy.

■ What is personal data?
Personal information comes in variations such as: (1) self-reported data, or information people volunteer about themselves, such as their email addresses, work and educational history, and age and gender; (2) digital exhaust, such as location data and browsing history, which is created when using mobile devices, web services, or other connected technologies; and (3) profiling data, or personal profiles used to make predictions about individuals’ interests and behaviors, which are derived by combining self-reported, digital exhaust, and other data. According to research, people value self-reported data the least and profiling data the most (2015 Harvard Business Review). For many companies, it is that third category of data, used to make predictions about consumer needs, that truly provides the ability to create exciting, thrilling products and experiences. However, that same information is what consumers value the most and seek to protect.

data economy—the exchange of digitized information for the purpose of creating insights and value. Companies are building entire businesses around consumer information, including building data-driven products and monetizing data streams. This is a supply-driven push made possible by widespread digitization, ubiquitous data storage, powerful analytics, mobile technology that feeds ever more information into the system, and the Internet of Things. This also has a demand-driven effect as more consumers expect their products to be “smart” and their experiences to be targeted to delight them on an individual basis.

The data economy goes beyond the tech industry. For example, many supermarkets now record what customers buy across their stores and track the purchasing history of loyalty-card members. The most competitive companies will sift through this data for trends and then, through a joint venture, sell the information to the vendors who stock their shelves. Consumer product makers are often willing to purchase this data in order to make more informed decisions about product placement, marketing, and branding.

The enabler of the data economy is data itself. Individuals generate data. They do this every time they “check in” to a location through a mobile app, when they use a loyalty card, when they purchase items online, and when they are tracked through their Internet searches. Companies gain consumers’ trust and confidence through transparency about the personal information that they gather, providing consumers control over uses and sharing of such information, and offering fair value in return.

Every minute:
• Facebook users share nearly 2.5 million pieces of content.
• Twitter users tweet nearly 300,000 times.
• YouTube users upload 72 hours of new video content.
• Amazon generates over $80,000 in online sales.



Gmail service scans emails in order to target
and tailor advertising to the user. In 2013
Microsoft ran TV ads that claim that “your
privacy is [Microsoft’s] priority.”

Companies are also competing to be privacy champions against government surveillance. For the last few years, the Electronic Frontier Foundation has published the “Who Has Your Back” list—highlighting companies with strong privacy best practices, particularly regarding disclosure of consumer information to the government.

■ Challenges and trends
Maintaining compliance
Beyond the moneymaker of the data economy, there is also a need to comply with a swirl of conflicting regulations on privacy. For global companies, this task is made more difficult as privacy regulations vary by region and country. Although international accords often serve as the basis of national laws and policy frameworks,[1] the local variations complicate compliance. For example, the May 2014 ruling of the European Court of Justice on the “right to be forgotten” set a precedent for removing information from search results that are deemed to be no longer relevant or not in the public interest by affirming a ruling by the Spanish Data Protection Agency. Countries across Europe have applied the ruling at a national level, which means that they are not exactly the same.[2] Compliance with this decision has yet to be fully understood. Google has fielded about 120,000 requests for deletions and granted approximately half of them.[3] Compliance is costly and complicated. Beyond technical issues (which were easier to solve), Google’s main issue with compliance was administrative—forms needed to be created in many languages, and dozens of lawyers, paralegals, and staff needed to be assembled to review the requests. Issues

■ Privacy and security intersect through

Although privacy and security are two separate concepts, the importance of these two ideas intersects for the consumer if personal information is not safeguarded. In a nutshell, consumers are more likely to buy from companies they believe protect their privacy. Large-scale security breaches, such as the recent theft of credit card information of 56 million Home Depot consumers (2015) and 40 million Target shoppers (2013), provide consumers with plenty to worry about. Breach-weary consumers need to know who to trust with their personal information, to ensure that only the company that they provided the information to can use it. Risk management for data privacy and security of that data should guard against external malicious breaches and inadvertent internal breaches and third-party partner breaches.

■ Privacy is linked to trust—differentiate
with it

Trust, and the data that it allows companies
to have access to, is a critical strategic asset.
Privacy issues that erode trust can disman-
tle the goodwill that a brand has spent dec-
ades building with consumers. Forward-
leaning companies are already moving
toward proactively gaining the trust of their
customers and using that as a differentiator.
Learning from its issues with the lack of
security on iCloud, Apple now markets all
of the privacy features of their products and
apps. With an eye toward the desires of its
customers, the iPhone’s iOS 8 is encrypted
by default. This makes all “private” infor-
mation such as photos, messages, contacts,
reminders, and call history inaccessible
without a four-digit PIN and numeric pass-
word. In 2012 Microsoft launched its “Don’t
get Scroogled” campaign as a direct attack
on its rival, Google, by highlighting that its

Privacy is very often conflated with security. While privacy is about the appropriate
collection, use, and sharing of personal information, security is about protecting such
information from loss, or unintended or unauthorized access, use, or sharing.



remain, such as the possibility of removing
links from as well as from
country-specific search engines.

Compliance with established laws in the U.S. is often topic-
and industry-specific. For example, Congress has passed laws
prohibiting the disclosure of medical information (the Health
Insurance Portability and Accountability Act), educational
records (the Buckley Amendment), and video-store rentals (a
law passed in response to revelations about Robert Bork’s
rentals when he was nominated to the Supreme Court).4

Growing data = growing target for hackers
As data availability increases, the attractiveness of
datasets for hackers increases as well. Companies in all
sectors—health care, retail, finance, government—all have
datasets that are attractive to hackers. Just a few of the
confirmed cyberattacks that targeted consumer information in
2014 include: eBay, Montana Health Department, P.F. Chang’s,
Evernote, Feedly, and Domino’s Pizza.5

Beyond personal information
Personal information (PI) is described in privacy and
information security circles as information that can be used
on its own or with other information to identify, contact or
locate a single person, or to identify an individual in
context. With the advent of rich geolocation data, and
powerful associative analysis, such as facial recognition,
the extent of PI is greatly expanded. Regulations are
struggling to keep up with the changes, and companies can
maintain consumer confidence by collecting, using, and
sharing consumer data with privacy in mind.

■ What to do? Build consumer trust
To unlock the data economy, companies will need to tune in to
their customer’s needs and move quickly to earn and retain
customer trust. Privacy can be a competitive differentiator
for your business—and this goes beyond lip service.
Appropriate privacy policies are needed. Internally, this
means building privacy considerations into business
operations and expected employee

conduct, along with a clearly defined means of enforcement.
Externally, this means building privacy considerations into
the products and services offered to customers.
Some of the ways to do this include the

Create easy-to-understand consumer-facing policies
The average website privacy policy averages
more than 2,400 words, takes 10 minutes to
read, and is written at a university-student
reading level.6 No wonder half of online
Americans are not even sure what a privacy
policy is.7 Writing clear, easy-to-understand
consumer-facing policies can help you
increase the number of people who will
actually read them, and you will gain the
trust of your consumers. No company has a
perfect solution, but many organizations
have come closer. Facebook has recently
rewritten its privacy policy for simplicity
and included step-by-step directions for
users.8 To increase trust, privacy policies
should clearly state the following:

1. the personal information that you will

2. why data is collected and how it will
be used and shared

3. how you will protect the data

4. explanation of consumer benefit from the collection, use,
sharing, and analysis of their data.

Additionally, companies should give a clear
and easy opt-out at every stage and only use
data in the ways stated. To ensure that the
data is used in the ways stated, develop clear
internal data use and retention guidelines
across the entire enterprise, limit internal
access to databases, create a procedure for
cyberattacks, and link it directly to the con-
sumer privacy policy.

Go “privacy by design”
The concept of “privacy by design” is inte-
grating and promoting privacy require-
ments and/or best practices into systems,
services, products, and business processes
at the planning, design, development, and


Building consumer trust includes keeping information safe
from hackers, creating easy-to-understand consumer-facing
policies, and applying the principle of “privacy by default”.
Companies that reframe these actions as business enablers
instead of business costs will thrive—and find it easier to
comply with an increasingly complex web of regulations.
Finally, communicating your good work to consumers will
elevate the profile of your organization as a trusted
partner, and pave the way for future gains.






5. http://www.forbes.com/sites/

6. http://www.computerworld.com/article/2491132/data-privacy/new-

blogs/the-switch/wp/2014/11/13/

9. https://fortunedotcom.files.wordpress.com/2014/11/privacyandsecurity

implementation stages, to ensure that businesses meet their
customer and employee privacy expectations, and policy and
regulatory requirements. The approach is a market
differentiator that is intended to reduce
privacy and security risks and cost by
embedding relevant company policies into
such designs. As such, privacy settings are
automatically applied to devices and ser-
vices. Privacy by design and default is
recognized by the U.S. Federal Trade
Commission as a recommended practice for
protecting online privacy, and is considered
for inclusion in the European Union’s Data
Protection Regulation, and was developed
by an Ontario Information and Privacy

Communicate your good work
Privacy policies and actions are more than
legal disclosure; they are marketing tools.
All the actions you take to protect consum-
ers’ privacy should be communicated so
they know you can be trusted. The Alliance
of Automobile Manufacturers, representing
companies such as Chrysler, Ford, General
Motors, and Toyota, publicly pledged more
transparency about how they will safe-
guard data generated by autonomous vehi-
cle technologies. Many groups have pub-
lished data principles that communicate
how data is gathered, protected, and

■ Conclusion
Our current data economy brings exciting
opportunities for companies to grow by
enhancing their products and services. These
innovations rely on consumers to trust your
organization with their personal information.


Data Risk Solutions: BuckleySandler LLP &
Treliant Risk Advisors LLC – Elizabeth McGinn,
Partner; Rena Mears, Managing Director; Stephen
Ruckman, Senior Associate; Tihomir Yankov,
Associate; and Daniel Goldstein, Senior Director

Oversight of compliance
and control responsibilities

For too long, cybersecurity has been considered the realm
of the Information Technology (IT) Department, with
corporate executives assuming that the goal of cybersecu-
rity is simply to make sure IT is secure enough to allow
the company to use data reliably to do its business. In
today’s economy, however, data are not only a tool for
doing business but also a core asset of the business itself.
The collection, analysis, and sale of rich data about one’s
products and customers inform decision-making and
business strategy and provide a key revenue generator
for many companies. Because data are now so valuable,
the increasingly pervasive and debilitating nature of
cyberthreats poses an existential threat to the company’s
success. Data’s value to cyber criminals also has the
attention of federal and state regulators concerned with
consumer privacy and safety, posing new legal and com-
pliance challenges.

This is why companies can no longer afford to approach the
oversight of cybersecurity as an IT issue. Simply because a
cyberthreat’s mode of attack usually exploits vulnerabilities
in a company’s IT infrastructure does not mean that oversight
should rest purely with the team that maintains and repairs
that infrastructure. Certainly, a secured IT infrastructure
is crucial and an important first line of defense. However,
the enterprise risk created by cyberthreats requires a
holistic approach that considers the management of an entire
array of impacts—from reputational to regulatory to
financial—that transcend core IT competencies and functions.
Because securing today’s data is central to securing the
company’s future, effective



encompasses the risks of financial loss; business or
operational disruption; loss or compromise of assets and
information; failure to comply with legal, regulatory, or
contractual requirements; or damage to the reputation of an
organization because of the unauthorized access to or
exploitation of data assets. Cybersecurity is the protection
of data assets from unauthorized electronic access or
exploitation risks through processes designed to prevent,
detect, and respond to these risks.1 Effective oversight of
cybersecurity is therefore essential to a company’s oversight
of risk management.

Two core components of the company’s cybersecurity program
must be overseen at the highest levels of management:
compliance and controls. Compliance here means the company’s
program for ensuring actual adherence to internal
cybersecurity policies as well as external privacy and data
protection laws and regulations in the jurisdictions where
the company operates. Controls mean the company’s systems and
processes for protecting its data infrastructure and carrying
out incident response. These components should be overseen
actively to confirm that compliance and controls are going
beyond mechanical application of generic cybersecurity rules
and standards, which may just establish a regulatory floor
for corporate practices, not a set of industry-leading
practices, and which may not be appropriate or relevant to
the threat landscape and unique regulatory requirements for
the company’s industry. Moreover, even industry-leading
practices quickly may become dated, because regulators’ views
on “reasonable” cybersecurity are changing all the time.2 The
legal risks from inattentive oversight are limited only by
plaintiffs’ imagination and regulators’ zeal, and the
practical risks are limited only by hackers’ ambition and
creativity.

From a risk management perspective, the
key inquiry revolves around the value of
each data asset. For example, data assets
whose business usefulness has long passed
may still be rich in information that may be
embarrassing to the organization if released
publicly. So in a way, cybersecurity risks are

oversight of cybersecurity compliance and
controls requires leadership from the C-suite
and the boardroom.

Critically, this leadership must be coordinated. For a
company’s cybersecurity compliance and control programs to be
effective, efforts must be structured in ways that ensure the
board and senior management, including the C-suite, work
together to achieve its risk objectives. Each has distinct
cybersecurity responsibilities: senior management is
responsible for determining relevant cyber-related risks and
implementing a compliance program that incorporates
appropriate processes and controls to mitigate them, whereas
the board is responsible for overseeing the risk
identification process and independently evaluating whether
the program is designed, implemented, and operating
effectively to meet the company’s cybersecurity risk
mitigation objectives. Meeting these responsibilities well
requires a formalized integrated approach to cybersecurity
risk evaluation, defined roles and responsibilities,
implementation of a program that is supported by the board,
clearly articulated by the C-suite, and effectively
implemented by operational resources. Disconnect between the
board, C-suite, and operations poses as much of a challenge
to corporate cybersecurity as cyberthreats themselves.

■ Cybersecurity oversight is risk management

To understand why coordinated C-suite and
board oversight of cybersecurity is essential,
one must understand cybersecurity as a
means of managing and responding to cor-
porate risk. The purpose of risk management
in general is to identify and mitigate the
risks a company faces to a level acceptable to
the enterprise as determined by the board, a
level known as a company’s “risk appetite.”
The strategies and objectives for managing
risks and responding to threats are articu-
lated in the policies, procedures, and con-
trols of the organization and are the respon-
sibility of senior management.

One significant and growing area of risk
for most companies is data risk. Data risk



of the organization’s risk management

The board also has to be sure to engage in
oversight of cybersecurity compliance and
controls at all phases of the company’s data
risk management “lifecycle.” See Figure 1.

The lifecycle involves, first, identification—looking at the
company’s cybersecurity risk profile, identifying the key
data assets that have to be protected (the “crown jewels”),
and determining the applicable laws and regulations governing
their protection; next, design and implementation—creating
and implementing operational controls and compliance
processes to manage the risks to those data assets; next,
monitoring—actively overseeing the compliance processes and
controls; next, evaluation—evaluating the effectiveness and
management of the controls and compliance processes
implemented; and finally reporting and reassessment—documenting
how the controls and compliance processes are working, and
reassessing to the extent that there are gaps. The last phase
of the lifecycle involves internal reporting on capabilities
to respond to threats, external reporting on those
capabilities to stakeholders (e.g., SOC 2 reporting), and
adjusting management to respond to internal drivers (e.g.,
business changes) and external drivers (e.g., constantly
evolving regulatory requirements and guidance). Strong
C-suite supervision and board oversight are needed at every

The oversight and compliance need not rest on the entire
board—a standing committee comprising knowledgeable board
members, armed with outside expertise where appropriate,
often can provide a more focused and better informed
oversight. However, whatever oversight activities are
undertaken must be documented so that the board can show that
it is carrying out its fiduciary duties.

■ Building blocks of effective oversight
of cybersecurity compliance

An organization’s cybersecurity compliance
efforts must support the company’s busi-
ness units and management in their efforts

partially an extension of data retention
risks, for what the organization does not
have (and has no obligation to keep) cannot
be hacked.

Thus, the board and senior management
must approach the oversight of cybersecuri-
ty compliance and control from a broader
risk management vantage point: one that
weighs the value of the data as an asset class
to the organization, the value that may be
assigned by the threat actors who may seek
the asset, and the broader impact and costs—
including but not limited to legal and com-
pliance costs—stemming from the potential
compromise of data.

In this vein, perhaps the board’s most critical inquiry to
senior management is whether the organization has adopted
sufficient processes to inventory and value its various data
assets. From a cybersecurity perspective, senior management
should then weigh under what circumstances, through what
channels, and on what platforms the organization’s most
critically valued data assets should be made accessible.

■ Board of directors’ role in oversight
of compliance and controls

Too often, boards have exercised limited oversight of
cybersecurity, yet monitoring the management of data risk
associated with cybersecurity is part of the board’s
fiduciary duty to the corporation. The time for the board to
begin to play an oversight role is not the moment when data
actually are put at risk, through a breach or corporate
theft; the board must build cybersecurity oversight into its
general strategy for overseeing risk management from day one.

Managing the risks associated with
cybersecurity compliance and control
involves determining one’s risk appetite in a
variety of areas and requires senior manage-
ment to make fundamental judgment calls
about the design of the control environment,
the scope and depth of the compliance
program, and the resource allocation for
each. The board must be well informed of
how the corporate leadership is managing
these risks and able to assess the adequacy



obtaining outside review for deficiencies or improvements. A
mechanism for periodic updates to the Plan should be included
in the Plan; many companies get into trouble with regulators
for failing to update their cybersecurity approach as their
business model changes or as regulations or enforcement
strategies change.

If the company is operating in the United States, the Plan
must be neither aspirational nor hyper-specific. An
aspirational plan—one that sets out where the organization
envisions its cybersecurity program to be at some point in
the future—may end up causing the company to look like it is
falling short if regulators come calling. Similarly, a
hyper-specific Plan may put the company at risk of technical
noncompliance. In short, the Cybersecurity Risk Management
Plan should match what the company actually does.

to achieve compliance with government rules and regulations
as well as the organization’s internal policies and
procedures by (1) identifying risks; (2) preventing risks
through the design and implementation of controls;
(3) monitoring and reporting on the effectiveness of those
controls; (4) resolving compliance difficulties as they
occur; and (5) advising and training.3

There are several steps the board and
C-suite should take to provide effective
oversight of the cybersecurity compliance
program’s execution of all of these functions.
First and most important, the C-suite should
implement an enterprise-wide approach to
compliance risk management. As part of this
approach, the organization should create a
formalized Cybersecurity Risk Management
Plan that is reviewed by the board. If the
Plan is developed internally by the corporate
leadership, the board should consider








[Figure 1: Data risk management lifecycle]



well-developed monitoring and assessment
processes that encourage timely internal
communication of potential risks to the
compliance team.

Fourth, consistent with the risk manage-
ment lifecycle, the C-suite should make sure
it has effective means to test compliance in
practice and communicate the results to the
board. It is critical for updates to cybersecu-
rity compliance policies to translate actually
into updated implementation, and the board
must be able to see—and where needed
spur—this implementation. (See the next
section). The C-suite also has to be able to
test to see that cybersecurity compliance is
taking root across the company’s operations
and prevent ‘siloing’ within business lines
or cost centers.

Fifth and finally, the board should make cybersecurity
compliance a priority, plain and simple. None of the above
measures will be prioritized at the senior management level
and below unless they are also the board’s priority.

■ Building blocks of effective oversight
of cybersecurity controls

Board and C-suite oversight of cybersecurity controls relates
to the control of associated enterprise risks: legal,
financial, regulatory, and reputational, to name a few. None
of these risks can be fully avoided, but effective controls
can reduce their impact on the organization, and effective
oversight can ensure that these controls are thorough.

One step a board can take to provide
effective oversight of cybersecurity controls
is to ensure that the controls implemented
by the C-suite contain prevention, detection,
and rapid remediation components. Many
companies focus on prevention and detec-
tion, but not remediation, and then are
caught off guard when they learn of an
intrusion requiring immediate remediation
that went undetected. Prevention measures
include data inventorying, data loss preven-
tion planning, strong perimeter and internal
defenses, and processes for timely patching
core software to plug security holes. Many of
these are IT measures, but prevention is not

Second, the C-suite should extend the
enterprise-wide approach to compliance
risk management to the company’s entire
ecosystem—its vendors and other third-party
partners (e.g., cloud services providers, out-
side data processors). This means ensuring
that oversight is robust for the corporate vet-
ting of cybersecurity practices at third par-
ties and that the contractual relationships
with third parties allow for monitoring and
oversight. Many technological innovations
are leading companies to outsource aspects
of their business involving data, but this
comes with risks of the partners not securing
data to the degree the company is.

Third, the C-suite should ensure—and the board should
monitor—the independence of the cybersecurity compliance team
from the company’s IT and business units. Given silos that
frequently develop around the compliance, IT, and business
teams, the C-suite ought to ensure that the compliance team
has the resources and skills to independently evaluate the
sufficiency of the company’s cybersecurity program. If the
compliance team is not equipped to understand what
technological steps the IT team is or should be taking to
advance the organization’s cybersecurity, and so defers
entirely to their judgment, it may fail to apprehend the
compliance implications of the steps ultimately taken.

Of course, independence should not mean isolation. It is
critical that these teams can and do speak to each other
regularly: compliance risks arise in the IT and business
lines, and the compliance team must be involved in assessing
those risks. For example, if a new business line involves
collection of new pieces of customer data, failure to ensure
that data are properly secured and kept private from the
start creates compliance risks. Likewise, the IT Department’s
failure to patch software in a timely manner creates
compliance risks. The compliance team must be sufficiently in
the loop to ensure steps are being taken to prevent these
failures, without being operationally involved in the actual
prevention efforts. This can be achieved through



As with cybersecurity compliance, for the
above measures to be prioritized, they must
be a board priority. In this vein, the board
should check to see that cybersecurity con-
trols are appropriately funded; none of these
controls can be prioritized without adequate

■ Implementation challenges
Even the best designed data security initia-
tives are prone to failure if not implemented
correctly. A common problem that can occur
even after apparently successful program
implementation is a disconnect between
appropriately drafted policies and proce-
dures on the one hand, and operational
practices and technology infrastructure on
the other (in-house and third party-man-
aged), and a failure of the board to notice.

Cybersecurity policies and procedures are effective only if
they are tailored to the company’s unique business
environment, applicable regulatory requirements, and known
security risks. However, too often, boards and C-suite
leadership oversee the development and adoption of
boilerplate policies and procedures that, although perhaps
built on generally appropriate foundations, are either
insufficiently customized or implemented inappropriately. The
resulting disconnects may lead not only to damaging data
breaches and unauthorized disclosure of personal information
but also to scrutiny from regulators and actions from the
plaintiffs’ bar. For example, the Federal Trade Commission
(FTC) currently views the disconnects between cybersecurity
policies and procedures and their actual implementation as
unfair or deceptive trade practices under Section 5 of the
FTC Act, and this is a trend that senior executives should
expect to continue.

It is critical to the success of a cybersecurity program that
the operational uptake of—and ongoing adherence to—program
requirements are measured effectively. Monitoring of the
program not only enables effective reporting up to the board
but also, more importantly, identifies vulnerabilities in the
program and areas for improved

limited to IT and includes building a corpo-
rate culture that is mindful of data risk, as is
discussed more below.

Detection measures include analysis of
operational data and anomaly detection as
well as systems for logging, monitoring, and
testing data moving into and out of the corpo-
rate IT environment and across various devic-
es (e.g., from computer to cloud service or
external storage devices), where legally per-
missible. Rapid remediation measures include
incident response plans that are rehearsed,
implementation of forensic recovery tools,
and measures to quickly restore failed sys-
tems from back-ups. Boards should recom-
mend appointment of a permanent incident
response team—comprising senior manage-
ment from IT, legal, compliance, vendor man-
agement, PR, investor relations, and business
lines—to lead the incident response efforts,
report incidents and remediation plans to the
C-suite and the board, and notify external
regulators and customers when necessary.

In line with the previous point, a key step
the C-suite should take is to oversee lines of
communication among the various parts of
the company that either manage or make use
of the company’s cybersecurity controls. If a
business line is experiencing occasional bugs
in its online customer order processing, for
example, and IT is not informed of the issue
in a timely manner, malware may go unde-
tected. If an employee with database access
quits and HR does not timely inform IT, then
user credentials may remain active long after
they should.

Another key step the C-suite can take is to
prioritize regular training of employees—at
a minimum annually—on cybersecurity
threats and how to avoid them. A surprising
number of threats can be thwarted by
employee education about suspicious
emails, strong password practices, and cau-
tious use of personal devices. The more
employees at every level learn to treat data
as a valuable asset, the more careful they will
be. Conversely, no matter how strong a com-
pany’s cybersecurity controls, it only takes
one employee mistake to expose sensitive
company data.



business asset is clearly established; its value is verified
on a daily basis by those who seek to gain access to business
networks and view, remove, or otherwise exploit the data
residing there. However, resources allocated to cybersecurity
are still frequently an IT line item, rather than an
enterprise-wide issue. Businesses operating in this
environment of perpetually evolving digital risks must
recognize that data security is no longer a cost of doing
business; it is a core component of remaining in business. As
such, budgets must be allocated appropriately to meet the
risks. Budgets vary according to business type, data types
and sensitivity, volume of data, sharing with third parties,
and any number of other risk factors that must be considered
by the board and executives. The budgeting process has to
enable the company to do more than get the right people and
processes in place but also to implement technology that
truly addresses the security needs of the organization. This
process requires commitment from the C-suite and oversight
from a board that understands the importance of
cybersecurity.

Cybersecurity budgeting also must
include dedicated resources for training of
personnel. As mentioned above, the human
element is frequently the weakest link in an
otherwise solid data security program. Staff
must have the resources they need to be
trained not only to be proactive in taking
steps to safeguard data but also to recognize
attempts by unauthorized parties trying to
gain network access. Phishing, for example,
remains a remarkably effective tool for gain-
ing credentials that open a door to the net-
work and the data therein, and inadequate
training may increase a company’s vulnera-
bility to phishing attacks. Regulators know
this and expect board members providing
cybersecurity oversight to know, too.

The board and C-suite also must bear in
mind that successful initial implementation of
a cybersecurity program does not necessarily
lead to a cybersecurity program that has lon-
gevity. Ongoing success is largely dependent
on top-down involvement by the board and
active management by the C-suite. The board

security. Although evaluating the effective-
ness of a cybersecurity program would
appear to be a core component of any suc-
cessful implementation, many organizations
fail to adequately address this need, often
leading to exploited weaknesses, data
breaches, and programmatic failure.

Effective metrics for evaluation can be
broken down into several categories to ena-
ble more targeted application across the
enterprise. Programmatic metrics measure
the progress of various organizational com-
ponents of the information protection pro-
gram, such as overall program development,
implementation, and maintenance (e.g.,
cybersecurity policies are updated to meet
new regulatory requirements). Operational
metrics measure the performance of (as the
name implies) various operational compo-
nents of the information protection program;
the number of cybersecurity incidents per
reporting period is an excellent example.
And compliance metrics measure individu-
als’ compliance with program requirements.
Such metrics may measure, for example,
whether employees are observing required
data security protocols when sending sensi-
tive customer information to a third party
for processing. In general, the trend for
many of these metrics is toward the meas-
urement of outcomes; metrics that demon-
strate a company’s frequent intrusion detec-
tion scanning are not helpful if the outcome
is still a high number of intrusions each year.

Regardless of whether your organization is seeking to measure
programmatic, operational, or compliance aspects of your
cybersecurity program, the metrics that you design must be
clearly defined and meaningful and measure progress against a
clearly stated objective. A properly implemented metrics
program helps leadership ascertain initial uptake and improve
the compliance with—and performance of—a well-designed
cybersecurity program.

Another challenge for effective imple-
mentation of cybersecurity compliance and
controls—and one that must be closely mon-
itored by the board—is resource allocation.
The recognition of data as a highly valued



ensure that these measures are being adopt-
ed. Only with consistent C-suite involve-
ment and strong board oversight—informed
by an understanding of data risk as a central
enterprise risk—can cybersecurity challeng-
es be handled effectively.

1. See NIST, “Framework for Improving
Critical Infrastructure Cybersecurity”
(2014) (defining “cybersecurity”). Of
course there are many definitions of
“cybersecurity”; the NIST definition
adapted here is just a recent American

2. For example, some regulators require
certain data to be encrypted while many
others do not. See, e.g., 201 Mass. Code
Regs. § 1700 (2009).

3. See International Compliance Association,
“What is Compliance?,” available at http://

should be apprised regularly of data security
incidents and emerging data risks, as well as
changes to the regulatory environment. An
actively informed and involved board, work-
ing in harmony with the C-suite, enables agile
enterprise-wide response to evolving threats
and appropriate upkeep and improvement of
a robust cybersecurity program.

■ Conclusion
Today’s cybersecurity risks affect organiza-
tions of all sizes and across industries
and lead to not only IT headaches but also
headaches for the entire business. Companies
are increasingly put into the unenviable
position of needing to put up shields against
a variety of cyberthreats, knowing that no
defense can provide perfect protection.
However, the C-suite nevertheless must
strive to employ strong cybersecurity com-
pliance and control measures that go beyond
mechanical satisfaction of applicable legal
rules, and the board has an obligation to


Baker & McKenzie — David Lashway, Partner; John
Woods, Partner; Nadia Banno, Counsel, Dispute
Resolution; and Brandon H. Graves, Associate

Risks of disputes and regulatory
investigations related to
cybersecurity matters

Disputes and regulatory investigations are two of the
more important risk categories related to cybersecurity
matters. These risk categories can create significant financial
exposure, brand risk, and distraction. In the worst
case, some of these risks could result in bankruptcy.

The risks related to disputes are traditional (e.g., litiga-
tion, arbitration, and negotiation of contract terms) and
novel (e.g., data ownership disputes). They arise not only
in the context of data breaches but in everyday operations.

Regulatory investigations are another source of risk.
This risk is hard to quantify because there is not clear
statutory authority for all regulatory investigations begun
or threatened. This creates uncertainty for regulated enti-
ties. The costs for non-compliance can be extensive, with
fines in the millions of dollars and consent decrees authorizing
audits for 20 years.

These risks affect businesses even in the absence of a
data breach incident. More businesses recognize this fact
and are accounting for these risks in all aspects of their
businesses. Businesses that attempt to deal with risk
related to cybersecurity matters as an afterthought may be
left behind.

Many businesses are international in scope and must
comply with cybersecurity rules and regulations in a vari-
ety of countries. This can create a highest-common-
denominator situation: businesses end up attempting to
comply with the strictest regime in which they operate.

The dynamic nature of cybersecurity matters makes it
impossible to completely enumerate every risk associated
with such matters. This chapter provides a short survey of
some of the most high-profile risks that all businesses will
face in our current economy.



■ Risks of disputes
Businesses have a growing awareness of
cybersecurity matters. As a result, cyberse-
curity matters will increasingly impact tradi-
tional business activities, such as contract

Plaintiffs also have an increasing aware-
ness of cybersecurity-related causes of
action. Courts have been receptive to some
of these causes of action and skeptical of oth-
ers, but plaintiffs continue to make threats in
pursuit of a lucrative settlement.

Dispute risks in business activities
Cybersecurity matters will impact every tra-
ditional business activity, if they do not
already. Two activities, contract negotiation
and data processing, are already subject to
dispute in many industries.

1. Contract negotiation. Contractual parties,
especially government agencies,
are becoming more sophisticated
about requesting provisions related
to cybersecurity during contract
negotiations. Frequently, these provisions
will place additional burdens on the
counterparty, leading to disputes during
negotiation. Many businesses are also
attempting to apply existing contract
provisions to cybersecurity matters.
When this reinterpretation is put forward
in the wake of a security breach, the
reinterpretation can lead to costly litigation.

a) Flow-down provisions. Federal agencies,
especially the Department of Defense,
are including more flow-down
provisions related to cybersecurity in
their contracts with suppliers. Often,
the agency requires its contractors
to include these provisions in their
contracts with subcontractors and
other contractual counterparties. As
these flow-down provisions expand
through the supply chain, businesses
with no direct connection with the
federal agency will see requests—or
demands—that they comply with
provisions drafted without their input.

These provisions can include security
standards and breach disclosure require-
ments. For instance, Defense Federal
Acquisition Regulation Supplement
(DFARS) 204.7300 requires “adequate
security” for all contractors and subcon-
tractors with systems on which con-
trolled technical information is resident
on or transits. As with many of these
provisions, “adequate security” is not
defined with a checklist but as “protective
measures that are commensurate
with the consequences and probability
of loss, misuse, or unauthorized access
to, or modification of information.”

These same provisions include report-
ing requirements for both actual and
potentially adverse effects on an infor-
mation system, which is a more strin-
gent requirement than many state
data breach requirements.

Compliance with these provisions will
be difficult, and the set language created
by such provisions prevents businesses
from negotiating more concrete
terms, forcing businesses to accept
uncertainty as a cost of entering into
such a contract.

b) Liability/indemnity. Cybersecurity creates
risk, and more businesses are looking
to affirmatively allocate that risk
through contractual terms. Actuaries
are still developing tables related
to cybersecurity risk (Congress is
discussing legislating on this issue), so
the allocation of risk in a contract may
not be based on methods as rigorous
as those in other risk allocations. This
will create tension between parties
who value the risk differently.

Cybersecurity incidents and the atten-
dant response can be very expensive,
with some sources placing the average
financial cost of a data breach in the
millions of dollars. The allocation of



press, which can create tension with
notification provisions.

2. Data ownership/data processing. Most state
breach notification laws differentiate
between data owners and data processors,
but existing contracts do not always
explicitly define these roles. Some
businesses have attempted to understand
these issues and have asserted ownership
(or, in some cases, denied ownership) of
data in the absence of a specific ownership
allocation. This can lead to disputes in
long-standing business relationships. One
business may seek to sell information it is
collecting while a contractual counterparty
is attempting to safeguard the same data.
Not all businesses seek to clarify this
relationship prior to selling data, which
can lead to significant disputes when such
sales come to light.

In the context of a data breach
Data breaches expose businesses to many
additional disputes. At times, these disputes
can be more problematic than the intrusion
itself. Contractual counterparties, customers,
and other impacted businesses may all seek
some compensation in the wake of a data
breach. Insurance companies may seek to
avoid payment under policies that arguably
apply, leading to additional litigation.

1. Contractual counterparties. Most contracts
have provisions that are either directly
or indirectly implicated by a data breach.
Some of these provisions are triggered
by a breach, such as obligations to
notify consumers whose information
is exposed. A counterparty may allege
that other provisions are broken by
an intrusion, such as a requirement to
have adequate or reasonable security.
Businesses often struggle with whether a
particular provision requires notification,
either because the provision itself is not
clear or because the business believes
that the intrusion does not rise to the
level contemplated in the contract.

such cost, combined with an increas-
ing chance of an incident triggering
these clauses, is an area likely to be
subject to dispute both during con-
tract negotiation and in the wake of
a breach.

Many contracts already contain liabil-
ity allocation provisions, but those
provisions do not explicitly address
cybersecurity matters. In the wake of a
cybersecurity incident, interpreting
the liability allocation provisions will
be a matter of some dispute.

c) Data security and notification. Laws,
regulations, and political and
consumer pressure have increased
businesses’ focus on the security of
consumer data. At the same time,
consumer data have become a more
valuable commodity. For instance,
AT&T and Apple both contested Radio
Shack’s ability to sell consumer data
during Radio Shack’s bankruptcy.

Recognizing these trends, businesses
are placing more provisions in contracts
that dictate security requirements.
Because the underlying consumer data
are valuable, these provisions may be
subject to significant disputes during
negotiations. Other businesses are
attempting to read existing provisions
as covering security requirements and
privacy responsibility.

Many businesses that entrust sensitive
data to counterparties are including
breach notification provisions in contracts.
These provisions vary greatly,
even within a single industry, and create
various thresholds for notification.
For instance, some provisions require
notification in the event of a breach.
Others require notification if there is
an indication of a breach. Many vic-
tims of a security breach seek to keep
the existence of a breach out of the



press, but business customers have also
pressed for indemnification in the wake
of an intrusion.

Disputes with business partners over data
breaches can disrupt normal operations,
above and beyond the disruption caused
by the data breach itself. The need to
resume normal operations can pressure
the victim to quickly agree to a settlement.

Customers will often file class actions in
the wake of a data breach. Plaintiffs’ lawyers
are growing more sophisticated in
how and where they file these actions.
Both individual consumers and financial
institutions have filed class actions, and,
in some cases, these class actions are con-
solidated into complicated multidistrict
litigation with multiple tracks for the dif-
fering plaintiffs. This creates expensive
and cumbersome litigation.

3. Other impacted businesses. Contractual
counterparties are not the only businesses
that may sue in the wake of a data breach.
Banks that issued cards implicated in
Target’s data breach are suing Target, even
if they lack any traditional relationship to
Target. Our more interconnected society has
spread the effects of cybersecurity problems,
and affected parties are developing more
creative methods to file suit against the
original victim of the intrusion.

4. Insurance. More and more insurance
companies are offering cyber policies,
and more businesses are attempting to
make claims for intrusions under general
policies. Insurance companies are, in
turn, attempting to limit the scope of
coverage. Some insurance companies are
denying claims, while others are carefully
reviewing invoices for services related to
data breaches. The cost to respond to a
breach can be expensive, and insurers will
continue to dispute claims and charges.
In some cases, this will lead to additional
litigation after the data breach response is

Counterparties may disagree with this
interpretation, leading to disputes if the
intrusion does come to light.

Notification provisions often have an
abbreviated time frame for notification.
Attempting to identify and comply with
notification provisions of impacted counterparties
can create additional stress
beyond the already significant stress
related to a data breach. Reviewing and
attempting to interpret these provisions
after an intrusion also creates risk of con-
tractual breach, as a business may not
discover the notification provision until
after the required time frame has passed.

In the wake of a breach, a victim’s securi-
ty will come under scrutiny, and a con-
tractual counterparty may argue that the
security was inadequate under the con-
tract. For instance, in the DFARS provi-
sion discussed previously, “adequate
security” is ripe for protracted litigation
in the wake of a cybersecurity incident. It
is difficult to define such terms adequately
and still provide flexibility in the face
of changing threats.

In some industries, such as those that deal
with payment cards, many security
requirements are codified and subject to
audit. The victim of a data breach may be
subject to a more intrusive audit to confirm
its security.

Many contracts that involve confidential
data have a provision for certifying that
the confidential data have been destroyed.
A counterparty may rightly inquire how
such a certification was made in the wake
of a cybersecurity incident.

2. Customers. Many intrusions lead to
lawsuits by customers, whether they be
individual consumers or large businesses.
Recent card breaches have resulted in
significant class-action litigation, and
these cases have received much of the



■ Risks of regulatory investigations
Certain regulators have explicit statutory
jurisdiction over cybersecurity matters.
Other regulatory agencies do not, but they
attempt to regulate such matters under
their existing, general jurisdiction. As pub-
lic and congressional scrutiny of cybersecu-
rity measures increases, regulators will be
more aggressive in asserting jurisdiction
over their regulated entities’ cybersecurity

Federal regulators
1. Industry regulators. Traditional regulators
have already applied or are planning to
apply standards related to cybersecurity
matters to their regulated entities.
The Federal Financial Institutions
Examination Council (FFIEC), the Federal
Trade Commission (FTC), the Federal
Communications Commission (FCC),
the Department of Health and Human
Services (HHS), and the Department
of Homeland Security (DHS) are some
of the regulators that have sought to
regulate cybersecurity matters among
their regulated entities. In addition,
the National Institute of Standards and
Technology (NIST) publishes documents
that plaintiffs and regulators apply in
analyzing a business’s cybersecurity.

The FFIEC has been one of the leading
regulators with regard to cybersecurity.
The FFIEC has had an IT examination
handbook for several years and is developing
a tool to help financial institutions
assess risk. In addition, the FFIEC requires
financial institutions to require certain
cybersecurity measures of the institu-
tions’ third-party service providers, effec-
tively expanding the FFIEC’s jurisdiction.
The FFIEC has experience in investigating
data breaches and imposing punishments
based on insufficient security. Other regulators
look to the FFIEC’s examination
handbook to inform their own regula-
tions and investigations.

The FTC has been aggressive in filing
administrative complaints against busi-
nesses that, in the eyes of the FTC, do not
adequately protect sensitive consumer
information. The FTC requires, among
other things, “reasonable security” but provides
no formal definition. This creates
uncertainty for businesses seeking to
understand their obligations. The FTC is
involved in litigation in federal court
concerning both its jurisdiction over data
security and the standards it applies to
businesses. Congress is considering a bill to
formalize FTC jurisdiction over data secu-
rity, which may further empower the FTC.

The FCC’s Cybersecurity and
Communications Reliability Division
works to maintain the reliability of commu-
nications infrastructure in the face of vari-
ous cyberthreats. In 2014 the FCC began
imposing substantial fines on wireless carriers
for insufficiently secured sensitive consumer
information.

HHS regulates cybersecurity matters
under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA).
Under this authority, HHS has imposed
multimillion-dollar fines for insufficient
data security.

DHS is involved in coordinating informa-
tion sharing, securing critical infrastruc-
ture, and protecting federal cybersecurity
assets. Currently, its programs for most
private businesses are voluntary, but as
Congress continues to focus on informa-
tion sharing as a key component of reduc-
ing cybersecurity incidents, plaintiffs and
courts will see these programs less as
voluntary and more as the minimum
standard of care.

NIST publishes an array of standards
related to cybersecurity. Although none of
these standards are binding on private
entities (at least as of publication), they



are often cited as what is reasonable secu-
rity or as industry standard. In addition,
plaintiffs and regulators look to NIST
standards to inform allegations made in
complaints and investigations.

2. Securities and Exchange Commission. The
Securities and Exchange Commission
(SEC), under pressure from Congress, has
focused on public statements concerning
data breaches. This focus encompasses
both disclosures made after breaches and
risk factors made in market reports. To
date, the SEC has stated that the materiality
analysis for data breaches is the same as for
other risk factors, but there is little formal
notice or adjudication on these statements,
creating uncertainty and risk.

The SEC released guidance on cybersecu-
rity risks in 2011. According to the SEC,
registrants “should disclose the risk of
cyber incidents if these issues are among
the most significant factors that make
an investment in the company specula-
tive or risky.”

The SEC, in conjunction with the Financial
Industry Regulatory Authority, has
engaged in enforcement actions against
the entities they regulate for insufficient
security for both customer data and
market data.

State regulators
State regulators and attorneys general are
also involved in cybersecurity matters;
indeed, state attorneys general have been
active in investigating data breaches. Each
state has a different legal environment con-
cerning data breaches. These attorneys gen-
eral typically assert jurisdiction when the
state’s citizens are impacted, potentially
exposing a business to an investigation even
if the business does not typically operate in
the state.

California has generally been the first
state to impose data breach notification
requirements. California passed its data
breach notification law in 2003. In the time
since, California has expanded what data are
covered by the statute, including most
recently usernames and passwords. Most
other states have similar statutes.

Several other states, including Vermont,
New York, and Michigan, have been par-
ticularly active in investigations. For certain
larger breaches, some state attorneys gen-
eral will work together in a coordinated

■ Conclusion
Cybersecurity matters create extensive risks
for business. Foremost among these are risks
related to disputes and regulatory investigations.
These risks are not fully defined and
likely never will be.


K&L Gates LLP – Roberta D. Anderson, Partner

Legal considerations for
cybersecurity insurance

■ Legal, regulatory, and additional concerns driving
the purchase of cybersecurity insurance

Legal liability, regulatory and other exposures surrounding cybersecurity
and data privacy-related incidents
In addition to a seemingly endless stream of data breaches
and other serious cybersecurity and data protection-related
incidents, the past several years have seen significantly
amplified legal liability surrounding cybersecurity
and data privacy, a remarkable proliferation and expan-
sion of cybersecurity and privacy-related laws, and
increasingly heightened regulatory scrutiny.

In the wake of a data breach of any consequence, an
organization is likely to face myriad different forms of legal
and regulatory exposure, including class action litigation,
shareholder derivative litigation, regulatory investigation,
the costs associated with forensic investigation, notification
to persons whose information may have been compro-
mised, credit monitoring, call center services, public rela-
tions expenses, and other event management activities.

Beyond third-party liability and event management
activities, organizations face substantial first-party losses
associated with reputational injury and damage to brand in
the wake of a serious breach event. They also face substan-
tial business income loss if an event disrupts normal day-
to-day business operations. Even if an organization’s own
system is not compromised, the organization may suffer
significant losses if an incident affects a key vendor, cloud
provider, or any key third party in the organization’s prod-
uct and service supply chain. Also at stake is the organiza-
tion’s digital assets, the value of which in some cases may
eclipse the value of the organization’s other property.

Cybersecurity insurance can play a vital role in an
organization’s overall strategy to address, mitigate, and
maximize protection against the legal and other exposures
flowing from data breaches and other serious cybersecurity,
privacy, and data protection-related incidents.



SEC’s cybersecurity risk factor disclosure guidance and
cybersecurity insurance
In October 2011, in the wake of what it
phrased “more frequent and severe cyber
incidents,” the Securities and Exchange
Commission’s (SEC’s) Division of Corporation
Finance issued disclosure guidance on cyber-
security, which advises that companies
“should review, on an ongoing basis, the
adequacy of their disclosure relating to
cybersecurity risks and cyber incidents.” The
guidance advises that “appropriate disclo-
sures may include,” among other things, a
“[d]escription of relevant insurance cover-
age” that the company has in place to address
cybersecurity risk.

SEC comments in this area have regularly
requested information regarding “whether
[the company] ha[s] obtained relevant insur-
ance coverage,” as well as “the amount of [the
company]’s cyber liability insurance.” More
recently, the SEC is asking not only whether
the company has cybersecurity insurance and
how much the company has but also how
solid the company’s coverage is:

“We note that your network-security insur-
ance coverage is subject to a $10 million
deductible. Please tell us whether this
coverage has any other significant limitations.
In addition, please describe for us the
‘certain other coverage’ that may reduce
your exposure to Data Breach losses.”
(Emphasis added.)
“We note your disclosure that an unau-
thorized party was able to gain access to
your computer network ‘in a prior fiscal
year.’ So that an investor is better able to
understand the materiality of this cyber-
security incident, please revise your dis-
closure to identify when the cyber inci-
dent occurred and describe any material
costs or consequences to you as a result of
the incident. Please also further describe
your cyber security insurance policy,
including any material limits on cover-
age.” (Emphasis added.)

The SEC’s guidance provides another com-
pelling reason for publicly traded companies

to carefully evaluate their current insurance
program and consider purchasing cyberse-
curity insurance.

■ The exclusion of cybersecurity and data
privacy-related coverage from traditional
insurance policies

In response to decisions upholding coverage
for cybersecurity and data privacy-related
risks under traditional lines of insurance cov-
erage, such as Commercial General Liability
(CGL) coverage, the insurance industry has
added various limitations and exclusions to
traditional lines of coverage.

By way of example, Insurance Services
Office (ISO), the insurance industry organization
that develops standard insurance policy
language, recently introduced a new
series of cybersecurity and data breach exclu-
sionary endorsements to its standard-form
CGL policies, which became effective in May
2014. One of the endorsements, entitled
“Exclusion – Access Or Disclosure Of
Confidential Or Personal Information And
Data-Related Liability – Limited Bodily Injury
Exception Not Included,” adds the following
exclusion to the primary CGL policy:

This insurance does not apply to:

p. Access Or Disclosure Of Confidential Or
Personal Information And Data-related

Damages arising out of:

(1) Any access to or disclosure of any
person’s or organization’s confidential
or personal information, including
patents, trade secrets, processing
methods, customer lists, financial
information, credit card information,
health information or any other type
of non public information; or

(2) The loss of, loss of use of, damage to,
corruption of, inability to access, or
inability to manipulate electronic data.

This exclusion applies even if damages
are claimed for notification costs, credit



■ Types of cybersecurity insurance
Established coverages
There are a number of established third-
party coverages (i.e., covering an organiza-
tion’s potential liability to third parties) and
first-party coverages (e.g., covering the
organization’s own digital assets and income
loss) as summarized in Table 1:

Emerging markets
In addition to the established coverages,
three significant emerging markets provide
coverage for the following:

• first-party losses involving physical asset
damage after an electronic data-related

• third-party bodily injury and property
damage that may result from an electronic
data-related incident

monitoring expenses, forensic expenses,
public relations expenses or any other
loss, cost or expense incurred by you or
others arising out of that which is
described in Paragraph (1) or (2) above.

In connection with its filing of the endorsements,
ISO stated that “when this endorsement
is attached, it will result in a reduction
of coverage. . . .”

Although there may be significant potential
coverage for cybersecurity and data
privacy-related incidents under an organization’s
traditional insurance policies, including
its Directors’ and Officers’ Liability,
Professional Liability, Fiduciary Liability,
Crime, CGL, and Commercial Property poli-
cies, the new exclusions provide another
reason for organizations to carefully consider
specialty cybersecurity insurance products.



Type: Description

Privacy liability: Generally covers third-party liability, including defense and judgments or settlements, arising from data breaches, such as the Target breach, and other failures to protect protected and confidential information

Network security: Generally covers third-party liability, including defense and judgments or settlements, arising from security threats to networks, e.g., inability to access the insured’s network because of a DDoS attack or transmission of malicious code to a third-party network

Regulatory liability: Generally covers amounts payable in connection with administrative or regulatory investigations and proceedings, including regulatory fines and penalties

PCI DSS liability: Generally covers amounts payable in connection with payment card industry demands for assessments, including contractual fines and penalties, for alleged noncompliance with PCI Data Security Standards

Media liability: Generally covers third-party liability arising from infringement of copyright or other intellectual property rights and torts such as libel, slander, and defamation, which arise from media-related activities, e.g., broadcasting and advertising



• reputational injury resulting from an
incident that adversely affects the public
perception of the insured organization or
its brand.

Because privacy and electronic data-related
exclusions continue to make their way into
traditional property and liability insurance
policies, and given that an organization’s
largest exposures may flow from reputational
injury and brand tarnishment, these emerg-
ing coverages will be increasingly valuable.

■ Strategic tips for purchasing cybersecurity

Cybersecurity insurance coverage can be
extremely valuable, but choosing the right
insurance product presents significant challenges.
A diverse and growing array of products
is in the marketplace, each with its own
insurer-drafted terms and conditions that
vary dramatically from insurer to insurer—
and even between policies underwritten by
the same insurer. In addition, the specific
needs of different industry sectors, and dif-
ferent organizations within those sectors, are
far-reaching and diverse.

Although placing coverage in this dynam-
ic space presents a challenge, it also presents
substantial opportunity. The cyber insurance
market is extremely competitive, and cyber
insurance policies are highly negotiable.
This means that the terms of the insurers’
off-the-shelf policy forms often can be significantly
enhanced and customized to
respond to the insured’s particular circumstances.
Frequently, very significant enhancements
can be achieved for no increase in

The following are five strategic tips for
purchasing cyber insurance:

Adopt a team approach.
Successful placement of cybersecurity insur-
ance coverage is a collaborative undertak-
ing. Because of the nature of the product and
the risks that it is intended to cover, success-
ful placement requires the involvement and
input not only of a capable risk management
department and a knowledgeable insurance
broker but also of in-house legal counsel and
IT professionals, resources, and compliance
personnel—and experienced insurance cov-
erage counsel.


Type: Description

Crisis management: Generally covers “crisis management” expenses that typically follow in the wake of a breach incident, e.g., breach notification costs, credit monitoring, call center services, forensic investigations, and public relations efforts

Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of computer systems/networks

Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of a third-party’s computer systems/networks

Digital assets: Generally covers the organization’s costs associated with replacing, recreating, restoring, and repairing damaged or destroyed computer programs, software, and electronic data

Extortion: Generally covers losses associated with cyber extortion, e.g., payment of an extortionist’s demand to prevent a cybersecurity or data privacy-related incident




Understand risk profile and tolerance.
A successful insurance placement is facilitated
by having a thorough understanding
of an organization’s risk profile, including
the following:

� the scope and type of data maintained by
the company and the location and manner
in which, and by whom, such data are
used, transmitted, handled, and stored

� the organization’s network infrastructure
� the organization’s cybersecurity, privacy,

and data protection practices
� the organization’s state of compliance

with regulatory and industry standards
� the use of unencrypted mobile and other

portable devices.

Many other factors may warrant consideration. When an organization has a grasp on its risk profile, potential exposure, and risk tolerance, it is well positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.

Ask the right questions.
It is important to carefully evaluate the coverage under consideration. Table 2 shows ten of the important questions to ask when considering third-party and first-party cyber

The list is not exhaustive, and many other questions should be considered, including, for example, the extent to which the policy
Third-Party

Does the policy:
• cover the acts, errors, and omissions of third parties, e.g., vendors, for which the organization may be liable?
• cover data in the care, custody, or control of third parties, e.g., cloud
• cover new and expanding privacy laws and regulations?
• cover personally identifiable information in any form, e.g., paper records?
• cover confidential corporate data, e.g., third-party trade secrets?
• cover wrongful or unauthorized collection of data?
• cover regulatory fines and penalties?
• cover PCI DSS-related liability?
• exclude the acts of “rogue” employees?
• exclude unencrypted devices?

First-Party

Does the policy:
• cover business income loss resulting from system failures in addition to failures of network security, e.g., any unplanned
• cover business income loss resulting from cloud failure?
• cover contingent business income loss resulting from the failure of a third-party network?
• cover data restoration costs?
• cover business income loss after a network is up and running, but before business returns to full pre-incident operation?
• contain hourly sublimits?
• contain an hourly “waiting period”?
• contain a sublimit applicable to the contingent business income coverage?
• exclude loss for power failure or blackout/
• exclude software programs that are unsupported or in a testing stage?



an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists who may not appreciate the nuances and idiosyncrasies of insurance coverage law. For these reasons, it is advisable to have insurance coverage counsel involved in the application process.

■ Tips for prevailing in cyber insurance coverage litigation

As CNA’s recently filed coverage action in the Columbia Casualty case illustrates, cybersecurity insurance coverage disputes and litigation are coming. In the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations should anticipate that their insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage to decrease the likelihood of a coverage denial. In contrast to many types of commercial insurance policies, cybersecurity policies are extremely negotiable, and the insurer’s off-the-shelf forms can usually be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid form is in place, however, and there is a solid claim for coverage under the policy language and applicable law, insurers can and do deny coverage.

When facing coverage litigation, organizations are advised to consider the following five strategies to prevail:

Tell a concise, compelling story.
In complex insurance coverage litigation, there are many moving parts and the issues are typically nuanced and complex. It is critical, however, that these nuanced, complex issues come across to a judge, jury, or arbitrator as simple and straightforward. Getting overly caught up in the weeds of policy interpretive and legal issues, particularly at the

covers, or excludes, cyberterrorism. In all cases, the organization should request a retroactive date of at least 1 year prior to the policy inception, given that advanced attacks go undetected for a median of 229 days.

Beware the fine print.
Like any other insurance policy, cybersecurity insurance policies contain exclusions that may significantly curtail and undermine the purpose of the coverage. Some insurers, for example, may insert exclusions based on purported shortcomings in the insured’s security measures. One case recently filed in the California federal court on May 7, 2015, highlights the problems with these types of exclusions. The case is Columbia Casualty Company v. Cottage Health System, in which Columbia Casualty, CNA’s non-admitted insurer, seeks to avoid coverage under a cybersecurity insurance policy for the defense and settlement of a data breach class action lawsuit and related regulatory investigation. CNA relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. These types of broadly worded, open-ended exclusions can be acutely problematic and impracticable. If enforced literally, they may vaporize the coverage that the policy is intended to provide. The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cybersecurity insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them or to entirely eliminate them—and often this does not cost additional premium.

Pay attention to the application.
CNA in the Columbia Casualty case also seeks to deny coverage based upon alleged misrepresentations contained in the insured’s insurance application relating to the risk controls. The important takeaway is that cybersecurity insurance applications can, and usually do, contain a myriad of questions concerning



CNA represented in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber liability and CNA NetProtect

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes, and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.

It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent, and interpretation of the policy terms and conditions, claims handling, and other matters depending on the particular circumstances of the coverage action.

Secure the best potential venue and choice of law.
One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum selection clause, can be critical to potential success, among other reasons because the choice of forum may have a significant impact on the related choice-of-law issue, which in some cases is outcome-determinative. Insurance contracts are interpreted according to state law and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different

outset, risks losing the organization’s critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow, and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as the following:

“They promised to protect us from a cyber
breach if we paid the insurance premium. We
paid the premium. They broke their promise.”

Place the story in the right context.
It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cybersecurity insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that affect the insured’s network. Others contain broadly worded, open-ended exclusions such as the one at issue in the Columbia Casualty case, which, if enforced literally, would largely if not entirely vaporize the coverage ostensibly provided under the policy. These types of exclusions can be acutely problematic and impracticable. A myriad of other traps in cyber insurance policies—even more in those that are not carefully negotiated—may allow insurers to avoid coverage if the language were applied literally.

If the context is carefully framed and explained, however, judges, juries, and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In this context, however, comprising the extremely complex areas of cybersecurity and data protection, any insured can reasonably be expected to make mistakes in implementing security. This reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. In addition,



Importantly, it will give the organization unique access to compelling arguments based upon the context, history, evolution, and intent of this line of insurance product. Likewise, during the discovery phase, coverage counsel with unique knowledge and experience is positioned to ask for and obtain the particular information and evidence that can make or break the case—and will be able to do so in a relatively efficient, streamlined manner. In addition to creating solid ammunition for trial, effective discovery often leads to successful summary judgment rulings, thereby, at a minimum, streamlining the case in a cost-effective manner and limiting the issues that ultimately go to a jury. Likewise, counsel familiar with all of the many different insurer-drafted forms as they have evolved over time will give the organization key access to arguments based upon obvious and subtle differences between and among the many different policy wordings, including the particular language in the organization’s policy. Often in coverage disputes, the multi-million dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.

■ Conclusion
Cyber insurance coverage can be extremely valuable. Although placing coverage in this dynamic space presents challenges, it also presents substantial opportunities. Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable, and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim. If a claim arises, following sound litigation strategies and refusing to take “no” for an answer will greatly increase the odds of securing valuable coverage.

interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice of law analysis before initiating coverage litigation or selecting a venue or, where the insurer files first, before taking a choice of law position or deciding whether to challenge the insurer’s selected forum.

Consider bringing in other carriers.
Often when there is a cybersecurity, privacy, or data protection-related issue, more than one insurance policy may be triggered. For example, a data breach like the Target breach may implicate an organization’s cybersecurity insurance, CGL insurance, and Directors’ and Officers’ Liability insurance. To the extent that insurers on different lines of coverage have denied coverage, it may be beneficial for the organization to have those insurance carriers pointing the finger at each other throughout the insurance coverage proceedings. Again considering the context, a judge, arbitrator, or jury may find it offensive if an organization’s CGL insurer is arguing, on the one hand, that a data breach is not covered because of a new exclusion, and the organization’s cybersecurity insurer also is arguing that the breach is not covered under the cyber policy that was purchased to fill the “gap” in coverage created by the CGL policy exclusion. Relatedly, it is important to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.

Retain counsel with cybersecurity insurance expertise.
Cybersecurity insurance is unlike any other line of coverage. There is no standardization. Each of the hundreds of products in the marketplace has its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Obtaining coverage litigation counsel with substantial cybersecurity insurance expertise assists an organization on a number of fronts.


Wilson Elser Moskowitz Edelman & Dicker LLP –
Melissa Ventrone, Partner and Lindsay Nickle, Partner

Consumer protection: What is it?

From a legal perspective, consumer protection is the application of rules and regulations to agencies, businesses, and organizations that require them to protect their customers from intentional and unintentional harm. Instead of caveat emptor, or buyer beware, the business entity has a mandate to protect its customers from the bad things that may befall them. In essence, the government has decided it is the business’s responsibility to protect the least sophisticated consumers from themselves and what may happen to them.

The intersection of consumer protection and cybersecurity imposes a responsibility on businesses to protect their consumers’ information. Unlike many areas of business, when an organization is the victim of a criminal attack, such as being hacked, the business is not considered a victim. Instead, the customers are considered the victims, and the business becomes a potential scapegoat—the target of inquiries, investigations, irate customers, reputational harm, and lost business, even though it was the business that suffered the criminal activity. Leading experts agree that no organization is immune from cyberattacks and that impenetrable data security is not possible. Nevertheless the media and the public continue to vilify and hold businesses responsible for failing to do what experts agree cannot be done.

Consumers demand that organizations safeguard their privacy and protect their information from data breaches; however, those same consumers are impatient and intolerant when security measures slow services or degrade usability. Some may terminate their relationships as a result, jumping ship to underfunded start-ups simply because consumers want what they want, and they want it now.



What does this mean? Well, according to an FTC report, this means that an organization’s data security measures must be “reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.” In other words, the FTC can choose to investigate an organization simply because the FTC believes the organization is doing a poor job protecting consumers’ information. Confused? You are not alone. Frankly, it appears that the FTC views poor cybersecurity practices a bit like courts view pornography—they know it when they see it.

Organizations looking for guidance from the FTC on appropriate security measures to protect consumer information may find themselves twisting in the wind like the last leaf on a tree. The FTC has not issued any detailed guidelines on what constitutes “reasonable security measures.” To be fair, the FTC most likely struggles, as do many agencies, with establishing guidelines that are flexible enough to apply to a wide range of organizations in a variety of industries, yet structured enough to set a
The FTC addressed this argument by instructing companies to review its previous consent decrees to identify “reasonable”—or more appropriately, what it considered to be unreasonable—security standards. Thus, in the midst of day-to-day operations, the FTC apparently expects an organization to carefully review a multitude of previous consent decrees to identify what it should be doing to reasonably protect consumers’

Organizations can also review a 15-page guide the FTC published in 2011, Protecting Personal Information: A Guide for Business. This guide informs organizations that a “sound business plan” is based on five

• Know what information you have and who has access to the information.

Adding to the difficulty of trying to balance data privacy and security with innovation and usability, organizations must concurrently maintain compliance with the myriad of state and federal data privacy and security laws, regulations, and guidelines. It would take several books to outline all the laws, regulations, and guidelines that affect consumer protection and cybersecurity. This chapter is designed to provide organizations with an understanding of those laws that have the most significant impact on privacy and security from a consumer protection perspective. There is no better place to start this discussion than by examining the recent activities of the Federal Trade Commission (FTC).

■ Cybersecurity, consumer protection, and the FTC

The FTC has deemed itself the enforcer of data privacy and security, the ultimate authority responsible for protecting consumer privacy and promoting data security in the private sector. In fact, the FTC commonly is considered the most active agency in the world in this area. Although the debate continues on whether the FTC has authority to police data privacy and security under section 5 of the FTC Act, organizations must be aware that the FTC and other regulators are monitoring practices and investigating and enforcing various laws under the guise of privacy and cybersecurity as a consumer protection issue.

The FTC regulates this space under section 5 of the FTC Act, which prohibits unfair or deceptive practices. The FTC may choose to investigate an organization if it believes that the organization has made materially misleading statements or omissions regarding the security provided for consumers’ personal data. Further, according to a prepared statement by the FTC, “a company engages in unfair acts or practices if its data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by the consumer nor outweighed by countervailing benefits to consumers or to competition.”



priority is the strengthening of cybersecurity in the marketplace, particularly as it pertains to the financial industry and those businesses and organizations that provide services in the financial sector. To that end, in the summer of 2014, the FFIEC completed a cybersecurity assessment involving more than 500 community financial institutions with the goal of determining how prepared those institutions were to mitigate cyber risks. The results are instructive as potential standards for the efforts an organization should take when its operations interact with or are tangential to the financial industry, or simply when a business collects, stores, or shares consumers’ private information.

Cyber preparedness—which is the crux of consumer protection—encompasses the

• Risk management and oversight: Organizations should proactively train employees, allocate resources, and exercise control and supervision of cybersecurity operations. This includes involving upper-level management and boards.

• Threat intelligence: A business should undertake processes to educate, identify, and track cyber activities, vulnerabilities, and threats.

• Cybersecurity controls: Businesses should implement controls to prevent unauthorized access or exposure of information, to detect attacks or attempts to compromise systems, and to correct known and identified vulnerabilities. As the industry begins to more fully recognize the futility of keeping malicious attackers outside the network perimeter, companies also should implement controls that more quickly identify when malicious activity takes place inside the

• External dependency management: Organizations should have processes in place to manage vendors and third-party service providers and help ensure that connections to systems are secure, as well as processes to audit and evaluate the third-party’s cybersecurity protections.

• Keep only that information needed to conduct business.
• Protect the information in your control.
• Properly dispose of information that is no longer needed.
• Prepare a plan for responding to security

Although this may have been an accurate list in 2011, any company that limits its cybersecurity program to these five principles will quickly discover its inadequacies. The FTC claims to recognize that there is no one-size-fits-all data security program, no program is perfect, and the mere fact that a breach occurs does not mean a company has violated the law.

Organizations must be aware of the FTC’s heightened activity in this space. Right now, data privacy and protection of consumer information has the public’s attention and is sometimes used as a political platform. Organizations must have an in-depth understanding of their cybersecurity posture, identify key vulnerabilities, and have a plan to either mitigate or remediate problems. Failure to place consumer protection and cybersecurity at the top of its priority list may land an organization in the FTC’s crosshairs.

■ Cybersecurity, consumer protection, and the financial industry

As in other industries, cybersecurity and consumer protection in the financial sector are a patchwork of federal statutes, regulations, agencies, and enforcers. There are five federal banking regulatory agencies: the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Consumer Financial Protection Bureau (CFPB). A representative from each of them sits on the Federal Financial Institutions Examination Council (FFIEC), which is empowered to set out principles, standards, and forms for the uniformity of the supervision of financial institutions. A top FFIEC



regulatory agencies and state insurance

Those entities governed by the SEC (Securities and Exchange Commission) and FINRA (Financial Industry Regulatory Authority) are expressly required to develop written identity theft prevention programs and, in the face of a breach, will likely face questions regarding cybersecurity policies and efforts. Further, the regulations imposing these requirements mandate that upper-level management signs off on any written program and participates in its administration. As the goal of these requirements is to protect customer information, an organization should be mindful to design programs that consider the nature of the organization’s operations, as well as its size and complexity, so that the plan can be effectively implemented to achieve its desired goals.

The OCC recommends all banks and financial institutions implement incident response and business continuity plans and test those plans regularly. It also sets supervisory expectations about how financial institutions and third-party service providers in the financial sector can and should safeguard sensitive information. The OCC conducts on-site audits of financial institutions and certain third-party service providers to confirm compliance. The OCC also gets involved in the aftermath of cyberattacks to assess the corrective actions that financial institutions take in response. The OCC is vested with the authority to require the banks subject to their regulation and the banks’ service providers to take steps to protect systems, prevent loss or theft of sensitive information, and mitigate identity theft.

In 2007, under the terms of the Fair and Accurate Credit Transactions Act, the OCC, FRB, FDIC, NCUA, and FTC issued regulations requiring creditors and financial institutions to develop and implement formal written programs aimed at identifying and preventing identity theft (the Red Flags Rule). Large banks have resident OCC investigators trained to assess cybersecurity

• Cyber incident management and resilience: Organizations should have procedures and processes to detect incidents, respond to those incidents, mitigate the impact of the incidents, document and report on the incidents, and provide for recovery and business continuity.

Within the financial sector, and regarding businesses that interact with the financial sector, these can reasonably be considered the components of due diligence. Efforts to protect consumers from the dangers of the exposure of personal information entrusted to a business involve guiding the organization through these steps on a scale appropriate to the size of the business and the scope of the information involved.

Adding to the complexity of compliance, there are multiple statutes and regulations that expressly require businesses to undertake security measures and notify consumers regarding privacy and information-sharing practices. The Gramm-Leach-Bliley Act (GLBA) and the corresponding regulations adopted to implement its requirements are aimed at protecting consumer interests. Similar to other regulations, businesses are required by the GLBA Safeguard Rule to use “reasonable security measures” to protect consumer information that they collect and store. In the financial services industry, this often includes highly sensitive information, such as Social Security numbers, financial account numbers, and income and credit histories.

Fortunately, the GLBA outlines, at least in some fashion, what constitutes “reasonable security measures.” For instance, the GLBA Safeguard Rule requires the development and implementation of a written information security plan. In addition, the Rule requires companies to provide an annual written privacy notice to its customers that clearly, conspicuously, and accurately explains its information-sharing practices and provides customers the right to opt out of the organization’s sharing practices. Both of these consumer protections are enforced by the FTC along with several other federal



other organizations that may receive health information from covered entities while performing various services. HIPAA is enforced primarily by the U.S. Department of Health and Human Services Office of Civil Rights (OCR). State attorneys general also have the authority to enforce HIPAA.

OCR’s authority to enforce HIPAA encompasses covered entities regardless of size and their “business associates,” a term that includes first-tier vendors that contract directly with covered entities and all downstream entities that receive PHI in the course of their business. Perhaps the most helpful aspect of HIPAA is that it specifies privacy requirements that covered entities must follow, as well as identifies security elements for covered entities to consider.

The HIPAA Privacy Rule outlines standards for the use and disclosure of all forms of PHI and categorizes PHI into three major “usage” categories: treatment, payment, and health care operations and sets up rules associated with each use. Uses that fall outside of these categories or that do not qualify as any of the exceptions described in the rule require an authorization from the affected individual. Meanwhile, the HIPAA Security Rule establishes standards for preserving the confidentiality, integrity, and availability of electronic PHI. Specifically, the Security Rule requires covered entities to have appropriate administrative, physical, and technical safeguards in place to protect PHI and contains detailed security requirements for protecting PHI. For instance, covered entities must conduct an assessment of the risks to and vulnerabilities of the protected health information. These guidelines provide organizations with concrete examples of steps needed to protect PHI and hence the consumer information in their systems. However, organizations should be aware that compliance with HIPAA is a minimum standard. As technology continues to change and develop, circumstances may require organizations to exceed the minimum HIPAA compliance requirements to effectively protect consumer

issues. Smaller banks face on-site visits every 12 to 18 months. In 2013, the OCC updated its Third-Party Relationship Risk Management Guidance to set out expectations for risk assessment and management of third-party relationships. The senior management and boards of banks retain responsibility for cybersecurity even when third parties are involved. As a result, the OCC mandates comprehensive oversight and management of third-party relationships throughout the life of each relationship. This requires extensive due diligence prior to establishing a relationship, execution of written contracts that should include the right to audit the third party, ongoing monitoring, documentation, and reporting regarding risk management processes, and independent review of processes. Further, the OCC requires that third-party contracts stipulate that the OCC has the authority to examine and regulate the services provided to the bank by the third party.

The fi nancial industry is highly regulat-
ed, and its consumer protection and cyber-
security aspects are no exception. Identity
theft, at its heart, is a consumer protection
issue. Enforceable security guidelines set
out by regulators and aimed at the protec-
tion of consumer information trickle down
to service providers, as the fi nancial institu-
tions are affi rmatively charged with manag-
ing risks associated with vendors and
service providers. The recommendations
and requirements of the financial regulators
make clear that extensive due diligence,
monitoring, planning, and management are
required in the quest to take reasonable
security measures.

■ Health care, cybersecurity, and consumer

Any discussion of consumer protection and
cybersecurity must include a discussion of
the health care industry. The Health
Insurance Portability and Accountability
Act of 1996 (HIPAA) governs protected
health information (PHI) maintained by
various organizations that fall under the
jurisdiction of HIPAA (covered entities) and



This is an important point, because in
addition to OCR, the FTC considers itself
empowered to regulate organizations that
are covered by HIPAA. According to the
FTC, HIPAA does not preempt the FTC’s
authority to also regulate covered entities.
Furthermore, in 2010 the FTC issued the
Health Breach Notification Rule, which man-
dates that entities not covered by HIPAA
that experience a breach of a “personal
health record” provide notification to the
affected consumer.

Covered entities and their business asso-
ciates must do more than merely “check the
box” on cybersecurity compliance. If an
organization faces an OCR investigation, it
will be required to provide information
related to its entire data privacy and security
program, not just information related to the
“incident” that triggered the investigation.
Often, organizations are required to provide
evidence of policies and procedures going
back several years.

As part of its efforts to enforce compli-
ance with HIPAA, OCR conducted security
audits of covered entities in 2011 and 2012,
commonly referred to as Phase 1. Although
Phase 2 was delayed until OCR imple-
ments a web portal that enables covered
entities to submit information, in May 2015
OCR began sending the first surveys of
Phase 2 audits, so covered entities and their
business associates should be prepared for
this next phase. Similar to other agencies,
OCR intends to audit the cybersecurity
practices of the organizations that fall
under its jurisdiction. OCR previously
announced that it would conduct a pre-
audit survey of 800 covered entities and
400 business associates, and from that pool
select 350 covered entities and 50 business
associates for a full audit.

The audits will take place over three years
and will focus on:

• Risk analysis and risk management (the
Security Rule)

• Notice of privacy practices and access
rights (the Privacy Rule)

• Content and timeliness of breach
notification (the Breach Notification Rule).

Phase 2 audits will likely not be as compre-
hensive as the audits in Phase 1 and will
focus on key high-risk areas OCR learned of
in its Phase 1 audits.

Health care information is commonly con-
sidered the most sensitive and personal
information a consumer has, and it therefore
deserves increased security controls. This is
perhaps recognized by the authority of the
state attorneys general to enforce HIPAA, a
provision not found in all federal statutes.
Numerous states have passed laws specifi-
cally intended to protect personal health
information, regardless of whether the
organization holding such information is
considered a “covered entity” under HIPAA.
As health care breaches continue to increase
in number, organizations should expect
greater regulatory scrutiny and activity relat-
ed to their efforts to protect consumer health

■ State laws and regulations
In addition to the federal landscape, busi-
nesses should be aware that state laws and
regulations affect consumer protection obli-
gations. Various states have laws that affect
specific industries and general consumer
protection laws that may be implicated in
business practices. This is a growing concern
with the increase in e-commerce. Businesses
that in the past would have limited their
footprint to the jurisdiction of a single state
now are more likely to encounter customers
across state lines. Because the applicability
of state laws affecting consumers and
cybersecurity is often triggered by
the residence of the consumer, even small
businesses can find that they face unexpect-
ed multijurisdictional questions.

■ Recommendations and conclusion
Given the wide range of laws, regulations,
and guidelines—only a few of which could
be covered here—how do organizations
begin to navigate these treacherous waters?


Organizations must build privacy and secu-
rity into their systems, processes, and ser-
vices from the ground up and from the top
down. Education and training for all employ-
ees should start on day one and be continu-
ous. The time and effort required to assess
cyber risk and understand data is minimal
compared with the potential implications of
failing to do so. Technology is constantly
evolving, which means cybersecurity does
as well, and an organization’s efforts to pro-
tect consumer information must similarly
adapt. It is better to have considered a tool
and rejected it because it substantially
degrades the service offered than to ignore
the vulnerability entirely. Organizations
must face cybersecurity risks as an enter-
prise and leverage industry experts to guide
them through this quagmire of laws, regula-
tions, and threats.


Fish & Richardson P.C. – Gus P. Coldebella, Principal

Protecting trade secrets in the
age of cyberespionage

The cybertheft of intellectual property (IP) from U.S. com-
panies has, in the words of former NSA director and Cyber
Command chief General Keith Alexander, resulted in the
“greatest transfer of wealth in human history.” And the
data bear that out: by some estimates, the value of IP stolen
from U.S. businesses over the Internet alone is $300 billion
per year—a whopping 6% of our $5 trillion total intellec-
tual property assets. For certain nations, cyber espionage is
a central component of their growth strategies: for exam-
ple, the Report of the Commission on the Theft of U.S.
Intellectual Property (the IP Commission Report) found
that “national industrial policy goals in China encourage
IP theft, and an extraordinary number of Chinese in busi-
ness and government entities are engaged in this practice.”
Cyber espionage of IP assets allows companies and coun-
tries to circumvent the expense and hard work of basic
research and product development—which could take
years or even decades—and instead quickly pursue their
economic agendas based on stolen IP, all to the detriment
of U.S. businesses, jobs, and economic growth.

On May 1, 2014, a federal grand jury brought criminal
charges of hacking, economic espionage, and trade secrets
theft against five officers of China’s military. The hackers
are alleged to have penetrated the networks of important
American companies to acquire proprietary and confiden-
tial technical and design specifications, manufacturing
metrics, attorney-client discussions about upcoming trade
litigation, economic strategies, and other forms of sensi-
tive, nonpublic information. What was the object of this
indictment? Certainly not to get a conviction: the likeli-
hood of China extraditing the defendants to the U.S. is
negligible. Instead, the U.S. used the indictment to trans-
mit two strong signals. First, it sent a message to China:
that we are aware of this aberrant behavior—in which a
nation-state aims its espionage apparatus not at another
country, but at another country’s companies—and that the



U.S. will expose this misconduct to the
world. Second, the indictment sent a mes-
sage to U.S. companies that, although past
breaches and legal and reputational risk may
have convinced boards and management to
shore up defenses against cyberattacks
involving ‘personally identifiable informa-
tion,’ or PII, the most sophisticated attackers
are interested in other, more mission-critical
data on companies’ networks—intellectual
property. The loss of trade secrets could
cause more harm to a company’s reputation,
value, and future prospects than a PII breach
ever could. The U.S. government is signaling
that companies should focus on taking
immediate, reasonable steps to defend their
intellectual property assets.

In a world where countries persistently
attack companies and compromise of a com-
pany’s networks seems inevitable, manage-
ment may be tempted to throw up their hands
and concede defeat. There are, however,
important legal and practical reasons to fight.
In this chapter, we explore reasonable steps
companies can take to prevent the cybertheft
of their IP assets, to mitigate the harm of such
thefts if they occur, and to challenge competi-
tors that use stolen IP assets to unfairly gain
an advantage in the marketplace.

■ Conducting a trade secrets risk analysis
So what types of IP are cyber spies after?
Intellectual property has four broad catego-
ries: patents, trademarks, copyrights, and
trade secrets. A trade secret—according to the
Uniform Trade Secrets Act, or UTSA, adopted
in some form by 48 states and the District of
Columbia—is information that gains its actual
or potential economic value from being not
generally known and reasonably protected
from disclosure. Of the four IP types, only
trade secrets maintain their value, and their
legal protection as trade secrets, through non-
disclosure. If a trade secret is not disclosed, the
economic benefit it provides and the legal
protection it enjoys can theoretically last
forever. If it is disclosed, those advantages can
be destroyed. Trade secrets stand apart from
other IP, which gains and maintains its legal
protection through disclosure: the filing of a
patent, the registration of a trademark, and the
creation/publication of copyrighted material.
Cyberthieves generally set their sights on
a company’s trade secrets—the one type of
IP that is not readily available for the world
to see.

Some companies keep their trade secrets
offline. Legend has it that one of the most sto-
ried trade secrets, the formula for Coca-Cola,
is on a handwritten piece of paper in a safe in
Coke’s Atlanta headquarters. But air-gapped
trade secrets are rare in the Internet age. Given
this, it is crucial for a company to identify and
locate the trade secrets on its networks, and
those that are being deposited there in the
ordinary course of business. Every company
has such mission-critical secrets: design speci-
fications, chemical formulas, computer code,
financial algorithms, customer lists, and busi-
ness plans, to name a few. Finding them is a
key, and sometimes overlooked, part of a top-
to-bottom network vulnerability analysis.
Unless a company knows what trade secrets it
has and where they are located, it cannot
begin to secure them.

Once a company catalogs its online trade
secrets, it should ask several high-level stra-
tegic questions: How are they currently safe-
guarded? Who may access them? What sys-
tems are in place to alert the company that
the trade secrets have been exfiltrated or
altered? These questions and the protective
measures developed in response are not only
important to thwart cyber attackers—but
also help to prevent all types of attempted
trade secret theft, whether conducted via the
Internet or the old-fashioned way. They also
help to best position the company if it brings
litigation seeking damages, injunctive relief,
or other recompense for the theft. Although
the cybertheft of trade secrets has not yet
yielded many judicial decisions, law books
are rife with cases of companies seeking
damages resulting from current or former
employees spiriting off trade secrets to their
next employer or to a competitor. One of
the central questions in any such litigation
is: did the company make reasonable efforts
under the circumstances to protect the
secrecy of its confidential information? The



the full set of information needed to replicate
a targeted invention, product, or service.” A
company can achieve segmentation in two
ways detailed by Villasenor: first, by divid-
ing a trade secret into modules, distributing
the modules across multiple networks, and
ensuring that there is no easy path from one
network to the next; and second, once the
trade secrets are broken up into modules,
by allowing employees access only to the
modules that are relevant to them. Some
modules can be separated physically and
allow nearly no user access. For example,
‘negative information’—valuable secrets
about what does not work and is often the
result of meticulous collection of data through
extensive, costly research—is not frequently
accessed in a company’s day-to-day opera-
tions and therefore can be segmented and
stored in an extremely limited set of locations.
Implementing robust access control alongside
segmentation makes it more difficult for an
adversary to steal a company’s crown jewel
trade secrets in a single attack, and to ‘spear-
phish’ its way into accessing some or all of a
company’s crown jewel data under the guise
of an authorized user.
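
The segmentation and need-to-know rules described in this section can be checked mechanically. The following is an added audit example, not taken from the chapter or from Villasenor's article; the module, network and role names are hypothetical, and "easy path" is modeled as a directed reachability edge between networks.

```python
from collections import deque

# Constructed example (all names hypothetical): one trade secret split into
# four modules, each stored on exactly one network.
MODULE_LOCATION = {
    "formula-part-1": "net-lab",
    "formula-part-2": "net-plant",
    "process-settings": "net-plant",
    "negative-results": "net-vault",
}

# Layout 1: a flat network and broad access rights.
FLAT_PATHS = {"net-office": ["net-lab", "net-plant", "net-vault"],
              "net-lab": ["net-plant"]}
FLAT_ACCESS = {"chemist": set(MODULE_LOCATION),
               "plant-engineer": {"formula-part-2", "process-settings"},
               "it-admin": set(MODULE_LOCATION)}

# Layout 2: modules spread out, no easy path between module networks,
# and each role limited to the modules relevant to it.
SEGMENTED_PATHS = {"net-office": ["net-lab"]}
SEGMENTED_ACCESS = {"chemist": {"formula-part-1", "formula-part-2"},
                    "plant-engineer": {"formula-part-2", "process-settings"},
                    "research-lead": {"negative-results"}}


def reachable(paths, start):
    """Networks an intruder on `start` can reach by following easy paths."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in paths.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(paths, access):
    """Map every single point of compromise to the modules it exposes."""
    networks = set(MODULE_LOCATION.values()) | set(paths)
    for targets in paths.values():
        networks |= set(targets)
    result = {}
    for net in networks:
        nets = reachable(paths, net)
        result[("network", net)] = {m for m, loc in MODULE_LOCATION.items()
                                    if loc in nets}
    for user, modules in access.items():
        result[("credential", user)] = set(modules) & set(MODULE_LOCATION)
    return result


def full_exposures(paths, access):
    """Single breaches (one network or one credential) that yield every module."""
    everything = set(MODULE_LOCATION)
    return sorted(k for k, mods in exposure(paths, access).items()
                  if mods == everything)


def worst_case_fraction(paths, access):
    """Largest share of the secret that any single breach exposes."""
    worst = max(len(mods) for mods in exposure(paths, access).values())
    return worst / len(MODULE_LOCATION)


if __name__ == "__main__":
    for name, paths, access in (("flat", FLAT_PATHS, FLAT_ACCESS),
                                ("segmented", SEGMENTED_PATHS, SEGMENTED_ACCESS)):
        print(name, "full exposures:", full_exposures(paths, access),
              "worst case:", worst_case_fraction(paths, access))
```
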

Monitor data flow, not just authorization
Instead of monitoring only for unauthorized
access, companies should flag and investi-
gate instances and activity of high-volume or
suspicious data transfers, whether or not the
transferor is ‘authorized.’ Systems that look
only for suspicious behavior by unauthor-
ized users can blind the company to critical
and common cyberattacks. History shows
that trade secret theft frequently is carried
out by authorized users—think about a dis-
gruntled employee downloading the master
customer list, or the trading algorithm, right
before he or she quits to work for a competi-
tor. In another common scenario, when
hackers obtain privileged user credentials to
infiltrate a company’s network, activity that
appears attributable to ‘Mike in Accounting’
may actually be malicious. Systems should
be designed to monitor the flow of key data,
whether or not it is being accomplished by
someone with apparent trust.
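
The difference between watching authorization and watching data flow shows up clearly on a small transfer log. This is an added example, not part of the original chapter; the log format, the data tags and the thresholds are assumptions, and the records are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample transfer records (not real logs).
# Fields: date, user, authorized?, data tag, bytes moved, destination
SAMPLE_LOG = """\
2015-03-02 mike yes customer-list 120000 internal
2015-03-02 ann yes customer-list 90000 internal
2015-03-03 mike yes customer-list 150000 internal
2015-03-03 ann yes public-brochure 4000000 external
2015-03-04 mike yes trading-algo 100000 internal
2015-03-04 eve no customer-list 20000 internal
2015-03-05 mike yes customer-list 130000 internal
2015-03-05 ann yes customer-list 110000 internal
2015-03-06 mike yes customer-list 52000000 internal
2015-03-06 mike yes trading-algo 2000000 external
2015-03-06 ann yes customer-list 95000 internal
"""

# Hypothetical tags a company might assign to its key data.
KEY_DATA_TAGS = {"customer-list", "trading-algo"}


def parse_log(text):
    """Turn the whitespace-separated sample lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, auth, tag, size, dest = line.split()
        records.append({"date": date, "user": user, "authorized": auth == "yes",
                        "tag": tag, "bytes": int(size), "dest": dest})
    return records


def authorization_only_alerts(records):
    """What a monitor reports if it only looks for unauthorized users."""
    return {(r["date"], r["user"]) for r in records if not r["authorized"]}


def flow_alerts(records, factor=10, min_history=3):
    """Flag movement of key data by volume and destination,
    whether or not the user is authorized."""
    alerts = set()
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> key-data bytes
    for r in records:
        if r["tag"] not in KEY_DATA_TAGS:
            continue
        daily[r["user"]][r["date"]] += r["bytes"]
        if r["dest"] == "external":
            alerts.add((r["date"], r["user"],
                        "key data sent to external destination"))
    for user, per_day in daily.items():
        history = []  # this user's earlier, unflagged daily totals
        for date in sorted(per_day):
            total = per_day[date]
            if len(history) >= min_history and total > factor * median(history):
                alerts.add((date, user, "volume far above user's own baseline"))
            else:
                history.append(total)  # only normal days feed the baseline
    return sorted(alerts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("authorization-only:", authorization_only_alerts(recs))
    for alert in flow_alerts(recs):
        print("flow:", alert)
```

On the sample, the authorization-only view reports one small unauthorized access and is silent about the authorized account that moves roughly 54 MB of key data in a day, part of it to an external destination; the flow view reports both of those events.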

reasonable measures identified in these deci-
sions—such as training employees on trade
secret protection, requiring employee confi-
dentiality agreements prior to granting
access, and revoking access upon termina-
tion from the company—apply with equal
force in the cyber context, and companies
should employ them. Below, we discuss
additional cyber-specific protective meas-
ures that companies can consider taking.

■ Planning for the worst
Certain adversaries—especially nation-
states and state-sponsored groups targeting
U.S. trade secrets—are highly skilled, tech-
nologically savvy, and persistent. They are
not trolling for just any IP, and they will not
be put off by even best-in-class technical
defenses and move onto the next target
when their mission is to steal your compa-
ny’s secrets. Even with reasonable defenses
in place, companies should assume that an
attack will eventually be successful, and that
a company’s IP and trade secrets may be
compromised as a result. One way compa-
nies can protect themselves is to consider
ways, such as the following suggestions, to
reduce the likelihood that even a successful
intrusion leads to IP theft.

Access controls and segmentation
Companies should implement access con-
trols on crown jewel data. Although almost
every employee requires access to certain
parts of the company’s network, not all of
them need access to files containing trade
secrets. Not even all employees that require
access to some trade secrets need access to all.
A smart access control system makes it clear
that secrets actually are treated as secrets—
i.e., only those with a need to know (as
opposed to everyone with a network pass-
word) are given access to the data.

Another related layer of protection is
‘trade secret segmentation,’ which, accord-
ing to John Villasenor in his article Corporate
Cybersecurity Realism (Aug. 28, 2014), is dis-
tributing information “so that no single
cybersecurity breach exposes enough of a
trade secret to allow the attacker to obtain



Mark and tag secrets
Even in the bygone days of trade secrets
on paper, companies knew to clearly mark
their secrets with a legend. This accom-
plished two things: employees would
know to handle those secrets consistent
with the company’s trade secrets policies,
and if they were stolen, they could be iden-
tified as the company’s property. Just like
cartographers of old intentionally included
fake shortcuts, streets, and even towns to
immediately recognize misappropriated
copies of their maps, tagging digital assets
provides a way to definitively prove that
the IP was originally yours. Today, with an
array of technological means at hand, com-
panies can do more, including tagging
digital IP with code that could, say, render
stolen files inoperable. The IP Commission
Report correctly recommended that “pro-
tection…be undertaken for the files them-
selves and not just the network, which
always has the ability to be compromised.”
It suggested that:

Companies should consider marking
their electronic files through techniques
such as “meta-tagging,” “beaconing,”
and “watermarking.” Such tools allow for
awareness of whether protected informa-
tion has left an authorized network and
can potentially identify the location of
files in the event that they are stolen.
Additionally, software can be written that
will allow only authorized users to open
files containing valuable information. If
an unauthorized person accesses the
information, a range of actions might then
occur. For example, the file could be ren-
dered inaccessible and the unauthorized
user’s computer could be locked down,
with instructions on how to contact law
enforcement to get the password needed
to unlock the account. (IP Commission
Report at 81.)

Collect forensic leads as part of incident response
Of course, executives must make sure that
the company has created a robust incident
response plan and has practiced and
exercised it. Under such a plan, the first call
should be to experienced outside counsel,
who can hire the forensics and crisis PR
teams to investigate and respond to what
happened, and who give the results of the
investigation the greatest chance of being
considered privileged, which is important as
the legal and regulatory consequences of
breaches continue to grow. It is also impor-
tant—especially with potential trade secret
theft—to preserve all information surround-
ing the incident in a forensically sound way.
For example, collecting and analyzing log
information may allow a company to deter-
mine what data were lifted and where they
were sent, which could be critical in investi-
gations by law enforcement and in post-
breach litigation.

■ Taking on the IP thieves and their
beneficiaries

Adversaries want to steal your trade secrets
for a simple reason: to use, sell, and profit
from them. Every IP theft contains the
seeds of unfair competition based upon the
stolen secrets. Assume the worst has hap-
pened, and you begin to see the company’s
hard work or research emerge in the mar-
ketplace, embedded in a competitor’s
product or across the negotiating table.
What options do you have? We discuss
five here:

Misappropriation of trade secrets. The victim
of trade secret theft may bring an action
under state law to enjoin the beneficiary
of the theft and recover damages. (There
currently is no federal private right of
action for misappropriation of trade
secrets.) As already discussed, most states
have adopted a version of the Uniform
Trade Secrets Act, or UTSA. UTSA pre-
vents using a trade secret of another with-
out consent if the defendant employed
improper means to appropriate the secret,
or “knew or had reason to know that
his knowledge of the trade secret was
derived from or through a person who
had utilized improper means to acquire
it.” UTSA §§ 1(2)(ii)(A); 1(2)(i). UTSA,



therefore, allows an action against the
hacker and the company seeking to ben-
efit from the stolen trade secrets, if the
plaintiff can show that the competitor had
reason to believe that the data it was
using were stolen from someone else’s
network. The remedies available under
UTSA are powerful and encompass dam-
ages and injunctive relief. UTSA author-
izes a court to award damages for actual
loss and unjust enrichment, including
multiple damages if the misappropriation
was “willful and malicious.” UTSA §§
3(a); 3(b). A court also may enjoin actual
or threatened misappropriation or may
condition the competitor’s future use of
the trade secret on payment of a reasona-
ble royalty. UTSA §§ 2(a); 2(b).

Section 337 of the Tariff Act of 1930. To sty-
mie competitors that import their prod-
ucts into the U.S., a potent option is to
initiate a process at the International Trade
Commission (ITC) under Section 337 of
the Tariff Act of 1930. A company may
petition the ITC to investigate whether
imported goods are the result of “unfair
methods of competition”—which includes
incorporating stolen trade secrets—so
long as the unfairness has the potential
to injure or destroy a domestic industry.
19 U.S.C. § 337. Because § 337 investiga-
tions are brought against goods, not par-
ties, there is no need to prove that the
specific company profiting from the stolen
data was actually behind the cyberattack,
only that the product was made or devel-
oped using misappropriated trade secrets.
Even though the ITC cannot award dam-
ages under § 337, the remedy it can issue
is potent against any company seeking to
import misappropriated products in the
U.S.: it can issue an order, enforceable
by Customs and Border Protection, pre-
venting goods from entering the country
and enjoining sale of such products
already here.

Although the IP Commission has criti-
cized the § 337 process as too lengthy and
bureaucratic, that was in the context of
arguing for a quicker method for U.S.
companies to seek exclusion. Our experi-
ence is that § 337 actions tend to be much
quicker than currently available alterna-
tives, including state and federal court
litigation. The ITC process offers U.S.
companies a powerful weapon against
importation of goods containing stolen
trade secrets.

Computer Fraud and Abuse Act (CFAA).
Under certain circumstances, the CFAA
provides a private right of action for com-
panies to bring suit against a party who
knowingly and intentionally accesses a
protected computer without authoriza-
tion, obtains information, and causes
harm. 18 U.S.C. § 1030(g). The victim may
be able to seek damages from not only the
individual who accessed the computer
and stole the information but also the
company profiting from the stolen trade
secret so long as the victim can plead and
prove that the competitor “conspire[d] to
commit” such an offense (18 U.S.C. §

Call the feds. A company may refer the
theft to federal criminal authorities, which
can bring charges under 18 U.S.C. §§ 1831-
32 for theft of trade secrets and economic
espionage. The economic espionage and
trade secret theft statutes reach not only
parties who steal the trade secret but also
anyone who “receives, buys, or possesses
a trade secret, knowing the same to have
been stolen or appropriated, obtained,
or converted without authorization.”
18 U.S.C. §§ 1831(a)(3); 1832(a)(3). In addi-
tion to imposing hefty fines ($5 million for
organizations, unless the theft was intend-
ed to benefit a foreign government, in
which case it is $10 million), the law also
allows judges to force the criminals to
forfeit “any property, or proceeds derived
from the stolen or misappropriated trade
secrets, as well as any property used or
intended to be used to help steal trade
secrets.” 18 U.S.C. §§ 1834, 2323(b).



Of course, there are always pros and cons to
be weighed before bringing civil litigation
or involving federal law enforcement
authorities. For example, law enforcement
has a greater array of tools to compel pro-
duction of evidence quickly, unlike in a civil
suit, although a parallel criminal action
may affect the company’s ability to seek
civil discovery if the defendants seek a stay
or exercise their Fifth Amendment right not
to testify. There are also practical and busi-
ness considerations that may argue for or
against such a suit, including its potential to
affect existing or future commercial rela-
tionships and continued access to foreign

Future action: Report cyberspies and their
beneficiaries under Executive Order 13694.
In response to high-profile cyberattacks,
the President and the federal government
recognized that cyber espionage is a seri-
ous threat to the nation’s economy and
national security but acknowledged that
it is not always possible to take criminal
or civil action against perpetrators
because they are often outside the juris-
dictional reach of U.S. courts. For that
reason, the U.S. has devised another
method for reaching these malefactors,
punishing them for their actions, and
deterring future attacks. On April 1, 2015,
the President signed Executive Order
13694, authorizing the Office of Foreign
Assets Control, or OFAC, within the
Treasury Department, to (i) identify for-
eign hackers, the parties who aid them,
and the parties who benefit from their
activity by using their stolen information
to profit and (ii) respond by freezing their
U.S. assets and imposing sanctions. OFAC
will add foreign individuals identified as
being responsible for, contributing to,
complicit in, or profiting from significant
malicious cyber-enabled activities to its
list of Specially Designated Nationals
(SDNs). To earn a spot on the SDN list, the
associated attack has to be “reasonably
likely to result in, or have materially con-
tributed to, a significant threat to the
national security, foreign policy, or eco-
nomic health or financial stability of the
United States.” Although OFAC cannot
assist a company with recovering lost
information or barring products from
entering the market, reporting the perpe-
trators of particularly serious cyberat-
tacks to OFAC can serve as a powerful
deterrent. It is important to note that E.O.
13694 is, at the writing of this chapter, so
new that OFAC has yet to promulgate
final regulations governing the SDN-
designation process, so companies should
consult with counsel to understand their
options once final rules are in place.

■ Conclusion
Trade secrets are high on the list of assets
that cyber spies are interested in stealing.
Careful planning will help your company do
its best to prevent the theft of these valuable
assets and to thwart a competitor’s attempt
to profit from its crimes if an attack is suc-
cessful. If the worst-case scenario material-
izes and you discover that your company’s
IP has been stolen, take immediate steps to
engage experienced outside counsel to assess
your best options to investigate the breach,
recover damages, enjoin unfair competition,
and seek justice.


Latham & Watkins LLP – Jennifer Archie, Partner

Cybersecurity due diligence in M&A
transactions: Tips for conducting
a robust and meaningful process

To begin with a tautology, when you buy a company, you
buy their data—and the attendant risks to that data.
Cybersecurity risks are not limited to consumer-facing
businesses, whose recent losses of cardholder or patient
data grab news headlines. Indeed, few businesses today
have assets and liabilities that are not in some sense data
driven. For most business combinations—whether M&A,
joint venture, or leveraged buyout—cybersecurity should
be a risk category in its own right. Buyers should review
not just historic breaches but also cybersecurity risk man-
agement. Even though these risks are hard to quantify, the
analysis will inform deal terms, deal value, and post-deal
indemnity claims.

■ First step: Get an early read on cyber readiness
at the engagement stage

Buyers should begin all cybersecurity risk assessments
early in the engagement process, with the goal of clearly
articulating as early as possible the target company’s
most important information assets, systems, and busi-
ness processes. Every target business should be able to
readily identify which information technology (IT) sys-
tems and data sets are most valuable to the business and
explain at a high level how the company protects and
exploits them. Even at the earliest stages, the seller
should be prepared to identify and discuss the following
at a high level:

• What types of information or computer systems and
operations are most important to your business? What
sensitive types of data do you handle or hold relating
to natural persons (which data elements in particular)?

• Where is sensitive information stored?
• How is it protected in transit, at rest, and in motion?
• What are the most concerning threats to information,
networks, or systems?



government investigations from the Federal
Trade Commission (FTC) or other agencies
may be poorly understood. Federal investi-
gations tarnish brands, especially if enforce-
ment results. Investigations are expensive
and distracting, and may lead to a sweeping
10- or 20-year permanent injunction dictat-
ing how future information security will be
managed and monitored. Compliance with
such a decree is expensive and limits a com-
pany’s independence and fl exibility in sig-
nifi cant ways. After a breach, management is
often surprised to learn how persistent and
aggressive the FTC or state attorneys general
can be, even if the company sees itself as a
victim of harm, not a perpetrator of con-
sumer injury. If the target’s legal or business
representatives are not knowledgeable about
the regulatory and enforcement environ-
ments, buyers should not place much weight
on a seller’s lulling statements or assurances
that there have been no incidents or that risk
of a cyber event is low.

■ Check for integrated cyber risk awareness
and mitigation and a comprehensive security
management program

Another sign of a mature security program
is a management team with cross-function-
al awareness on these points at the CEO
and board levels, as refl ected in board min-
utes or other documentation. A security
program will not be effective if it is a silo
inside the IT or information security func-
tions. All substantial stakeholder depart-
ments should be involved in cybersecurity
risk management, including business unit
leaders, legal, internal audit and compli-
ance, fi nance, human resources, IT, and risk

Diligence questionnaires should ask the
target company to generally summarize the
administrative, technical, and physical infor-
mation security controls currently in place to
safeguard the most critical business data sets.
Such controls include technical measures
(such as boundary and malware defense,
data encryption, intrusion detection systems,
anomalous event monitoring, and access
controls), administrative measures, and

� Have there been prior incidents?
� What is the cybersecurity budget?
� What are your recovery plans if

critical information or systems become

If the front line deal-facing personnel
respond, “I don’t know, I’d have to ask,” this
is a telling and interesting sign that the target
company’s security management program is
likely not well integrated into the senior
leadership ranks. Sellers thus should be pre-
pared in early discussions to showcase a
sophisticated understanding of data security
risks and how those risks may materially
affect the company’s operations, reputation,
and legal risks (or not). A buyer’s key dili-
gence objective should be to probe and test
whether the target company has imple-
mented a mature risk management organiza-
tion to evaluate the accuracy of management
assurances about lack of historical breaches,
payment card industry (PCI) compliance,
protections against competitor or insider
theft, and business continuity. Too often in
hindsight, a target’s statements made in dili-
gence turn out to have been good faith
impressions, or even merely aspirational or
refl ective of paper policy, but not operational

■ Tailor diligence to what types of information
are handled and how important is
information security to the bottom line

Beyond these general questions, the buyer
should directly probe whether the target
management has a sophisticated understanding
of potential cyber-related liabilities
and the regulatory environment. Unlike
environmental or traditional fire or natural
disaster scenarios, cyberattack-related liabilities
are multi-faceted and unique. In some
industries—such as energy, transportation,
financial institutions, health care, defense
contracting, education, and telecommunications—government
oversight can be active
and intrusive, and the target’s subject matter
expertise will likely reside within the legal,
compliance, and/or IT functions. In other
industries, however, exposure to costly



been adopted, budgeted and scheduled, or
already implemented.

For companies whose vendors hold company-sensitive
data or access systems, the
company should have implemented—prior
to engaging in a business relationship—a
formal vendor management program that
specifically assesses risk and identifies
potential security or data privacy concerns
and appropriate remediation next steps.
After a decision to engage, the company
should mitigate data security risks through
written agreements and supervision. These
third parties should have data security
insurance coverage and/or the agreements
should require such a party to defend and
indemnify the target company for legal liability
arising from any release or disclosure
of the information resulting from the negligence
of the vendor or other third party.
Third-party agreements involving data
exchange or access also should articulate
breach notification procedures, cooperation
levels, information sharing, and expressly
assign incident control and reporting

Cloud-based or other software-as-a-solution
(SAAS) solutions as well as mobile
devices present their own cybersecurity risks
and should not be overlooked in diligence.
Does the company permit employees to use
cloud-based file-sharing services? Does it
rely on SAAS solutions for critical or other
business needs such as contact relationship
management or HR? Email? How are the
security and compliance risks presented
being managed? Companies that issue or
support mobile devices should have policies
and procedures in place designed to protect
sensitive information in those environments.

■ Use subject matter experts to assess cyber
readiness and liabilities

Given the importance of the above questions,
the buyer should pay careful attention
to who asks these questions on behalf
of the buyer or underwriters, in what settings,
and with what time allowances. Put
simply, deal teams ideally should embed
subject matter experts on the business side,

physical security. The company should have
a current documented crisis management/
incident response plan in place, including
pre-staging of legal and forensic experts and
a public relations strategy, all approved by
senior management. A seller should specifically
inquire about and assess what financial
resources are applied to data security, in the
context of the target’s overall approach to
risk containment and specific to its industry.
Also, sellers should ask the following to
gather detailed information about how the
company has organized the management of
cybersecurity and risk:

• Is there a single designated person with
overall responsibility? To whom does he
or she report? (Risk Officer? CTO? CIO?

• Describe board oversight. Have directors
and senior managers participated in data
security training/been involved in the
development of data security protocols?

• Does the company have legal counsel
regularly advising on data security
compliance? Is counsel internal or
external, and if external, who?

• How does the company educate and train
employees and vendors about company
policies, information security risks, and
necessary measures to mitigate risk?

• How can employees or members of the
public (such as independent security
researchers) report potential vulnerabilities/
breaches, including irregular activity or

• What is the plan to recover should critical
or other necessary systems become
unavailable? What are the recovery point
and recovery time objectives? How have
these and other elements of the plan been
correlated to business needs?

If the company has in the last year or two
completed an internal or external audit or
assessment to determine compliance with
company security policies and/or external
security standards, this should be requested,
or at a minimum the target company should
report whether all recommendations have



network. The attacker then acquired elevated
rights that allowed it to navigate portions
of the company’s systems and to deploy
unique, custom-built malware on self-checkout
systems to access the payment card
information of up to 56 million customers
who shopped at U.S. and Canadian stores
between April 2014 and September 2014. In
fiscal 2014, alone, Home Depot recorded $63
million in pretax expenses related to the data
breach, partially offset by $30 million of
expected insurance proceeds for costs
believed to be reimbursable and probable of
recovery under insurance coverage, resulting
in pretax net expenses of $33 million.

What this sort of financial and reputational
exposure means for M&A diligence
within the retail sector is that buyers should
devote expert and highly substantive attention
to how cardholder data are collected,
stored, handled, and secured. Payment processing
services are material to all retail
businesses, and all payment processing
agreements have PCI compliance as a material
term. So just as the SEC always wants to
know about where that relationship stands
in its review of risk factors, buyers too want
to pay special attention in this area. If PCI
compliance is lacking, the seller should at
least be able to disclose a specific remediation
timeline and a budgeted plan that is
hopefully supervised and accepted by the
payment processor.

PCI compliance handled correctly is costly
and involves constant adaptation and optimization
to new threats and new standards.
It is not an annual “check-a-box” process.
Within the data security space—as was true
for Home Depot, Target, and many others—
good business practice assumes that a compromised
merchant will have a recent,
valid, self-certification or even third-party
certification of PCI compliance. However, a
buyer should not rely simply on the inclusion
of such a report or certificate in a virtual data
room. Many a breached retailer has held a
current PCI certification. Accordingly, the
buyer should always test the security of
cardholder data independently, at a process

the technical side, and even the legal side
early on—to do the following:

• Pose questions orally
• Follow up with document requests
• Assess the documentation
• Conduct on-site testing and analysis
where appropriate
• Assess and advise on the maturity
and suitability of the program to the
underlying data risks
• Review and advise on deal terms or costs
to remediate gaps in compliance or risk

Very importantly, the deal team also must be
nimble and focused upon the specific industry,
because cybersecurity risks are highly
variable across industry sectors; threats,
liabilities, and government expectations for
adequate security are evolving constantly.
For example, if hackers acquire and then resell
large databases of cardholder data to
identity thieves—as happened to Target and
Home Depot—the types of expenses and
liabilities a buyer could expect are well documented
in SEC filings. Expenditures
include the following:

• Costs to investigate, contain, and remediate
damaged networks and payment systems
and to upgrade security

• Liability to banks, card associations, or
payment processors for fines, penalties,
or fraudulent charges

• Card reissuance expenses
• Expense of outside legal, technical, and
communications advisors.

■ For retail sector, diligence surrounding
PCI compliance should seek more than
a “yes” or “no” response

Buyers of companies who accept, process,
store, or handle cardholder payment data
streams of course will want to pay particular
attention to compliance with current PCI
standards. At Home Depot, for example, an
attacker used a vendor’s username and
password to gain access to Home Depot’s



email and no way to process employee
benefits or time cards (Source: http://www.
tack-on-sony-60-minutes/). To add insult to
injury, much of the exfiltrated material is
now readily available (and free text searchable)
on WikiLeaks.

The potential for outright theft of intellectual
property by competitors should not be overlooked.
In DuPont v. Kolon (United States v.
Kolon Industries, Inc. et al.), for example, the
manufacturer of Heracron, a competitor product
to DuPont’s Kevlar, misappropriated
DuPont’s confidential information by hiring
former DuPont employees as consultants and
pressuring them to reveal Kevlar-related trade
secrets. DuPont sued the competitor, Kolon, in
2009, and in 2012 the Department of Justice
brought criminal trade secret misappropriation
charges against Kolon and five of its executives
pursuant to 18 U.S.C. § 1832. In light of the
parallel charges, Kolon settled, paying $360
million in damages—$85 million in fines and
$275 million in restitution. (Source: Department
of Justice Office of Public Affairs, http://www.
trade-secrets). To assess these sorts of risks,
acquirers should ask:

• Are there former employees who had
access to critical intellectual property or
other company confidential information
who have recently left for competitors?

• What agreements are in place to protect
the proprietary information they have?

U.S.-based businesses, academic institutions,
cleared defense contractors, and government
agencies increasingly are targeted for economic
espionage and theft of trade secrets by
foreign competitors with state sponsorship
and backing. In the last fiscal year alone,
economic espionage and theft of trade
secrets cost the American economy more
than $19 billion. According to the FBI,
between 2009 and 2013, the number of
arrests related to economic espionage and
theft of trade secrets—which the FBI’s

level if necessary. The same security consultants
who arrive post-breach to assess root
cause and damage can examine card-related
data security very meaningfully in the M&A
setting, even with only a few days of on-site
interviews and document collection. If PCI
compliance concerns arise in diligence, deal
terms can be arranged that mandate and
appropriate funding for third-party independent
assessments and implementation of
recommendations. Moreover, many retailers
now are migrating to new payment systems,
and this is a unique technology risk because
of the likelihood of delay, interruptions, and
budgetary over-runs.

■ Understand and assess awareness
and mitigation of risks of trade secret
theft, nation-state espionage, and denial
of service attacks

Beyond payment card security risks, theft of
trade secrets by competitors and insiders,
state-sponsored espionage that is exploited
for economic advantage, and cyberattacks
that disable or cripple corporate networks
are less publicized but can be equally damaging
to a target business. For example, the
high-profile, studio-wide cyberattack at
Sony Pictures in November 2014 at the
hands of a group calling itself #GOP, aka
the Guardians of Peace, starkly illustrates
the potential to cripple a business. The
attack, which the FBI attributed to North
Korea, resulted in the theft of terabytes of
company internal email and documents,
release of unreleased movies to file-sharing
networks, deletion of documents from Sony
computers, threatening messages to the
company and individual employees, theft
and apparent exploitation of sensitive
human resources data, and a near complete
and prolonged disruption of the company’s
ability to transact business and communicate
electronically over its networks and
systems. In an interview with CBS News,
Sony’s outside cyber investigator, Kevin
Mandia, disclosed that 3,000 computers and
800 servers were wiped, and 6,000 employees
were “given a taste of living offline”—no



• What is known about the attackers and
the attack vector?

• What data do you suspect or know were

• How long between the first known
intrusion and discovery of the incident?

• Do you suspect or know whether the thief
or intruder attempted or made fraudulent
or competitive use of exfiltrated data?

• During the past three years, have you
experienced an interruption or suspension
of your computer system for any reason
(not including downtime for planned
maintenance) that exceeded four hours?

A buyer should assess a target’s measures to
prevent and detect insider threats, including
whether basic protections are in place to
identify and mitigate insider threats, such as
the following:

• Pre-employment screening via dynamic
interviews, background checks, and
reference checking

• Workforce education on warning signs
• Internal network security measures such
as website monitoring, blocking access
to free (unauthorized) cloud-storage sites
such as Dropbox, turning off USB drives

• Automated monitoring of Web, deep
Web, or peer-to-peer network searching
for leaked data.

Private and state actors have made use of
denial of service attacks to disrupt the business
of a company that meets with their disapproval
(or as an extortion scheme). Material
impacts on ecommerce, on-line entertainment,
email, and other critical systems are the result.
An acquirer might reasonably ask:

• Has the target company evaluated its
exposure to such attacks?

• What measures does it have in place to
defend itself?

• How would it know if such an attack was

• Have any such attacks occurred?

Economic Espionage Unit oversees—at least
doubled, indictments more than tripled, and
convictions increased sixfold. These numbers
grossly understate the frequency of
such attacks or losses. Last year, the United
States Department of Justice indicted five
Chinese military hackers on charges including
computer hacking, identity theft, economic
espionage, and trade secret theft
from 2006 to 2014. The alleged actions
affected six U.S.-based nuclear power,
metal, and solar product companies. The
indictment, filed May 1, 2014, alleges that
the defendants obtained unauthorized
access to trade secrets and internal communications
of the affected companies for the
benefit of Chinese companies, including
state-owned enterprises. Some defendants
allegedly hacked directly—stealing sensitive,
nonpublic, and deliberative emails
belonging to senior decision makers, as
well as technical specifications, financial
information, network credentials, and strategic
information in corporate documents
and emails—while others offered support
through infrastructure management. Charges
were brought under 18 U.S.C. §§1028, 1030,
1831, and 1832. (Source: Department of Justice
Office of Public Affairs, http://www.justice.gov/opa/pr/us-charges-five-chinese-

Many companies choose not to publicly
disclose or discuss these sorts of attacks or
disruptions, which may go undiscovered for
many months and often years. Even when
attacks are discovered, breaches may not be
reported to law enforcement or even to
affected commercial partners. Questions
about historical incidents during due diligence
therefore should be open-ended but
also very direct:

• Have you suffered thefts of confidential
data (wherever stored)?

• Has your network suffered an intrusion?
• Did you retain outside experts to



buyers should closely examine policies for
what is covered, deductibles, coverage periods,
and limits. Diligence experts should
also evaluate post-closing opportunities to
enhance the insurance program if significant
unmitigated risks of third-party liabilities
or direct expense from an attack have
been identified.

■ Conclusion
If there was ever an era when minimizing
or commoditizing assessment of cybersecurity
risks in the M&A space was sensible,
that time has surely passed. Expertise in
assessing data-driven risks should be
embedded on the front end of every transaction
and tracked throughout the deal, so
that deal terms, deal value, and post-closing
opportunities to strengthen security can
be considered against a fully developed
factual picture of the target company’s
cyber readiness and exposure.

■ Assessing cyber insurance
Finally, buyers should evaluate the extent
to which cyber risks are mitigated by
insurance coverage, including whether
enhancements to the cyber program may be
available post-closing. Most cyber insurance
policies today cover the data breach
and privacy crisis management expenses
associated with complying with data breach
notification laws. Those costs include the
costs of expert legal, communications, and
forensic advisors, benefits such as credit
repair or monitoring to affected individuals,
and even costs of responding to government
investigations or paying fines. Cyber
coverage is also widely available for extortion
events, defacement of website, infringement,
and network security events, even
arising from theft of data on third-party
systems or malicious acts by employees.
Because of the volatility and variability of
the cyber insurance market at this time,


Kaye Scholer LLP – Adam Golodner, Partner

International inflection point—
companies, governments,
and rules of the road

In the attorney general’s conference room at the United
States Department of Justice is a mural on the ceiling—on
one end a heavenly depiction of justice granted, and on
the other a depressing tableau of justice denied. These
images help remind us that principles matter, choices
matter, and in many situations divergent outcomes are
possible. We are at this kind of inflection point in global
cyber. Technology, software, hardware, and physical and
social networks are embedded everywhere today. Into the
future the Internet of Things and the Industrial Internet
will bring the next wave of global hyper connectedness
and drive business innovation, new markets, efficiency,
and consumer benefits globally. Every business today is a
technology business, and every society increasingly a
technology society. We all benefit from it. It is good. The
world has changed, but it has also stayed the same.

In some sense, cyber issues are not new. They are the
same issues countries and societies have been dealing
with for centuries—theft, fraud, vandalism, espionage,
and war. Over time, societies have created rules to deal
with these domestically and globally. But cyber presents
new facts. Activities and incidents happen at machine
speed, and distance hardly matters. Masking who you are
is easier. Some seemingly anonymous person can reach
out and touch you instantaneously from anywhere. The
kind of information we collect is quantitatively and qualitatively
different than the past. We must appreciate and
understand these facts and what they mean.

With a future of embedded everything and hyper connectivity,
we have to create acceptable ‘rules of the road’
that ensure we get the promise of the future, not a world
where governments or individuals turn that promise on
its head and abuse the very same connectedness. Countries
and companies have to define acceptable ‘rules of the
road’ for behavior in cyberspace—what’s okay and not
okay for governments to do to each other, companies, and



strategies, and next generation innovation
from U.S. companies, with that very same
stolen intellectual property being given by
the governments that stole it to favored
domestic champions for the purpose of competing
against that very same victim of the
theft. Companies share these concerns. No
company wants to have its operations,
brand, or competitive advantage undermined
or destroyed. Despite these concerns,
nation-state, non-nation-state, hacktivist,
and criminal activity continues. In fact by all
accounts it’s increasing in all categories
across the governmental and commercial

Although some policy makers have begun
to talk about cyber ‘norms,’ there has not
been sustained multi-lateral head-of-state to
head-of-state work to set rules of the road.
However, it has to begin. The issues are big
enough and complex and significant enough
that we have to set the right path now. We
can build rules that the majority of the family
of nations can agree to and then bring the
outliers along. Most commentators are of the
view that a formal treaty is premature, if it
ever makes sense. This sounds right to me.
However, the time is right to up-lever the
conversation to the head of state level and
convene the heads of state of some core
countries (such as U.S., U.K., Germany, France,
Sweden, Estonia, India, Brazil, Japan, Korea,
Australia, Canada) to start to build out
offensive, defensive, law enforcement, and
commercial rules of acceptable behavior. Of
course, other countries, such as China, could
join in short order if it turns out they are in
fast agreement, but the work of building out
the core should move ahead without waiting
for everyone to be on board. An additional
benefit of doing this is that it reduces the
impulse of countries to complain about the
activities of other countries when the activity
at issue is one that all countries find to be
acceptable, and in the converse, gives weight
to complaints about activities outside of the

Why should companies care? Why should
they be integral to these discussions? First,
companies own the enterprise networks and

individuals in cyberspace. Analogies can
and should be made to longstanding principles
relating to theft, fraud, vandalism, espionage,
and war—and how countries deal
with each other on these issues. After all,
technology is a tool; we have had tools in the
past, and we have applied age-old principles
to new tools throughout history. However,
the pace of change is accelerating. That
means we need to move fast to apply new
facts to old principles now and help shape
the future. Like the mural on the ceiling on
the attorney general’s conference room, different
future outcomes are possible. What
principles and rules will secure goodness
into the global technology future? What are
the roles of companies, boards of directors,
and CEOs in shaping that future? We discuss
these questions in this chapter.

There are three areas in which companies
and their leaders can help: rules of the road,
cyber laws globally, and security and privacy.

■ Rules of the road
Cyber is a top issue for the U.S., E.U. Member
States, China, India, Russia, Brazil, Australia,
and Japan, and the heads of state in each of
these countries spend significant time on the
issue. For the last three years the U.S. has
said that cyber is the number one national
security threat to the U.S.—not nuclear, biologic,
or chemical, but cyberthreat. All these
countries view cyber as a national security
and economic security issue. In national security,
cyber is both an offensive and a defensive
issue. On the offensive side, cyber tools and
techniques can be a means of espionage, war,
or deterring a threat. On the defensive side,
conversely, countries are concerned that
companies in critical infrastructure sectors
(financial, communications, defense, electric,
energy, transportation, health care, chemical,
public services) can have their operations
affected, data compromised or destroyed,
or public safety threatened—in effect, bringing
important segments of the economy
to a halt.

U.S. policy leaders also are highly concerned
about other nation-states stealing
core intellectual property, business and deal



security? What tools in the toolbox are
acceptable to curb behavior—prosecution,
sanctions, trade, covert action? Is it OK for
national security services to steal intellectual
property of companies? Is it OK for intelligence
services to give it to competitors?
What collection of information of or about
individual citizens of another country is
acceptable or unacceptable? What is the
standard? What collection on other governments
and their leaders is acceptable?

Most of these questions have some
grounding in existing principles and laws,
but the cyber facts have to be understood
and applied to start to enunciate these
rules of the road. Although work has certainly
begun on cyber ‘norms,’ the time is
right for taking the work to the next level.
Furthermore, because the playing field is
made up of private networks and elements
of technology services and products, the
outcomes should by definition be of interest
to companies, CEOs, and boards of
directors. Good rules of the road should
help build trust in networks and technology
globally. So, companies should engage
in helping set the global rules of the road
today. It affects their future.

■ Cyber laws globally
Given that cyber runs the gamut from
national security concerns to consumer protection,
and countries around the world
have different values and interpretation of
what laws protect their country and citizens,
it should come as no surprise that companies
doing business globally will face a myriad of
sometimes divergent laws on a range of
cyber topics.

An in-depth review of these laws is
beyond the scope of this chapter, but it is
important to note the categories in which a
company, CEO, general counsel, and perhaps
even the board must understand that
their activity may trigger a compliance issue
or affect their ability to provide a product or

With regard to compliance and security,
there is a saying that ‘compliance does not
equal security.’ There is no doubt that driving

databases in which cyber activity takes
place—domestic companies and global companies.
Companies own the software, hardware,
the information, and the upstream and
downstream relationships where this contest
takes place. Think of the Internet—every little
bit of it is owned by somebody, and the
vast majority is owned by public companies
globally. Although cyber is the fifth fighting
domain (along with land, sea, air, and space),
it is the only one owned essentially by private
companies. Second, information technology
and communications services and
products are created and sold by the private
sector. If a government acts on those services
or products, it acts on services and products
with a private sector brand. The same brand
used by other companies. Third, the future
of the global interoperable, open, secure,
network is at stake. Will companies be able
to continue to drive innovative business
models, or will they be stifled by the rules
and activities of governments, hacktivists,
and criminals playing in their playing field?

Here are some ‘rules of the road’ that
should be in play. What cyber activity is an
act of war? What cyber activity is acceptable
espionage? What is cyber vandalism, and
what is the appropriate response? What
activity by a nation-state is acceptable on a
bank, stock exchange, energy, transportation,
electric, or life sciences company? What
if it’s a non-nation-state activity? What action
is acceptable to proactively stop a planned
cyber activity? What principles should animate
the decision to use a cyber tool of war
on a target connected to the Internet? Is it
OK to deliver cyber means through private
networks or technologies? What is an acceptable
response to another country’s cyber or
kinetic act? What are the principles for disclosing
or stockpiling zero-day vulnerabilities
or interdicting a supply chain? How can
we make global assurance methodologies
such as the Common Criteria for Information
Technology Security Evaluation (Common
Criteria) for products even more useful?
Should there be requirements for governments
to share cyberthreat information with
other countries and companies to improve



data localization (Russia), U.S.-E.U. Safe
Harbor (allowing for transfer of E.U.
privacy information to U.S.)

• speech and content: protection (U.S.
Constitution), limits (France, Germany,
Russia, China)

• consumer protection: unfair or deceptive
security practices (U.S. FTC)

• criminal law: laws against hacking
(U.S. CFAA, Budapest Convention on
Cyber Crime, many countries), mutual
legal assistance (MLATs) (U.S. and many
countries for cross-border investigation
and extradition)

• multilateral agreements: Wassenaar
arrangement (obligation to limit export
of dual-use technologies, including
security), mutual defense treaties (e.g.,
NATO and Article 5 cyber obligations),
WTO and technical barriers to trade
agreement (obligation of WTO members
to use international standards, including
technology), WTO government procurement
agreements (many countries, rules opening
government procurement markets for
foreign tech products).

Over the past decade there have been many
skirmishes to try to limit the impact of proposed
laws that would splinter the global
market for technology products and services
and protect the ability of companies to
continue to drive innovation in products
and services. Particularly in the post-Snowden
world, where trust of countries
and technologies has been strained, companies
must pay particular attention to legislative
and regulatory proposals that would
undermine the global interoperability or
security of the network, or use security as a
stalking horse to protect or promote domestic
manufacturers.

■ Security and privacy
As technology and economics continue to
drive connectivity, cloud, mobility, data analytics,
the Internet of Things, and the
Industrial Internet, we must deal effectively
with security and privacy. It’s not just the
Snowden effect. People are still working

to ‘real security’ is the goal, and one that will
likely get you where you need to be for compliance
as well.

Here is a list of categories of laws to be
concerned about and a few specific-use

• infrastructure security: voluntary public-private
partnerships (U.S., U.K.), regulation
of critical infrastructure (China, pending
in E.U., pending in Germany), sector-specific
regulation (India telecoms, U.S.
chemical, Russia strategic industries)

• incident notification: data breach (U.S.
in 47 states, E.U. telecoms, pending new
E.U. Privacy Directive), SEC disclose
material adverse events (U.S. SEC)

• tort, contract, product liability: in the
absence of specific regulation, a company
must use ‘reasonable care’ to secure
their and third-party data, continue to
provide service, build secure products,
and protect IP (U.S., E.U., India and for
contract, globally)

• board of directors corporate: the board
must use its ‘business judgment’ to secure
the assets of the company and provide
reasonable security (U.S.)

• acquisition of information by nation-states:
lawful intercept telecoms (most
countries), requests from non-telecoms by
judicial or administrative process (most
countries), collection outside of home
country (most countries)

• technology controls, national security
reviews, and certifications: export
control commercial technologies (U.S.),
export control of military technologies
ITAR (U.S.), certification of IT product
(26 countries Common Criteria evaluation,
China own requirements, Russia own
requirements, Korea pending), import
restriction on encryption (China, Russia),
in-country use of encryption (China,
Russia), national security reviews for
M&A (U.S. CFIUS & FCC, China).

• privacy: economy-wide limits on
collection and transfer of information
about individuals (E.U.), sector specific
(U.S. health care HIPAA, financial GLB),


questions companies can and should ask
when providing service, domestically, but
particularly globally. There no doubt is competitive
advantage in providing solutions
that don’t raise privacy concerns.

■ Conclusion
Cyber is by definition a global issue for any
company, CEO, and board. The company’s
networks are global, products are global,
and adversaries are global. Furthermore, the
company must have relationships with governments
globally. Many companies are
‘global citizens’ and have a majority of their
sales outside their home country. Where the
cyber issue is in the top of the mind in each
of the major markets these companies serve
and where governments have not yet sorted
out acceptable global ‘rules of the road,’ it is
incumbent on company leadership to help
figure out what the future is going to look
like. Without common ground about what’s
OK and not OK for governments to do with
regard to each other, companies, and citizens,
we will face an uncertain technology
future. I am optimistic about the future and
about the ability to master the cyber issue.
However, it will take moving through the
problem set. We are at an inflection point—
as we continue to embed devices, software,
and hardware into everything, we need to
have a view, a path, a structure that gives us
confidence. Therefore, when we sit down in
an office such as the attorney general’s or a
board of directors and ponder the better and
lesser proclivities of mankind, we must be
confident we are driving rules-based decisions
to the happier side of the ledger—one
that ensures we reap the benefits of this
terrific, accelerating, age of technology.

through what they think about security and
privacy. Most want both. Some regions have
differing views. In the U.S., we limit what the
government can do through Constitutional
Fourth Amendment restrictions on unreasonable
searches and seizures, but we freely
give personal information to commercial
companies in exchange for free content and
other services we like. In Europe, it’s the
opposite. The E.U. presumptively limits
what information relating to individuals the
private sector can collect and share but often
has minimal legal procedures regulating
government activities to collect information
about its citizens. China has its own view on
national security and information, as does
Russia. In any event, companies have an
important role to play in the future of the
intersection of security and privacy.

Most people talk in terms of balancing
security and privacy. This may be a false
dichotomy. I think the better approach is to
drive to security and privacy. Try to get both
right. Do what you need to secure a system
or crown jewels or an enterprise, and use
techniques and technologies that help
ensure privacy. I think this is the challenge
for the future and likely an area that will
spur great innovation. How can we work
effectively with anonymized data? How can
we implement machine-to-machine anomaly
detection without identifying the individual
or that a device belongs to a particular
individual? How can we manipulate
encrypted data at scale? Can we know
enough from encrypted data streams across
the enterprise or network to understand and
stop an exfiltration or an attack? How can
we share cyberthreat information that is
anonymous and actionable? These are the


Pillsbury Winthrop Shaw Pittman LLP – Brian Finch, Partner

Managing third-party liability
using the SAFETY Act

One of the most pressing questions for directors and officers
of publicly listed companies is how to manage third-party
liability in the post 9/11 era. In particular, directors and
officers continually struggle with the issue of whether
‘enough’ security measures have been deployed to protect
not only corporate assets and employees but also innocent
Before 9/11, courts typically would not hold makers of
items such as ammonium nitrate fertilizer liable for the
misuse of their product by terrorists (finding that such
terrorist acts were ‘unforeseeable’ and that the fertilizer
manufacturers did not have a duty to protect the unfortunate
victims of the attacks).

Unfortunately, a series of decisions completely changed
the legal landscape post 9/11. In one case stemming from
the 1993 World Trade Center attack, New York state courts
initially held the Port Authority of New York and New
Jersey partially liable for the losses suffered by the victims
of the 9/11 attacks. In that particular case, the Port
Authority was held to a standard in which if it knew or
should have been aware of the possibility of a terrorist
attack, then it was obligated to take all reasonable measures
necessary to mitigate the possibility of said attacks.

Even considering that the decision was ultimately
overturned on a technicality (the Port Authority was
found to have a unique form of ‘sovereign immunity’
and therefore could not be held liable under any circumstances),
the initial decision set forth a blueprint that
other courts are sure to follow in future cases involving
terrorist or cyberattacks.

Similarly, claims filed against the manufacturers of
airplanes used in the 9/11 attacks were also allowed to
proceed, leading to significant costs for those companies.
In that instance, a federal court in New York allowed
claims alleging that the cockpit doors on planes made by
Boeing were negligently designed—thereby allowing



receive liability protections under the

In addition, entities that purchase or
deploy SAFETY Act approved security products
and/or services also will have the benefit
of immediate dismissal of third-party
liability claims arising out of, related to, or
resulting from a declared ‘act of terrorism’
(a term that encompasses physical or cyberattacks,
regardless of whether there is any
motive or intent that could be deemed ‘political’
in nature).

The reader should remember that at the
time of the drafting of this article, no litigation
specifically involving the SAFETY Act
has occurred, and so there is no established
legal precedent interpreting the statute itself.
However, the fundamental principles of the
SAFETY Act are based on the “government
contractor defense,” a well-established common
law affirmative defense to third-party
litigation that has been reviewed and upheld
by the U.S. Supreme Court.

Accordingly, this article is based on interpretations
of the SAFETY Act, the Final Rule
implementing the SAFETY Act, and the
underlying theory of the government contractor
defense.

■ Background of the SAFETY Act
The SAFETY Act provides extensive liability
protections to entities that are awarded either
a ‘Designation’ or a ‘Certification’ as a
Qualified Anti-Terrorism Technology (QATT).
Under a ‘Designation’ award, successful
SAFETY Act QATT applications are entitled
to a variety of liability protections, including
the following:

• All terrorism-related liability claims must
be litigated in federal court.

• Punitive damages and pre-judgment
interest awards are barred.

• Compensatory damages are capped at
an amount agreed to by the Department
of Homeland Security (DHS) and the

• That damage cap will be equal to a set
amount of insurance the applicant must
carry, and once that insurance cap is
terrorists to gain control of the planes—were
allowed to proceed. The court’s rationale
in that case was that a jury could find
that Boeing should have foreseen that a terrorist
would want to breach the cockpit and
hijack the plane, and thus its cockpit doors
should have been more strongly designed.

Because those claims were allowed to
proceed, Boeing on average paid 2½ times in
settlement fees what the plaintiffs (here the
families of persons killed in the 9/11 attacks)
would have received if they had elected to
participate in the 9/11 Victims Compensation

In light of the above, it is obvious that
directors and officers of publicly listed companies
must be very concerned about post-attack
litigation. Even if a court or jury ultimately
finds that there is no culpability on
the part of a director, officer, or the company
itself, the stark reality is that the legal fight to
reach that decision will be expensive and

So, the key question that directors and
officers of publicly listed companies must
ask themselves is, ‘How do we manage/minimize
third-party liability in a post 9/11
world?’ Insurance is certainly an option, but
obtaining a comprehensive policy can be
very expensive, and further coverage is
uncertain. Again using 9/11 as an example,
many companies paid immense amounts in
legal fees to force their insurance carriers to
honor terrorism-related claims under the
policies they issued.

Understanding the limits of insurance,
the question then becomes what other risk
mitigation tools exist that could limit by statute
or eliminate third-party claims? Based on
a review of existing statutes, regulations,
and alternative options such as insurance
coverage, the best opportunity for limiting
liability is the Support Anti-Terrorism By
Fostering Effective Technologies Act
(‘SAFETY Act’). Under the SAFETY Act,
‘sellers’ of security products or services
(a term that also includes companies that
develop their own physical or cybersecurity
plans and procedures and then use them
only for internal purposes) are eligible to



loss to citizens or institutions of the United

The Secretary has broad discretion to declare
that an event is an “act of terrorism,” and
once that has been declared, the SAFETY Act
statutory protections will be available to the
seller of the QATT and others.

A cursory review of this definition reveals
that there is no need to divine a motivation
for the attack and that the language used can
be interpreted to include physical attacks as
well as cyberattacks. The only ‘intent’ that
must be demonstrated under the SAFETY
Act then is that the attack is intended to
cause destruction, injury, or other loss to the
U.S. or its interests. This is important to
remember because it means that cyberattacks
also trigger the protections of the

■ SAFETY Act protections available
to customers and other entities

One of the most significant additional benefits
of the SAFETY Act is that the liability
protections awarded to the seller of the
QATT flow down to customers, suppliers,
subcontractors, vendors, and others who
were involved in the development or deployment
of the QATT. In other words, when a
company buys or otherwise uses a QATT
that has been either SAFETY Act ‘Designated’
or ‘Certified,’ that customer is entitled to
immediate dismissal of claims associated
with the use of the approved technology or
service and arising out of, related to, or
resulting from a declared act of terrorism.

The bases for these expanded protections
are clearly set forth in the SAFETY Act statute
and in the Final Rule implementing the
SAFETY Act. Both are detailed below:

With respect to the protections offered to
entities other than the Seller of the QATT,
the SAFETY Act statute states as follows:

IN GENERAL.—There shall exist a
Federal cause of action for claims arising
out of, relating to, or resulting from an act
of terrorism when qualified anti-terrorism

reached no further damages may be
awarded in a given year.

• A bar on joint and several liability

• Damages awarded to plaintiffs will be
offset by any collateral recoveries they
receive (e.g., victims compensation funds,
life insurance).

Should the applicant be awarded a
‘Certification’ under the SAFETY Act for their
QATT, all of the liability protections awarded
under a ‘Designation’ are available. In addition,
the seller of a QATT will be entitled to an
immediate presumption of dismissal of all
third-party liability claims arising out of, or
related to, the act of terrorism.

This presumption of immunity can be
overcome in two ways: (1) by demonstrating
that the application was submitted with
incorrect information and that that information
was provided through fraud or willful
misconduct or (2) by showing that the
claims asserted by the plaintiff related to a
product or service are not encompassed by
the QATT definition as written by the
Department of Homeland Security. Absent
a showing of element, the attack-related
claims against the defendant will be immediately
dismissed.

For the SAFETY Act protections to be triggered,
the Secretary of Homeland Security
must declare that an “act of terrorism” has
occurred. The definition of an “act of terrorism”
is extremely broad, and includes any
act that:

(i) is unlawful;

(ii) causes harm to a person, property, or
entity, in the United States, or in the case of a
domestic United States air carrier or a United
States-flag vessel (or a vessel based principally
in the United States on which United States
income tax is paid and whose insurance coverage
is subject to regulation in the United
States), in or outside the United States; and

(iii) uses or attempts to use instrumentalities,
weapons or other methods designed or intended
to cause mass destruction, injury or other



DHS, as set forth in the preamble to the
SAFETY Act Final Rule, agrees with this
interpretation, stating:

Further, it is clear that the Seller is the only
appropriate defendant in this exclusive
Federal cause of action. First and foremost, the
Act unequivocally states that a “cause of
action shall be brought only for claims for
injuries that are proximately caused by sellers
that provide qualified anti-terrorism technology.”
Second, if the Seller of the Qualified
Anti-Terrorism Technology at issue were not
the only defendant, would-be plaintiffs could,
in an effort to circumvent the statute, bring
claims (arising out of or relating to the performance
or non-performance of the Seller’s
Qualified Anti-Terrorism Technology) against
arguably less culpable persons or entities,
including but not limited to contractors, subcontractors,
suppliers, vendors, and customers
of the Seller of the technology.

Because the claims in the cause of action
would be predicated on the performance or
non-performance of the Seller’s Qualified
Anti-Terrorism Technology, those persons or
entities, in turn, would file a third-party
action against the Seller. In such situations,
the claims against non-Sellers thus “may
result in loss to the Seller” under 863(a)(2).
The Department believes Congress did not
intend through the Act to increase rather than
decrease the amount of litigation arising out
of or related to the deployment of Qualified
Anti-Terrorism Technology. Rather, Congress
balanced the need to provide recovery to plaintiffs
against the need to ensure adequate
deployment of anti-terrorism technologies by
creating a cause of action that provides a certain
level of recovery against Sellers, while at
the same time protecting others in the supply

Within the Final Rule itself, the Department
also stated:

There shall exist only one cause of action for
loss of property, personal injury, or death for
performance or non-performance of the

technologies have been deployed in
defense against or response or recovery
from such act and such claims result or
may result in loss to the Seller. The substantive
law for decision in any such
action shall be derived from the law,
including choice of law principles, of the
State in which such acts of terrorism
occurred, unless such law is inconsistent
with or preempted by Federal law. Such
Federal cause of action shall be brought only
for claims for injuries that are proximately
caused by sellers that provide qualified anti-terrorism
technology to Federal and non-Federal
government customers.

The SAFETY Act statute also reads:

JURISDICTION.—Such appropriate district
court of the United States shall have original
and exclusive jurisdiction over all actions for
any claim for loss of property, personal injury,
or death arising out of, relating to, or resulting
from an act of terrorism when qualified
anti-terrorism technologies have been deployed
in defense against or response or recovery
from such act and such claims result or may
result in loss to the Seller.

The key language, which comes from 6
U.S.C. Section 442(a)(1), states that the claims
arising out of, relating to, or resulting from
an act of terrorism “shall be brought only for
claims for injuries that are proximately
caused by sellers that provide qualified anti-terrorism
technology to Federal and non-Federal
government customers.”

Furthermore, in Section 442(a)(2), the
SAFETY Act states that U.S. district courts
shall have original and exclusive jurisdiction
for claims that “result or may result in loss to
the seller.”

The language in 6 U.S.C. Section 442(a)(1)
and (a)(2) reads such that terrorism-related
claims that have or could have resulted in a
loss to the seller may only be brought in U.S.
district courts against the seller. Nothing in
the statute would give rise to claims against
other parties who use or otherwise participate
in the delivery and use of the QATT.



Further, based on the extensive analysis conducted
above regarding the applicability of
the SAFETY Act statute and Final Rule, buyers
of security QATTs will be considered
‘customers’ for SAFETY Act purposes, and
therefore entitled to immediate dismissal of
claims related to an approved security technology
or service. Thus, the SAFETY Act can
and should serve as an excellent tool to mitigate
or eliminate said liability.

Accordingly, sellers and customers of
‘QATTs’ are entitled to all appropriate protections
offered by the SAFETY Act, whether
those offered by Designation, the presumption
of dismissal offered by Certification, or
the flow-down protections offered to customers
and others. QATT customers and
sellers could still face security-related litigation
should the Homeland Security Secretary
not declare the attack to be an “act of terrorism”
or if the claims do not relate to the
QATT as defined by DHS.

■ Conclusion
Entities that are potentially at risk for third-party
liability claims after an attack can be
materially protected through the SAFETY
Act. Users of SAFETY Act-approved security
products or services will also receive direct
and tangible benefits.

The SAFETY Act provides strong liability
protections that will flow down to such customers
per the language of the SAFETY Act
statute and Final Rule. A wide variety of
attacks, products, and services, including
cyberattacks and cybersecurity products and
services, are covered by the language of the
SAFETY Act, and thus, such products and
services are also eligible to provide dramatically
limited litigation and for such litigation
to be limited to ‘sellers,’ not ‘customers.’

Certainly not every attack will result in
liability for security vendors or their customers,
particularly with respect to third-party
liability. Should such liability occur, however,
it can be mitigated or eliminated using
the SAFETY Act.

Perhaps most importantly for directors
and officers of publicly listed companies, the
SAFETY Act should always be considered

Seller’s Qualified Anti-Terrorism Technology
in relation to an Act of Terrorism. Such
cause of action may be brought only against
the Seller of the Qualified Anti-Terrorism
Technology and may not be brought against
the buyers, the buyers’ contractors, or downstream
users of the Technology, the Seller’s
suppliers or contractors, or any other person
or entity.

Thus, the SAFETY Act statute and the Final
Rule implementing the law make it clear that
when there is litigation involving a SAFETY
Act QATT (whether Designated or Certified)
alleging that the QATT was the cause, directly
or indirectly, of any alleged losses, the
only proper defendant in such litigation is
the Seller of the QATT. Customers and others
are not proper defendants and are entitled
to immediate dismissal, because allowing
litigation to proceed against customers
would be contrary to the SAFETY Act statute
and Congressional intent.

■ Practical application of SAFETY Act
protections to limit third-party claims

Considering the above, companies that sell
or deploy security QATTs, as well as their
customers, are entitled to extensive benefits.
Sellers of cybersecurity QATTs are entitled to
the broad protections from third-party liability
claims offered under a ‘Designation’ and
a ‘Certification.’

As explicitly set forth in the SAFETY Act
statute and the SAFETY Act Final Rule, the
only proper defendant in litigation following
an act of terrorism allegedly involving a
SAFETY Act Designated and/or Certified
QATT is the seller itself. In this case, the
‘Seller’ would be the security vendor or
company that deploys its own internally
developed security policies, procedures, or
technologies with the QATT being said
Certified or Designated security policies,
procedures, or even technologies.

The basis for this analysis rests upon the
fact that sellers of security QATTs will have
received the QATT Designation or
Certification, thus conferring upon them
specific statutory liability protections.



Given the relative paucity of case law
defining what constitutes ‘adequate’ or ‘reasonable’
security, directors and officers
should look to the SAFETY Act as a way to
help determine whether their company’s
security plans and programs could be considered
to have achieved those benchmarks.
Doing so will not only help improve security
but also almost assuredly decrease the company’s
risk exposure.

when examining risk mitigation strategies
associated with the company’s internal security
programs (physical and/or cyber) as
well as security goods and services purchased
from outside vendors. The SAFETY
Act offers powerful liability protections and
can doubly serve as evidence that the company
exercised ‘due diligence’ and ‘reasonable
care’ when designing and implementing
its security programs.


Littler Mendelson P.C. – Philip L. Gordon, Esq., Co-Chair,
Privacy and Background Checks Practice Group

Combating the insider threat:
Reducing security risks from
malicious and negligent employees

“Edward Snowden,” the affair that bears his name demonstrates
the extreme damage that a privileged insider
can cause, even to an organization with the most sophisticated
security technology and one of the largest cybersecurity
budgets. Although Snowden may have been a
contractor, survey after survey demonstrates that
employees, whether through negligence or malice, are
the most common cause of security incidents. According
to the Vormetric Insider Threat Report 2015, 89% of
respondents globally stated that their organization was
more at risk than ever from the insider threat, and 55%
identified employees as the #1 internal threat. PwC’s
Global State of Information Security 2015 found that
current employees are the most frequently cited cause of
security incidents, well ahead of contractors, hackers,
organized crime, and nation-states.

These studies confirm that there has been no abatement
in the insider threat in recent years. Just as PwC’s study
found in 2015, a 2013 Ponemon Institute study, entitled
the “Post-Breach Boom,” also reported that negligent and
malicious insiders were the cause of 61% of security
breaches experienced by respondents, substantially
exceeding other causes, such as external attacks and system
error or malfunctions.

Employers can take a wide range of relatively low-cost,
low-tech steps to reduce the risk of insider threats. These
steps track the stages of the employment lifecycle, ranging
from pre-employment screening at the outset of the
employment relationship to exit interviews when that relationship
ends. Between those endpoints, employers can
reduce the insider threat by implementing and managing
access controls, securing mobile devices (whether employer-owned
or personal) used for work, carefully managing
remote work, providing effective training, and following a
myriad other steps discussed in more detail below.



check adequately protects their organization.
Currently, the vast majority of employers
do not conduct background checks after
the job application process has been completed.
However, several service providers
now offer “risk alerts,” either directly to
employers or indirectly through the employer’s
background check vendor. These risk
alerts notify the employer and/or the background
check vendor of post-hire risk factors
available through public records
sources, such as pending criminal charges,
criminal convictions, and bankruptcies.
Employers may consider using such “continuous
monitoring” services to help identify
employees who become security risks
over time.

■ Employee-oriented safeguards for sensitive
corporate data

Even employees who have been thoroughly
screened and have proven their trustworthiness
can expose an organization’s sensitive
data to loss or theft. Organizations and the
employees themselves can take the basic
precautions described below to mitigate
these risks.

A. Safeguarding electronic data

1. Access control lists: Restricting access
to information, particularly sensitive
customer, employee, and business
information, on a need-to-know basis is
a fundamental principle of information
security. Employees in the accounts
payable department, for example,
should be barred from accessing
human resources information. In
addition, access to information by
employees with a need to know should
be limited to the minimum necessary
to perform their job responsibilities.
Organizations should implement
a process for establishing the access
rights of new hires based on their
job responsibilities, for modifying
access rights when job responsibilities
change, and for promptly terminating
access rights when the employment
relationship ends.

■ Pre-employment screening and post-hire
risk alerts

Effective background screening can eliminate
the insider threat before it ever occurs by
identifying job applicants who pose a
threat to the employer’s information assets.
Employees responsible for evaluating background
reports should be looking not only
for prior convictions for identity theft but
also for other crimes involving dishonesty,
such as fraud and forgery, which indicate an
applicant’s propensity to misuse information.
Employers that rely on staffing companies
should consider not hiring temporary
workers for positions involving access to
sensitive employee, customer, or business
data, such as positions in the human resources
or R&D departments or those responsible
for processing credit card payments. If such
hiring is imperative, the employer should
impose on the staffing company, by contract,
background check criteria for temporary
placements that are at least as stringent as the
employer’s own background check criteria.

Employers should beware that pre-employment
screening can itself expose an
employer to significant risks. In the past few
years, the plaintiffs’ class action bar has
aggressively pursued employers for alleged
violations of the federal Fair Credit Reporting
Act (FCRA), which regulates the procurement
of background checks from third-party
consumer reporting agencies. As of mid-2015,
nearly 20 jurisdictions—states, counties,
and municipalities—have enacted “ban-the-box”
legislation to restrict private
employers’ inquiries into criminal history. At
the same time, the U.S. Equal Employment
Opportunity Commission (EEOC) has filed
several lawsuits against large employers,
alleging that their pre-employment screening
practices have a disparate impact on
African American and Hispanic job applicants.
Consequently, organizations should
carefully review their pre-employment
screening practices for compliance with the
many federal, state, and local laws aimed at
helping ex-offenders secure employment.

Employers also should consider whether
a one-time, pre-employment background



password protection, automatic log-out
after a short period of inactivity,
automatic log-out after a small number
of unsuccessful log-in attempts, and
remote wipe capability. In addition,
employees should be routinely
reminded of the need to physically
safeguard their mobile device, for
example, by not sharing the device
with others and by securing the device
(for example, in a hotel safe) when the
device is left unattended. In addition,
employees should be instructed to
immediately report the loss or theft
of the device to a person or group
designated to respond to such reports.

5. Remote work security: Corporate spies
can tap into unsecured WiFi connections
to steal sensitive data. To reduce this
risk, employees should be required to
use a secure/encrypted connection,
such as a virtual private network
(VPN), to access the corporate network
when working remotely. In addition,
employees should generally be required
to use that secure remote connection to
conduct business involving sensitive
data rather than storing the sensitive
data on a portable storage medium,
such as a thumb drive or a laptop’s
hard drive. Where local storage is a
business imperative (e.g., when work
must get done during a long flight),
employees should be required to use an
encrypted portable storage medium to
store sensitive data.

6. No storage in personal online
accounts: Once an organization’s
sensitive data move to an employee’s
personal email or cloud storage
account, the organization effectively
loses control of the information.
Absent the employee’s prior written
authorization, the email or cloud
service provider generally cannot
lawfully disclose the organization’s
data to the organization. At the same
time, employees often will hesitate
to sign such an authorization out of
concern that the employer will gain

2. Protecting log-in credentials:
Employees should be regularly
reminded of the importance of
protecting their log-in credentials.
They should be instructed not to share
their log-in credentials with anyone.
Hackers may pose as IT professionals
on the phone or send phishing emails
purporting to originate with the
employer’s IT Department, to trick
(“social engineer”) employees into
revealing log-in credentials. Employees
also should be instructed not to write
down their log-in credentials and
to immediately change their log-in
credentials when they suspect the
credentials have been compromised.
Finally, each employee should be
required to acknowledge that only he
or she is the authorized person to access
and view the organization’s information
through his or her log-in credentials and
is personally responsible for all activity
using those log-in credentials.

3. Screen security: Employees can reveal
sensitive data to “shoulder surfers”
in airplanes, at coffee shops, and
even at work by failing to adequately
protect their computer monitor or
screen. Employees should be reminded
to position their monitor or screen
to reduce the risk of viewing by
unauthorized individuals. In locations,
such as airplanes, where that may
not be possible, employees should
use a privacy screen to prevent
unauthorized viewing. Regardless of
location, employees should activate a
password-protected screen saver when
they leave their screen unattended.

4. Mobile device security: One of the
most common causes of security
breaches is the exposure of sensitive
data through the loss or theft of
employees’ mobile devices. To reduce
this risk, organizations should push
security controls to all mobile devices—
whether employer-issued or personally
owned—that are used for work. These
controls should include encryption,



secure remote connection. When there
is a business need, employees should be
required to keep the paper documents
with them at all times or to secure the
documents when unattended, just as
employees should do with a mobile

4. Require secure disposal of paper
documents: Pharmacies and other
health care providers around the
country have been the subject of
scathing publicity and government
investigations after journalists-cum-dumpster-divers
discovered
unshredded patient records discarded
in bulk behind the facility. Whether
working from the office or from
home, employees should be required
to shred paper documents containing
sensitive data or to discard them in
secure disposal bins.

5. Private conversations are meant for
private places: In today’s world of
mobile telephony, employees often
can end up discussing sensitive
information while walking down the
street, riding in public transportation,
or sitting in a crowded restaurant. Even
when working at the corporate office
or the home office, employees must
be aware that they are not discussing
sensitive data over the phone where
unauthorized individuals can
overhear them.

■ Employee monitoring
Monitoring technology has become increasingly
sophisticated and can now help employers
root out the insider threat. For example,
recently developed email and Internet monitoring
software uses “Big Data” techniques to
identify patterns of conduct for the workforce
as a whole, for particular groups, or for particular
individuals to establish a norm for
expected online conduct. When an employee
deviates from the norm—for example, by
downloading an unusually large number of
files to an external storage device or by sending
an unusual number of emails to a personal
e-mail account—the software alerts the

access to private information stored
in the account, and employees almost
always will flatly refuse to sign if
they are disgruntled or after they have
left the organization. Consequently,
employers should unambiguously
communicate to their workforce that
storage of the organization’s sensitive
data in a personal online account is

B. Safeguarding sensitive data in paper and
oral form
1. Clean desk policy/secure storage:

Whether employees are working at the
employer’s office or their home office,
paper documents containing sensitive
data can easily be viewed or stolen
by those not authorized to access the
information, such as maintenance
personnel at the office or those making
repairs at the home. Employees
should be reminded to secure paper
documents containing sensitive data
in locked offices, desk drawers, filing
cabinets, or storage areas and to
remove papers containing sensitive
data from their physical desktop when
it is unattended.

2. Beware of printers, scanners, and
fax machines: Office equipment
located in unrestricted areas poses a
risk to sensitive data in paper form.
Employees should be instructed to
promptly remove print jobs, scans,
and faxes from these machines so that
sensitive data cannot be viewed by
unauthorized individuals.

3. Avoid off-site use of paper documents:
Massachusetts General Hospital agreed
to pay $1 million to settle alleged
HIPAA violations after one of its
employees left the medical records of
192 HIV patients on the Boston subway.
Organizations can avoid incidents like
this by prohibiting employees from
taking paper documents with sensitive
data off-site unless there is a strong
and legitimate business need to do so.
Typically, employees will be able to
access the same information through a



Millennials admitted to compromising their
organization’s IT security as compared to
5% of Baby Boomers. Given this “culture of
noncompliance,” employers should consider
three methods for reminding employees
of their responsibilities as stewards of the
employer’s sensitive data.

First, employers should consider requiring
that all new hires whose responsibilities
will involve access to sensitive data execute
a confidentiality agreement. In addition to
identifying those categories of information
that employees must keep confidential, the
agreement should summarize some of the
key steps employees are required to take to
preserve confidentiality, require return of the
employer’s sensitive data upon termination
of the employment relationship, and confer
on the employer enforcement rights in the
event the employee breaches the agreement.
Employers should note that several federal
regulators, including the Securities &
Exchange Commission (SEC), the National
Labor Relations Board (NLRB), and the
EEOC, have been finding unlawful overly
broad confidentiality agreements that effectively
restrict employees’ rights to engage in
legally protected conduct, such as whistleblowing
or discussing the terms and conditions
of employment with co-workers.
Consequently, any confidentiality agreement
should be scrutinized by legal counsel before
it is distributed to new hires for signature.

Second, educating employees on information
security is critical. Training should
address a range of topics, including (a) the
employer’s legal obligations to safeguard
sensitive data, (b) the types of information
falling within the scope of this legal duty,
(c) the consequences for the employer’s bottom
line of failing to fulfill those legal obligations,
(d) the steps employees can take to
help the employer fulfill its legal obligations,
and critically (e) the situations that constitute
a security incident and to whom the
incident should be reported. Training should
be recurring and supplemented with periodic
security awareness reminders. These
reminders could take the form of email,
posts on an internal blog, or text messages

employer of the deviation from the norm, so
the employer can investigate further.
Employers concerned about the insider threat
should consider investing in monitoring software
that can perform this type of “user-based
analytics.”

Employers also should consider installing
data loss prevention (DLP) software on their
networks. This software flags communications,
such as outbound emails containing
sensitive data, for further action. For example,
DLP software may identify strings of
digits resembling Social Security numbers in
an outbound email, quarantine the email
before it leaves the organization’s network,
and alert the employer’s IT department of a
potential data theft.
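The DLP behavior described above can be illustrated with a short Python sketch. It is an added example, not taken from this guide or from any DLP product: it scans an outbound message (subject, body, and decoded text attachments) for strings resembling Social Security numbers and returns a quarantine-and-alert decision. The function names, the "it-security" alert target, and the sample messages are assumptions constructed for the example.

```python
import re
from email.message import EmailMessage

# Nine digits grouped 3-2-4 with one consistent separator ('-', ' ' or none).
# The lookarounds keep the pattern from firing inside longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Unformatted 9-digit runs are common (order numbers), so they only count
# when an SSN keyword appears shortly before them.
CONTEXT_RE = re.compile(r"\bssn\b|social security", re.IGNORECASE)


def plausible_ssn(area, group, serial):
    """Reject values never issued: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return masked SSN-like strings found in text (last four digits only)."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            continue
        preceding = text[max(0, m.start() - 40):m.start()]
        if sep == "" and not CONTEXT_RE.search(preceding):
            continue
        hits.append("***-**-" + serial)  # never log the full value
    return hits


def text_parts(msg):
    """Yield the subject and every text/* part, transfer-decoded."""
    yield str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is not None:
            charset = part.get_content_charset() or "utf-8"
            yield payload.decode(charset, errors="replace")


def dlp_decision(msg):
    """Quarantine and alert if any part of the message contains an SSN-like string."""
    hits = [h for text in text_parts(msg) for h in find_ssns(text)]
    if hits:
        return {"action": "quarantine", "notify": "it-security", "hits": hits}
    return {"action": "deliver", "notify": None, "hits": []}


def build_message(subject, body, attachment_text=None):
    """Construct a sample outbound email (constructed test data, not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "employee@example.com"
    msg["To"] = "personal@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_text is not None:
        # base64 transfer encoding hides the digits from a naive raw-bytes scan
        msg.add_attachment(attachment_text, subtype="csv", cte="base64",
                           filename="export.csv")
    return msg


if __name__ == "__main__":
    samples = [
        build_message("Payroll", "Jane's SSN is 123-45-6789."),
        build_message("Q3 export", "See attached.", "name,id\nJ. Doe,523 11 0042\n"),
        build_message("Shipping", "Invoice 900-12-3456 ships Monday."),
    ]
    for sample in samples:
        print(sample["Subject"], "->", dlp_decision(sample))
```

The second sample is caught only because the attachment is decoded before matching, and the third is delivered because area numbers beginning with 9 are rejected as implausible.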

Although network surveillance software
can substantially enhance other information
security measures, implementation can pose
risks for the organization. Although case
law applying the Federal Wiretap Act to
real-time email interception is somewhat
sparse, the cases suggest that employers
who capture email content in real time without
robust, prior notice to employees may
be exposed to civil lawsuits and even criminal
prosecution. Multinational employers
face broader, potential exposure for violating
local data protection laws, particularly
in the European Union. Consequently,
employers should conduct a thorough legal
review before implementing new monitoring
technology.

■ Confidentiality agreements, employee
training, and exit interviews

Although many of the safeguards described
above may appear to be common sense,
they likely will appear to be inconveniences
to many employees, especially to the Gen-Y
members and Millennials in the workforce
for whom the broad disclosure of sensitive
information through social media has
become natural. Cisco’s 2012 Annual
Security Report bears this out, reporting
that 71% of Gen-Y respondents “do not obey
policies” set by corporate IT. Similarly,
Absolute Software’s 2015 U.S. Mobile
Device Security Report found that 25% of



the one hand, and the groups responsible for
information security—the IT Department, the
Chief Information Security Officer, and/or
the Chief Privacy Officer—on the other. The
former group views information security as
the sole responsibility of the latter, and the
latter group views employees (and employee
data) as the sole responsibility of the former.

However, HR professionals and in-house
employment counsel can play a critical
role in enhancing an organization’s
information security. They typically are
responsible for evaluating whether to reject
applicants based on information reported
by the employer’s pre-employment screening
vendor. They routinely train new hires
and current employees on a wide range of
topics and could easily partner with information
security professionals to conduct
information security training. They often
negotiate contracts with service providers
who receive substantial quantities of
employees’ sensitive data. They regularly
receive and investigate complaints of suspected
employee misconduct, which may
include reports generated by DLP software
or other online surveillance software or
about employees’ otherwise mishandling
sensitive data. They also typically are
involved in disciplinary decisions, including
those based on employees’ mishandling
of sensitive data.

In sum, by making human resources professionals
and in-house employment counsel
valued members of the organization’s information
security team, organizations can significantly
enhance the effectiveness of their
overall information security program.

and can include critical alerts, such as notification
of a recent phishing email sent to
members of the employer’s workforce or
warnings against clicking on links or opening
attachments that could result in the
downloading of malicious code.

Third, employers should consider modifying
their exit interview process to specifically
address information security. At the
exit interview, the employer can accomplish
the following:

• provide the employee with a copy of his
or her executed confidentiality agreement
and remind the employee of his or her
ongoing obligation not to disclose the
employer’s sensitive data to unauthorized
third parties;

• obtain the return of all employer-owned
computers, mobile devices, and portable
storage media on which sensitive data
may be stored;

• arrange for the remote wiping, or other
removal, of the employer’s sensitive data
from any of the employee’s personal
mobile devices allowed to access corporate
information systems;

• confirm that the employee has not stored
any of the employer’s sensitive data in
personal email accounts, personal cloud
storage accounts, personal external
storage media, or anywhere else.

■ HR and in-house employment counsel need
a seat at the “information security table”

In many, if not most, organizations, there is a
chasm between the Human Resources department
and in-house employment counsel, on


Comprehensive approach
to cybersecurity


Booz Allen Hamilton – Bill Stewart, Executive Vice
President; Sedar LaBarre, Vice President; Matt Doan,
Senior Associate; and Denis Cosgrove, Senior Associate

Developing a cybersecurity
strategy: Thrive in an evolving
threat environment

The Internet and ‘always on’ connectivity are transforming
how we live, work, and do business. Game-changing
technology, powered by our increasingly connected society,
offers more efficient workers, new revenue streams,
and stronger customer relationships. Technology is not
optional; it is a core business enabler. That means it must
be protected.

Cybersecurity was once widely considered just another
item in a long list of back-office functions. Vulnerability
patching? Device configuration? These were IT problems
for the IT team to worry about. However, that has
changed. A series of high-profile cybersecurity attacks—
from Stuxnet to Target—demonstrate that cybersecurity
represents a business risk of the highest order. The C-suite
and board are taking notice.

However, as cybersecurity makes its way onto the
executive agenda, it is simultaneously time to rethink
our strategies. The ‘Internet of Things’ is more than a
fad. Suddenly, and increasingly, everything is connected.
Business leaders get it: to fend off emerging players
and ensure market competitiveness, companies are
re-architecting their business models around this concept.
It will drive success. It also requires new cybersecurity
strategies that take a broader view of risk. Developing
strategies that recognize risk beyond back-end IT systems
is critical, to include products, customer interfaces,
and third-party vendors. Above all, the new challenges
in cybersecurity demand an organization-wide
approach to protecting, and ultimately enabling, the
business. It is time to cast the net wider, and more effectively,
than ever before.



3. Product/service development: the research,
design, testing, and manufacturing
environments for your products and

4. Customer experience: the operational
realms where customers use and interact
with your products or services

5. External influencers: all external entities
that affect how you guide your business
to include regulators, law enforcement,
media, competitors, and customers.

A cybersecurity strategy at this scale requires
enterprise-wide collaboration. It will take
the whole organization to manage cyber
risk, so it is imperative to cast a wide net
and include representatives from across
business units in strategy formulation discussions.
It requires a multidisciplinary
team effort to develop a security strategy
that reflects the scale and complexity of the
business challenge.

■ Elements of cyber strategy at scale
Building a cybersecurity strategy can seem
overwhelming, but it doesn’t have to be.
Start with a vision, understand the risk,
identify controls, and build organizational
capacity. Each element builds on the others.

1. Set a vision: It all starts with a creative
vision. It’s critical to paint a high-level
landscape of the future that portrays
how cybersecurity is intertwined with
the most critical parts of your business.
Think about how value is created
within your company. Is it a cutting-edge
product? Is it by delivering world-class
customer service? Craft a short story on
how cyber protects and enables that.

2. Sharpen your priorities: You have
limited resources, just like every other
company. You can’t protect everything, so
you better be certain you’re focusing on
the most critical business assets. The first
step is to figure out what your company
determines to be its ‘crown jewels.’ Once
you’ve defined what truly matters, it’s
time you evaluate how exposed—or
at-risk—these assets are. That will give

■ The value of getting cybersecurity right
An effective cybersecurity strategy must
start with placing it in the context of the
business—what your company uniquely
provides as products or services really determines
how to approach the challenge. For
old-school IT security hands, this is a different
way of thinking. It means getting out of
the IT back office and learning the nuances
of what makes the business go. Take the
view of the CEO and board. It isn’t just that
it is the right thing to do or because compliance
matters. There are more meaningful
answers to uncover.

The right cybersecurity strategy is guided
by two related considerations: (1) ‘How does
cybersecurity enable the business?’ and
(2) ‘How does cyber risk affect the business?’
From this perspective, cybersecurity breaks
out of its technical box and IT jargon. It
focuses on competitive advantage, and it
positions cybersecurity as an enabler and
guarantor of the core business, whatever
business you’re in. If done right, cybersecurity
helps drive a consistent, high-quality
customer experience.

■ It takes an enterprise
A cybersecurity strategy grounded in your
unique business ecosystem will quickly
reveal what must be protected. Enterprise IT
still matters; it moves, analyzes, and stores
so much of your business-critical data.
However, a cybersecurity strategy must now
go further. Your industry should shape the
fine-tuning of the scope here, but we can boil
the components of your ecosystem ‘map’
down into several key features:

1. Enterprise IT: the back-end technology
infrastructure that facilitates company-wide
communications; processes, stores,
and transfers corporate data; and enables
workforce mobility

2. Supply chain: the flow of materials
and components (hardware and
software) through inbound channels
to the enterprise, where they are
then operationalized or used in the
development of products and services



undesirable will most certainly happen.
Incident response is more than just having
the right technology capabilities in place,
such as forensics and malware analysis. In
fact, real success in cyber incident response
usually comes down to the people aspect.
How plugged in are you with your
company’s legal, privacy, communications,
and customer sales units? They are all
critical to success; and with this expanded
scope of players, you can imagine how a
cyber matter can quickly rise to become a
top-line business matter.

7. Transform the culture: The best
organizations out there today do this
well. Because people are the core of your
business, it comes down to them ‘buying
in’ to cybersecurity as something that they
care about. From your dedicated cyber
workforce, to business unit leaders, to
those that manage your company’s supply
chain, you’ll need all hands on deck, each
doing their part in advocating for and
implementing cybersecurity measures. A
security organization can make this easier
by finding ways to make cyber relevant
for each part of the business by sharing
innovations that excite and enable the

■ Bringing the strategy to life
Perhaps the best measure of an effective
cybersecurity strategy is its ability to be
implemented and make a visible change in
how the business is operated. With a strategy
in hand, the next move is to build momentum
with ‘quick wins’ while investing in
long-term capability development.

The first step is to use your strategy’s risk
framework to assess where you must apply
new or enhanced controls. Look broadly. The
biggest cybersecurity challenges may not be
where your organization usually expects to
see them. There are multiple ways to assess
how well the organization is performing,
including workshops, external assessments,
tabletop exercises, or war games.

To appropriately assess the organization,
you need to know what ‘good’ looks like.

you a basis for right-sizing your security
program around these assets.

3. Build the right team: Once you define
what matters and how much security
makes sense, think about the people. What
does your direct and extended workforce
have to look like to be uniquely successful
at your company? These days, you can’t
get by with your security program being
filled with a technologist majority. It is time to
weave in an accompanying set of skill
sets that will help propel you to
success, to include organizational change
management, crisis management, third-party
risk management, and strategic

4. Enhance your controls: This is largely
about scope. With your company’s
quickly expanding ‘map,’ you’ll need to
adopt new methods for treating risk.
For example, if you deliver a ‘connected’
product to consumers, you’ll have to
ensure strong embedded device security,
as well as protections over the airwaves.
Without this, your brand could be at
stake. Fortunately there’s a great deal
of momentum in the world today, with
new methodologies, technologies, and
skill sets continuously being developed to
meet the challenge of today’s expanding
cyberattack surface.

5. Monitor the threat: Unfortunately,
cybersecurity isn’t only about reducing
risk behind your firewalls. It must also
include maintaining awareness of the
threat landscape—external and internal.
Because the threat is always changing
and always determined, you have to take
on that same adaptive mindset. Whether
that’s employing strong monitoring and
detection capabilities, consuming threat
intelligence feeds, or participating in
an industry-level information sharing
forum, there are many avenues that you
should strongly consider using.

6. Plan for contingencies: No one can ever
be 100% secure, so it’s vital to have a
strong incident response capability in
place to manage the ensuing events when
something happens, because something



This is different for each organization and
industry, but relying on industry benchmarks
and existing standards/frameworks
(e.g., NIST Cyber Framework) is a good
place to get a quick read on your maturity.
However, don’t adopt these standards
blindly; figure out what’s applicable to
your needs and what’s relevant for your

Once you’ve assessed your priorities and
set a maturity target, the next move is to
build a roadmap that pairs ‘quick wins’ with
more strategic and enduring capabilities.
Right away, you’ll want to ensure that you
are doing the basic blocking and tackling of
cybersecurity. Many call this instilling proper
‘cyber hygiene,’ or putting a foundational
layer of protections and capabilities in place.
Once you’ve gained a solid foothold, it is time to
take the next step, such as establishing predictive
intelligence mechanisms that help
you anticipate the next threat, instead of
reacting to it when it hits.

Perhaps the best way—and the biggest
challenge—to bringing your strategy to life
is to remember it isn’t policy or technology
that matters most, but people. Once you’ve
embraced this idea and put the person at the
center of all of your decisions, you can really
start to envision what it’ll take for cybersecurity
‘change’ to happen in your organization.

■ What getting it right looks like
It is easier to write about the concepts of a
good cyber strategy than it is to deliver one
for your organization. However, getting
cybersecurity right for the organization has
benefits far beyond IT. A strong cyber strategy
drives security capability development and
ultimately has the power to transform the
business into a more successful one. An effective
cyber strategy looks different depending
on the industry and individual business, but
they all share some key features.

It’s driven from the top. First, a strong cyber
strategy won’t be locked away in a file cabinet,
buried in a hard drive, or lost in the cloud.
Instead, it will be part of your organization’s
core message, and it will feel alive. That tone
will be set from the top, with senior executives
explaining how cyber will drive the future success
of the business.

It’s at the beginning of every new story.
Whether you’re designing a new product or
launching into a fresh multinational joint
venture, cyber is a conversation that will
always take place. Requirements are built in
from the beginning and brought to life as the
venture evolves. Remember, it’s always easier
and cheaper to implement cyber earlier rather
than later in the lifecycle.

Cyber is communicated in simple business
language. Don’t be paralyzed by those
who only want to ‘speak geek.’ Simple,
easy-to-understand logic should prevail when
communicating how cybersecurity is enabling
your business.

You’ve established a predictive edge. If
you’ve evolved your strategy in a disciplined
manner, some really amazing things start to
come to life. One powerful aspect is that
you’re using multiple sources of intelligence
to understand the world around you, and you
are able to anticipate the adversary’s next
move. Sometimes this can feel like playing a
fun video game, but it could really mean saving
the lifeblood of your business.

The puzzle pieces come together. With all
that you’ve invested in cybersecurity, the real
payoff comes when you see the component elements
work in harmony as a system. A unified
construct that links constituent technologies,
processes, and people together will prove
highly effective in monitoring and responding
to events and engaging the broader business
ecosystem to get things done.

You play a role in the community.
Cybersecurity is not something you should
attempt alone as an organization. The complexity
of vulnerability and the highly
resourced threats today are simply overwhelming
for any one entity. Cybersecurity


the ‘map’ of your business, and you now
understand all the points where cybersecurity
must play a part. Success at this point
means that you’ve carefully and deliberately
initiated dialogue and worked with different
elements of the business to embed security in
places beyond Enterprise IT and extended it
into broader touchpoints across the external

Your enterprise embraces it. From senior
leadership to customer-facing sales teams,
cybersecurity is integrated as part of your
cultural DNA. You hear about it all the time,
and you see how it’s factored into all major
business decisions. Your organization has
evolved to the point where it
is now living the principles of good cybersecurity
without even thinking about it.

requires the power of community, new ideas,
and security capabilities coming to life. When
successful, your organization is an active part
of key dialogues with industry and government.
Threat intelligence and best practices
are shared two ways, but more importantly,
you integrate into the fabric of a very important
and very valuable community.

‘Change agents’ are swarming. You’ll need
these thought leaders to move across all elements
of the business to shift mindsets and
anchor new behaviors. These advocates help
spread the cybersecurity vision broadly and
provide ‘on the ground’ feedback to make your
security strategy stronger.

Security is now embedded across your
ecosystem. You’ve taken a long, hard look at


Booz Allen Hamilton – Bill Stewart, Executive Vice
President; Jason Escaravage, Vice President; Ernie
Anderson, Principal; and Christian Paredes, Associate

Designing a Cyber Fusion
Center: A unified approach
with diverse capabilities

Since the early 2000s, organizations have focused cybersecurity
efforts around a preventative, “defense-in-depth”
approach. The multiple layers of security are intended to
thwart attackers; this trend has become known as the
“moat-and-castle” defense: higher walls, a deeper moat,
and other fortifications to deter or prevent the enemy
from breaching the castle grounds.

Within the past several years, high-profile breaches
across the financial, government, retail, health-care,
defense, and technology sectors have spotlighted the need
for a better incident response (IR) capability to detect,
contain, and remediate threats. These breaches are evidence
that prevention alone is no longer a sufficient
approach. However, many organizations lack a mature IR
capability and end up spending millions of dollars to outsource
IR services. Furthermore, once the incident is
remediated, organizations are still left wondering how to
effectively secure themselves for the highest return on
investment (ROI).

Prevention remains a critical component of an effective
security program. And organizations are increasingly
investing in native detection and response capabilities, or
a Security Operations Center (SOC). But the people, processes,
and technologies that are the backbone of the SOC
must be integrated within one Cyber Fusion Center (CFC)
that also combines functions such as Cyber Threat
Intelligence (CTI), Red Teaming, and Attack Surface
Reduction (ASR).

The Cyber Fusion Center. The CFC is a comprehensive,
integrated approach to security. The CFC mission is to
protect the business—its assets, people, clients, and
reputation—so that it can thrive and operate without
costly disruptions.



centralize threat knowledge and analysis,
unify the organization’s security strategy,
and ultimately maximize the value of investments
in cybersecurity.

Although the security functions that
make up the CFC are not new, the CFC
approach represents a complex interaction
between the security teams with multiple
“touch points,” parallel workflows, and constant
feedback mechanisms. With the right
design and implementation considerations,
organizations can:

• increase operational effectiveness by
orchestrating the security functions and
information flow from threat intelligence,
through security and IT operations

• improve security readiness by enabling
stronger detection mechanisms and
awareness of threats

• accelerate security maturation by
reducing the costs associated with
coordinating complex security functions
across multiple teams.

The CFC is distinguished not by its individual
parts but by the integration and interdependencies
across its functions. More than
just a security approach, the CFC is a security
mind-set that organizations can implement
to better secure themselves, protect
their customers, and reduce costly business
■ Building a robust SOC to detect and respond
to threats

Organizations are quickly recognizing the
need to detect and respond to a variety of
threats; simply blocking threats isn’t
enough. The Security Operations Center
(SOC) is the organization’s first line of
defense against all forms of threats and is
the heart of the CFC. The SOC will handle
any suspected malicious activity and work
closely with the other teams in the CFC. A
well-designed and maintained SOC will
focus on gaining efficiencies through continuous
analyst training and mentoring, and
constant evaluation of the organization’s
security technologies.

The CFC approach does not guarantee
that there will be no security incidents; this is
an impossible feat. Rather, it ensures that all
security efforts are coordinated efficiently by
leveraging the benefits of proximity (either
physical or logical) and easy communication
between security teams.

The CFC is designed to integrate key
security functions into a single unit without
stovepipes or prohibitive bureaucracy:

• Security Operations Center (SOC): the
heart of the CFC and the first line of
an organization’s defense responsible for
detecting, responding to, containing, and
remediating threats, as well as proactively
identifying malicious activity. The SOC is
also home to Threat Defense Operations
(TDO), the dedicated “hunting” arm
of security and intelligence operations
responsible for actioning intelligence,
conducting in-depth malware analysis,
and continually building and improving
prevention and detection methods.

• Cyber Threat Intelligence (CTI): the
“forward observers” responsible for
identifying threats to the organization
and disseminating timely, relevant, and
actionable reporting to the SOC, C-Suite,
and other stakeholders.

• Red Team: the “attackers” who simulate
the tactics, techniques, and procedures
(TTP) of threats relevant to your
organization. The Red Team will
continually “stress test” your SOC, driving
improvements in detection, response, and
SOC analyst threat understanding.

• Attack Surface Reduction (ASR): the
proactive defense group responsible
for identifying and mitigating
vulnerabilities, unnecessary assets, and
nonessential services. More than just
patch management, optimized ASR
teams focus on continually improving an
organization’s hardening and deployment
procedures to eliminate vulnerabilities
before systems go live.

By integrating these functions, the CFC aims
to break down communication barriers,



malware analysis that yields valuable technical
intelligence (TECHINT) that can be used in
detection logic and further enriched by CTI.

Managing all the security alerts (aka “alert
fatigue”). This process—building detection
solutions and then identifying and mitigating
threats—is where many organizations
struggle. Oftentimes, implementation of efficient
and effective SOC processes is stifled
by an overwhelming number of consoles,
alerts, threat feeds, and tools that prohibit
seamless workflows for analysts. While
security managers should continually identify
potential feeds and technologies to
invest in, their impact on the SOC analyst
should always be a primary consideration:

• How many new alerts will this technology
or new data feed produce?

• Who will tune the technology to limit the
number of false positives it produces?

• Is the technology filling a gap in detection
capabilities or adding on to existing

• How does the introduction of this new
technology affect the SOC workflow?

The main point to remember is that more
technology, tools, and threat feeds do not
necessarily enable your SOC to operate more
efficiently. Designs that emphasize smooth

A tiered SOC structure. The SOC can be
designed around a simple detect, identify,
and mitigate model. Analysts at various tiers
investigate malicious activity (aka alerts or
events) with these three stages in mind: Tier
1 analysts are charged with classifying the
severity of the event and correlating the
event with any historical activity. If necessary,
Tier 1 analysts will escalate incidents to
Tier 2 and 3 analysts, who will conduct in-depth
investigations and perform root-cause
analysis to determine what happened.

Threat Defense Operations (TDO).
Additionally, specialized analysts within the
SOC—Threat Defense Operations (TDO)
analysts—are responsible for creating detection
logic in the form of signatures, rules,
and custom queries based on CTI-provided
threat intelligence. TDO engineers deploy
the detection logic to a range of devices,
appliances, tools, and sensors that make up
an organization’s security stack. The rules,
signatures, and queries create a threat-based
preventative sensor network that generates
network and host-based alerts that Tier 1–3
analysts in the SOC respond to.

TDO analysts will then fine-tune their
detection logic based on SOC feedback, creating
an efficient CFC that won’t waste time
investigating false alarms. The TDO team is
also responsible for providing in-depth

[Figure: SOC 24/7 Organizational Framework, with the functions Enable Detection, Identify Threats, and Mitigate Threats, and a Case Management Approach (Manage, Standardize, Measure). Role descriptions shown in the figure:
• First-level responder responsible for detecting and assessing cybersecurity threats and incidents across the environment
• “Operationalize” threat intelligence to enable automated detection and manual analysis within and across prevention and detection technology
• Conducts in-depth analyses of security incidents with specific ability to identify Indicators of Compromise, perform root-cause analysis, and execute containment strategies]



Instead of looking to new technology first,
successful organizations will constantly
evaluate their security posture and frequently
train their analysts on how to react to new
threats. Organizations must carefully consider
how new technology and tools will
impact the analysts’ workflow and their ability
to detect and respond to threats while
focusing on processes and procedures.

■ Using Cyber Threat Intelligence to anticipate

Cyber Threat Intelligence (CTI) has become
the security buzzword of 2015. Many products
and services claim to provide threat
intelligence and promise to prevent a major
incident. As this term has saturated the market
and security circles, the true meaning
and value of threat intelligence has become
clouded. As a result, the usefulness of threat
intelligence is, in some cases, dismissed.

However, true threat intelligence is incredibly
powerful—it can serve as a force-multiplier
for your CFC, helping to improve awareness
of threats and offering the means by
which these threats could be prevented or

So what is threat intelligence? First, and
most important, only humans can produce
threat intelligence through focused research,
a synthesis of multiple sources (aka “all-source
analysis”), and clear, concise communication
that explains the relevance of threats
to your organization. Generally, threat intelligence
feeds will not provide much intelligence
value unless they are thoroughly vetted
by human analysts first; feeds are more likely
to generate false alarms than to indicate malicious
activity. Additionally, good threat intelligence
will be implemented in a way that
demonstrates the following characteristics:

Cyber Threat Intelligence is timely. Cyber
intelligence addresses an impending threat
to the business environment. Receiving that
intelligence before the threat is realized is
crucial to the organization. Dissemination of
strategic and tactical intelligence, including
indicators of compromise (IOCs), can take
the form of indications and warning (warning
of an imminent threat), daily or weekly

workflows and “painless” methods of data
collection (e.g., analysts do not need to contact
other teams to access certain data) are
more likely to succeed than those that prioritize
technology. Organizations should focus
on technology that enables SOC investigators
to spend less time collecting data and
more time investigating the root cause of the
activity they’ve been alerted to.

Implementing 24/7 operations and managing
investigations. Design and implementation
should focus on standardizing daily operations,
case management, and methods of
“measuring success.” Modern-day threats
necessitate that SOCs operate 24/7, 365 days
a year, requiring well-thought-out shift
schedules and defined roles. Leaders with
managerial and technical experience can aid
in workflow management and provide analyst
training.

Having a well-integrated, easy-to-use
case-management system that doesn’t get
in the way of investigations and seamlessly
interacts with other SOC tools is key. This
tool ideally provides metrics on how effectively
your SOC monitors, detects, and
contains cases and will allow an organization
to identify gaps in people, processes,
and technologies.

Standardizing your standard operating procedures.
Successful implementation also
demands accurate and up-to-date documentation.
This includes documentation on
network architecture, standardized operating
procedures (SOPs), and point-of-contact
lists. If the SOC is considered the “heart”
of the CFC, then SOPs act as its beat, guiding
analysts in situations ranging from collecting
forensic evidence to stopping data
exfiltration.

These procedures change as new technology
and organizational structures are implemented.
Many organizations fail to update,
train, and test their staff and leaders on
SOPs, hurting their response times and containment
metrics.

The bottom line. The SOC provides core
security functions within the CFC and can
achieve efficiencies through close integration
with other teams such as CTI and TDO.



Oftentimes, business decisions have to be
made without all the information. An understanding
of the threat landscape can help to
make these business decisions, however. For
example, attacks on organizations in related
industries can serve as an indication that
your business might soon be targeted (or has
already been targeted).

Although the SOC team is your organization’s
first line of defense, it can operate more
effectively and efficiently with the support of
CTI. Your security team will handle a wide
array of potential threats and must be able to
quickly triage events, determine the threat
level, and mitigate incidents. CTI can help
SOC analysts to prioritize these alerts, can aid
in investigations, and can help SOC analysts
attribute malicious activity to specific threats
or threat groups. Over time, by leveraging
technical intelligence the SOC will develop a
stronger understanding of the threats they
face, enabling them to act more quickly. The
TDO component of SOC will also closely
coordinate with CTI to conduct analysis and
develop creative detection mechanisms.

The bottom line. Real, human-developed
Cyber Threat Intelligence will enable your
organization to pre-empt threats, assess
risk, and take appropriate defensive actions.
Benefits such as avoiding the cost of post-event
recovery and remediation, and preventing
the theft, destruction, and public
release of critical data, make Cyber Threat
Intelligence critical to your organization.

■ Conducting Red Team exercises to “stress-test” and strengthen your Cyber Fusion

A fundamental question for every business
is: Will your cybersecurity organization be
ready when an attack comes? An important
means of assessing and “stress-testing” your
CFC is to actively attack it. Through coordinated
Red Team exercises, your CFC personnel
can learn to detect and respond to a
variety of threats.

Simulate threat actors’ TTP. Red Team operations
will ideally be designed to simulate
the tactics, techniques, and procedures of
threats that your CTI team has assessed to be

reports (highlights on relevant threats), and
executive briefs (assessments on major and
specific cyber issues for C-suite stakeholders).
Depending on the audience, other technical
or nontechnical reports can also be

Cyber Threat Intelligence is relevant. For
many organizations thresholds for relevancy
are tricky to define, especially when
media reports constantly warn about a
range of threats. A cyber breach in a distant
industry—even a major one—may not concern
you as much as a breach within your
own sector; a vulnerability in a technology
platform you don’t use is obviously less
important than a potential zero-day vulnerability
in your enterprise-enabling platform.
Relevant threat intelligence produces
valuable insights on not only issues occurring
in the global business environment but
also on specific issues within your industry
and related to your IT environment. Even
further, it strives to give you unique insight
into specific adversaries targeting your
organization or peers, by assessing their
intentions and capabilities.

Cyber Threat Intelligence is actionable.
Actionable threat intelligence is created
when analysts filter through large volumes
of data and information (from human sources,
technical feeds, criminal forums, etc.),
analyze why specific pieces of information
are relevant to your organization, and communicate
how that information can be used
by various stakeholders. C-suite executives
need strategic “big picture” intelligence to
inform business decisions such as risks associated
with an increasingly global IT footprint.
On the other hand, your SOC, TDO,
and ASR teams need tactical and technical
intelligence to support current investigations,
create detection logic, and prepare for
potential attacks. Technical intelligence will
also be used to determine if certain malicious
actions or indicators have already been
present on your network.

Strategic and tactical threat intelligence.
Today’s corporate leaders face a serious
challenge in that it is not always possible to
accurately predict a cyberattack or its effects.



strained—no SOC likes to lose, and oftentimes
the Red Team has the advantage. This
can make after-action review of an incident
stressful for both teams. However, a healthy,
competitive relationship between the SOC
and Red Team can foster improvements in
the CFC, particularly in detection and
response capabilities. Although the SOC and
Red Team functions contrast, their missions
are the same: to protect the organization and
improve its security capabilities.

Implementation of Red Team operations
should therefore emphasize the interdependency
between the SOC and Red Team
mission. The Red Team should assist the
SOC during remediation efforts to ensure
any uncovered vulnerabilities are no longer
susceptible to exploitation.

The bottom line. Fundamentally, Red Team
design and implementation takes a human-centric
approach. The benefits of placing your
“attackers” in close (physical or logical) proximity
to your SOC analysts cannot be understated.
SOC analysts learn to develop an
appreciation for the fact that they are fighting
people who make decisions to achieve an
objective—it’s not just about the malware.

■ Reducing your organization’s attack surface
Efforts to protect your organization will be
significantly diminished if your IT systems
have easily exploitable vulnerabilities, unnecessary
services, and nonessential assets. On
the other hand, shutting down all protocols,
services, and data resources is not a viable
option. Thus, the goal of Attack Surface
Reduction (ASR) is to close all but the required
doors to your technical infrastructure and
limit access to those doors through monitoring,
vulnerability assessment/mitigation,
and access control.

The ASR team is dedicated to identifying,
reducing, and managing critical vulnerabilities,
services, and assets, while also focusing
on preventing the introduction of vulnerabilities
via improved hardening procedures.

Understanding and prioritizing your “attack
surface.” Implementing ASR is all about identifying
and understanding your most critical
business applications and services—the

a risk to your organization. Your SOC could
also be a valuable source of input as you
determine how to implement your Red Team
operations. What types of threats does your
SOC regularly observe? More important,
what types of threats does your SOC typically
not see? Does your SOC find that there
are gaps in detection? What does your SOC
think they detect/mitigate well and is worth
testing? Where does your SOC have limited
detect/mitigate capabilities?

It is the Red Team’s responsibility to test
these questions and the limits of your SOC
and broader CFC. For example, if it is known
that the SOC rarely encounters web shells—
a type of malware installed on web servers—
your Red Team may choose to directly attack
a web server.

An important aspect of a Red Team
operation is that only select leaders are
aware of operations (often referred to as
the “white team”), adding to the realism of
the event. This implementation allows
those who are aware to observe the event
as it unfolds, particularly how teams interact
with each other, how information is
passed along, how stakeholders are
engaged, and how the teams handle a variety
of attack scenarios. These leaders can
also help to scope Red Team activities to
ensure no critical data or operations are
actually compromised or exposed.
(Remember to loop in the legal department
prior to the exercise as well.)

After-action improvements. The end result
of a Red Team activity should be valuable
insight your security team can use to
improve its capabilities. For example, during
a web server attack exercise, the CFC will
need to evaluate how it handled the incident.
At what point did the SOC detect the
attack? Are there changes that could be
made in how security tools are configured to
improve future detection of this type of
attack? These sample questions frame the
improvements that can be implemented
within the cybersecurity organization.

The nature of the Red Team’s operations
means that communication between the
SOC and Red Team can sometimes be


Organizations require continuous scans and
costly-to-maintain configuration management
databases (CMDB) to track and ensure
the attack surface hasn’t expanded beyond
the organization’s acceptable risk level. And,
new exposures often emerge throughout the
course of normal business as new IT systems
are introduced or upgraded.

While there are many technologies available
to aid organizations in managing vulnerabilities
and assets, human analysts can
leverage contextual understanding of vulnerabilities
and the attack surface in ways
that scanning software cannot provide.

Experienced ASR security professionals—
who possess a deep understanding of network
engineering, IT concepts, and security—are
able to synthesize disparate pieces of information
that can point to a previously undetected
or contextually important attack vector.

The bottom line. Attack Surface Reduction
enables organizations to proactively reduce
security vulnerability-related risk prior to
implementation and to mitigate existing and
other inevitable risks. Importantly, the ASR
function is designed so that humans complement
the technology to minimize the attack
surface to an optimized level that balances
security risks and day-to-day realities of
enterprise business operations.

■ Cyber Fusion Center attention
The seemingly endless string of breaches
across major U.S. sectors—finance, technology,
manufacturing, and others—leaves
C-suite executives wondering, “Will we be
next?” or even, “Have we already been
breached?” New tools, technologies, and
data sources may help in preventing an
attack, but threat actors are clearly capable of
scaling the castle walls, or forging the castle
moat. Yet by developing a Cyber Fusion
Center, organizations develop the speed, collaboration,
coordination, information flows,
and C-suite awareness necessary to not only
survive but thrive.

“crown jewels”—including their functions,
supporting infrastructure, scope, and inherent
vulnerabilities. This process entails a series of
vulnerability scans, security documentation
review, architecture assessments, host discovery
scans, nonintrusive penetration tests, and
targeted interviews with IT personnel.

Next, the ASR team should prioritize each
asset, considering their critical value to operations
and the ability for the most relevant
threat actors—as assessed by your CTI
team—to leverage these assets in an intrusion.
In addition, the impact of these attacks
must be considered. The assets that are most
likely to be the victim of a high-impact attack
or leveraged in a high-impact attack (such as
Adobe Flash) should receive the highest priority,
most robust security controls, and
attention from the CFC.

More than just patch management. While
vulnerability and patch management is a core
ASR function, achieving a vulnerability-free
organization is not a realistic goal.
Vulnerabilities must be identified and managed
appropriately—keeping a focus on preventing
and quickly responding to the most
critical. Continually improving deployment
and hardening procedures, especially for
publicly facing services and services that may
permit attackers to access high-trust zones, is
a critical ASR process for facilitating preventive
measure and effective mitigation timing.

As such, the ASR function should be
ongoing. ASR closely collaborates with other
CFC functions, especially CTI and TDO,
which can develop rules to detect exploitation
of new vulnerabilities. For example, CTI
may become aware of new vulnerabilities
that threat actors are leveraging. ASR will
work with CTI to prioritize the most relevant
vulnerabilities based on reports of their
exploitation “in the wild.”

A highly technical function that demands
strong human analysis. Maintaining complete
asset awareness is increasingly difficult in
today’s dynamic business environment.


Intercontinental Exchange & New York
Stock Exchange – Jerry Perullo, CISO

What are they after?
A threat-based approach to
cybersecurity risk management

Given finite resources and the ongoing threat of the “next
big hack,” cybersecurity is not the place to let a thousand
flowers bloom. How does a governance body that is balancing
this complex topic with so many other complex
risks pick the right questions to ask? The spectrum of
popular guidance ranges from an end-to-end program
that generates hundreds of inspection points to a kneejerk
reaction to the latest headlines. Distilling the truly critical
areas of focus requires a balanced approach that is well
served by beginning with the end in mind and asking,
“What are they really after?”

Traditional guidance has centered security program
construction and audit on comprehensive standards-based
frameworks. Although the popularity of specific standards
has waxed and waned, general principles have revolved
around identifying assets, establishing a risk management
program around those assets, and establishing preventative,
detective, and corrective controls to protect those
assets. There is nothing wrong with this recipe at the tactical
level. In fact, boards should expect a continuous program
cadence around this type of strategy and expect to
see third-party auditors, customers, vendors, and regulators
use this approach in examination. Controls should be
mapped to an established framework and any gaps or
vulnerabilities identified. The challenge, however, is that
this produces a massive corpus of focus areas and controls
that cannot be digested in a single targeted governance
session. And finally, it does not produce a ready answer to
the top board concern: “How could we be hacked?”

Likewise, reacting to headlines and rushing to establish
the controls and technology cited in the latest news story
will divert all resources to someone else’s vulnerability,
whereas yours may be very different. Simply asking,
“Could what happened last week happen to us?” may at
best result in a false sense of confidence or a mad dash to



allow identity theft. Capturing 100 or 1000 is
not, however, alluring enough. Do you have
bulk card or PII data? Card processors, retail
institutions, and health-care providers are
clear targets for this type of penetration. If
this is your world, the major breaches of the
day serve as case studies. Lessons learned in
these areas lead to an emphasis on the following
questions:

• Do we know all the places where these
sensitive data live, and have we limited
it to the smallest set of systems possible

• Is access to the systems housing this data
tightly controlled, audited, and alarmed,
including via asset-based controls?

• Is this data encrypted in a manner that
would thwart some of the specific tactics
observed in major breaches?

If you do not hold easily monetized data,
these questions may not be the right place to
start. Again, this does not mean that data
theft is acceptable in any organization.
Confidential email, intellectual property,
customer login credentials, and trade secrets
are some of the many examples of data we
must protect. Close examination often shows
that ring-fencing, asset-focused controls,
encryption, and other concentrations born of
the rash of recent card and PII breaches may
not be appropriate for more common and
less frequently targeted data, however. If
the data you are protecting are much more
valuable to you than to an assailant, traditional
controls such as company-wide access
control, permission reviews, and identity
management are probably the right emphasis
and should not be neglected in pursuit of
stopping a phantom menace.

■ Threat category 2: Activism
Is your organization the target of frequent
protest or activism? Perhaps the issue is climate
change. Perhaps it is labor relations.
Perhaps you are caught up in the storm of
anti-capitalism, anti-pharma, anti-farming,
or simply high profile. You may or may not
know if there are groups with an ideological

address a gap that isn’t relevant to your
organization. Vendors cannot be faulted for
preying on this tendency, and the result is a
barrage of solutions to the last headline’s
problems: “You desperately need encryption.”
“You need behavioral technology to
baseline administrator activity and to alert
unusual access times or locations.” “You
need to give up on securing everything and
only focus on the critical assets.” “You need
stronger passwords.” All of these solutions
have their place, but if they are not responsive
to the threats facing your business, they
may cause more distraction than protection
based on your unique requirements.

Identifying a relevant and reasonable
agenda for a governance session requires a
targeted and balanced approach. Let us
group the major cyber headlines of the last
decade into several large categories. With a
finite grouping of threats, we can begin to
model what each threat would look like to
your organization, which leads to an assessment
of likelihood and impact. With this
picture of viable threats, the board can hone
in on specific questions that will produce the
most value. By all means, all of the threats
listed below should receive treatment in
some capacity in any cybersecurity plan, but
prioritizing which are most relevant to your
organization will expose the most valuable
areas to explore with limited time. Further,
identifying business practices that expose
you to a particular threat category may lead
you to reconsider them in light of new costs
that were not included in previous assessments.
The calculus around maintaining a
lower profile or outsourcing targeted data
may change when you factor in cybersecurity
risk.

■ Threat category 1: Data theft
Do you manage assets that can be easily monetized?
Credit numbers and social security
numbers—in bulk—are the drivers behind
many newsworthy breaches. Criminals have
established the proper fencing operations and
can justify enormous risk and effort to capture
millions of card numbers or pieces of
personally identifiable information (PII) that



If this type of threat is not applicable to your
organization, focusing controls and review
on mitigating such attacks may not be the
best allocation of resources.

■ Threat category 3: Sabotage
Are you a provider of critical infrastructure?
Do you or your key executives issue politically
charged statements publicly? Would
the interruption of your business further an
extremist objective? Although these threats
require more sophisticated tactics and more
time to perpetrate, they often bring highly
motivated and coordinated threat actors.
Adversary objectives in this area usually go
well beyond website attacks. Physical control
systems, data integrity, or even the functionality
of employee workstations may be
the target in this type of attack. Although
there are many vectors for this type of attack
and several are often used in conjunction, a
common theme quickly becomes targeting
employees individually. Social engineering
and phishing prey on common habits and
assumptions to dupe people into disclosing
a password, clicking a malicious web link,
or opening an attachment. These attacks can
be the most difficult to defend against, but
their reliance on persistent access and a
longer lifecycle to build towards the final
goal makes detective and corrective controls
more valuable and decreases reliance on
absolute prevention. Additionally, the actors
involved and potential impact to national
interests likely make mitigation assistance
available to you if you focus on detection
and have the right contacts in place. Good
questions to ask if you are at risk of this
category of attack include the following
(and employees includes contractors and

• Do individual employees recognize the
importance of their role in securing the
organization and what an attack may
look like?

• Are employees routinely reporting
suspicious activity?

• Are employees educated and incentivized
to act responsibly with regard to cyber?

motivation to put a black eye on your business.
Cyber opens up a whole new realm of
ways for people to accomplish this, and
often with anonymity. When attacks fall into
this category, the most likely impact is an
action that can be touted in public. This usually
means one of two things: Denial of
Service (DoS) or defacement. The former
category will attempt to demonstrate your
powerlessness by rendering a component of
your business unavailable to your customers
or the general public. Although attacking
customer access or more internalized systems
may be more damaging in reality,
remember that the goal is to make a splash
on a big stage with minimal effort or exposure.
More often than not, that means attacking
your public website. The same target
(plus social media accounts) is most common
for defacement attacks. The only thing
more satisfying to an activist than rendering
your service unavailable is replacing it with
a pointed message. High-profile attacks in
this category include the near-incessant
Distributed Denial of Service (DDoS) attacks
against major banks, particularly those with
names evoking western countries. Targets of
defacement include Twitter and Facebook
profiles of targeted companies and government
entities. If this type of threat is likely to
be pointed at your organization, good questions
to ask include the following:

• Can we sustain a DDoS attack on the
order of magnitude recently observed in
the wild?

• If we have a DDoS mitigation plan, how
long would it take to activate during an
attack? Is an outage for this duration
acceptable, or would it be considered a
failure in the public eye?

• Are we continuously scanning our primary
website(s) for common vulnerabilities
that may allow unauthorized changes?

• If our website were defaced, how long
would it take to restore?

• Are credentials to official company social
media accounts tightly controlled by a
group outside marketing that is more
security conscious?



advanced threats. At a minimum, automated
attacks look to procure access to your IT environment
so that your computing resources
can be made available for more nefarious
aims. Even if you do not host critical infrastructure
or easily monetized data, commodity
threats look to compromise your computers
so that they can be used as agents of more
sophisticated attacks. Malware looks to enlist
your computing, storage, and bandwidth to
help criminals blast out junk email, store
pirated media, or contribute to a Denial of
Service attack. Attackers in this category do
not care (or often know) if your computers
belong to a financial services firm, manufacturer,
university, home network, or hospital.
Protecting your organization from these
common attacks requires being less exposed
than the next target. Ask yourself:

• Have we identified a role in our
organization that is responsible for

• Are only absolutely required services
exposed to the Internet?

• Are PCs and email servers protected
from common viruses and malware in an
automated fashion?

• Does our corporate email employ controls
to filter out the most common virus and
spam campaigns?

• Does our corporate Internet access
incorporate controls to block access to
malicious websites?

One special form of opportunistic attack
involves ransom. Some malware encrypts
the content of infected computers so that it
becomes unavailable until a payment is
made. This type of attack can be crippling. In
addition to the preventative controls outlined
above, you should ask the following:

• Are our file servers backed up and tested
regularly, and could we recover quickly if
all current data were unavailable?

• Have we, via policy and practice,
established the principle that PCs and
laptops are disposable, that data on these

• Are systems detecting suspicious employee
behavior that may indicate credentials
under the control of an outsider?

• Has contact been established with incident
response firms and law enforcement, and
could they quickly be mobilized if a
compromise is detected?

■ Threat category 4: Fraud
Do you operate a system that makes or processes
payments? Although any pay-for-service
you offer may be the target of someone
looking for a free ride, nothing attracts
the sophisticated criminal element like cash.
If you offer the ability to move money, you
should have a focus here. Although fraud is
certainly not a new challenge, Internet connectivity
has certainly brought it to new
levels. If this is relevant to your organization,
you have likely been dealing with the
ramifications long before cyber considerations
were added. The following questions,
however, may be helpful to ensure cybersecurity
efforts are aligned with traditional
fraud protections:

• Have we deployed and enforced two-factor
authentication such as text
messages, mobile phone apps, or physical
tokens to require our customers to have
more than a username or password to

• Are we using adaptive authentication
to identify suspicious locations, access
times, or transaction patterns in addition
to classic credentials?

• Are we tracking and trending the sources,
frequency, and value of losses?

• Are we working closely with peer
institutions and competitors to share
threat intelligence and identify common
patterns we should detect and/or block?

■ Threat category 5: Commoditized hacking
Although specialized threats are associated
with specific targets, all organizations have
exposure to the most common family of commoditized
threats. These threats are opportunistic
and warrant different controls than


around mission critical infrastructure and
data. Attention to governance has ramped up
dramatically in a short period, and it can be
diffi cult to sift through the advice of experts.
Investing time in analyzing threats and iden-
tifying what assets adversaries are truly after
is a critical fi rst step in establishing an effec-
tive governance policy around cybersecurity.

devices should not be relied upon, and
that network storage should be used to
house any critical data?

■ Conclusion
Although cybersecurity is a relatively new
field, it has already grown into an expansive
area requiring monitoring and controls


Palo Alto Networks Inc.

Breaking the status quo: Designing
for breach prevention

■ Today’s reality and commoditization of threats
The statistics regarding the success of advanced
cyberthreats paint a very grim picture. The increasing
speed at which new security threats appear, and the
growing sophistication of criminal hackers’ techniques,
make fighting cybercrime a constant challenge. A recent
study by Cyber Edge found that 71 percent of the
security professionals polled said their networks had
experienced a breach, up significantly from the previous year
(62 percent). And half of those respondents felt that a
successful cyberattack against their network was likely in
the next 12 months, compared to just 39 percent in 2013.

Unfortunately, there isn’t a week that goes by these
days when we aren’t learning about some new data
breach. To say that keeping up with attackers’ evolving
techniques and advanced threats is difficult is an
understatement. These attacks come from multiple angles,
through the edge of the network and directly at the users
of our digital infrastructure. Not only are they more
targeted in nature, the mechanisms that attackers use
increasingly utilize a growing pool of software vulnerabilities.
Some vulnerabilities are known only to the attacker,
referred to as zero-days. Others are known to the general
public but have yet to be fixed by the software vendor, a
fact attackers are very much aware of.

Additionally, new attack methods and malware are
shared readily on the black market, each more sophisticated
than the last. The cat-and-mouse game between attackers
and defending organizations is no longer a competition.
Attackers have not only pulled ahead, they’ve gained so
much distance that most security teams have given up on
the notion that they can prevent an attack and are instead
pouring investment into trying to quickly detect attacks,
and defining incident response plans rather than trying to
stop them. Why? Because legacy security offerings consist



• blocking the different techniques attackers
might use to evade detection and establish
command-and-control channels

• preventing installation of malware—
including unknown and polymorphic

• blocking the different techniques that
attackers must follow in order to exploit
a software vulnerability

• closely monitoring and controlling data
traffic within the organization to protect
against the unabated lateral movement
when legitimate identities are hijacked.

■ Cyberattack lifecycle
Despite the headlines, successful cyberattacks
are not inevitable, nor do they happen
by magic. Often it is a ‘window’ that is left
open or a ‘bag’ that is not screened that lets
an attacker slip into a network undetected.
After they are inside a network, attackers
will sit and wait, patiently planning their
next move, until they are sure they can
reach their objective. Much like a game of
chess, it is only at the end of a long and
logical series of steps that they will try to
act. Knowing the playbook of a cyberattack
can help us disrupt and prevent not just
well-understood attacks but also highly
sophisticated new attacks used by advanced

Despite different tools, tactics, and procedures
used by an attacker, there are certain
high-level steps in the attack lifecycle
that most cyberattacks have in common.
Traditional approaches to security focus on
installing a feature to disrupt only one point
along this lifecycle. This approach often
comes from the fact that different parts of an
IT security team have different objectives:
network administrators care about connectivity
and the firewall, info security analysts
care about analytics, and so forth. They
seldom have to really work together in a
coordinated manner because this approach
was previously useful at stopping low-level
threats that involved opportunistic targeting,
such as the infamous email scam from a
foreign prince needing to transfer $1 million
to the U.S.

of a set of highly disjointed technologies that
only allow detection of attacks once they are
already on the network or endpoint.

Organizations cannot hire their way out
of this problem by throwing more people at
navigating a legacy architecture or making
up for the inherent gaps between the siloed
technologies. Instead, organizations should
be considering next-generation technology
that natively integrates security to deliver
automated results, preventing attackers
from achieving their ultimate objectives.
Given the sheer volume and complexity of
threats, it’s important to use automation to
accelerate detection and prevention without
the reliance on a security middleman.

Despite the growing cybersecurity challenge
we are all facing, we cannot give up on
our digital infrastructure. Customers are
becoming more and more reliant on the
Internet and our networks to do business
and access commercial services. They use
these systems because of the trust they place
in them. This trust underpins everything
they do online and extends to an organization’s
brand and place in the market. Legacy
security approaches that focus only on detection
and remediation, or rely on a series
of disjointed tools, abandon this trust and
can introduce significant risk by failing to
consider how to prevent cyberattacks in the
first place.

A new approach is needed in order to
prevent modern cyberattacks. This new
approach must account for the realities that
today’s attacks are not only multidimensional
in nature but also use an increasingly sophisticated
set of techniques that are constantly in
a state of change. As these techniques evolve,
the risk of breach increases, and, as we all
know, an organization is only as strong as its
weakest entry point. Therefore, an effective
strategy must work to disrupt an attack at
multiple points, including:

• developing a Zero Trust security posture
that focuses on only allowing legitimate
users and applications, as opposed to
trying to block everyone and everything
that is bad



intellectual property and financial information,
disrupt digital systems, or cause embarrassment.
It is against these patient and
persistent advanced adversaries that traditional
single-point approaches fail. However,
by targeting every step of an attacker’s playbook,
it is possible to architect a solution that
offers much greater odds at stopping the
attacks before they can reach their objective.
At the very least, putting preventative measures
in place that take the complete lifecycle
into consideration will raise the cost for the
attacker, potentially forcing him to look elsewhere
for an easier victim. Let’s take a look
at the steps an attacker goes through to get
into and out of a network.

However, today’s attacks have become
more and more sophisticated as advanced
tools have proliferated and as effective attack
strategies have been developed and shared
among criminal and nation-state adversaries.
These attacks are often called advanced persistent
threats (APTs), so named because they
use advanced tools and persistently target an
organization again and again until they get
in. They are patient and stealthy, preferring
to forego a quick boom and bust for a longer
payoff of high-value information.

While APTs used to be the domain of
nation-state espionage, today organizations
large and small face these high-level threats
from actors seeking to steal sensitive

Advice along the cyberattack lifecycle
Reconnaissance. Just like burglars and thieves, advanced attackers carefully plan their attacks.
They research, identify, and select targets, oftentimes using phishing tactics or extracting
public information from an employee’s public online profile or from corporate websites.
These criminals also scan for network vulnerabilities and services or applications they can

• Even job websites can be a gold mine of information. If you are looking to hire a new
engineer who is familiar with a certain security product, an attacker can deduce what
you are using to protect your network and will know where common gaps are in your

• You can’t stop all reconnaissance activity, but you certainly shouldn’t make it any
easier for the attacker! People and processes are just as important to security as
technology. Good training and strong security practices will help limit reconnaissance
and harden your security profile. You should be aware of what your adversary can
learn from your corporate website and ensure that members of your organization with
high-level access receive training to be security conscious.

• Finally, there are many services that offer advanced ‘red-team’ exercises to help you
identify weaknesses in your security posture. These simple steps can also put in place
policy ‘trip wires’ that can alert you to unusual activity that may indicate an advanced
actor is interested in you.

Weaponization and delivery. As we move to the next stage of the cyberattack lifecycle,
technology becomes even more critical to preventing advanced threats. The hacker must choose
his method for gaining access onto your network. This access can be digital, or even physical,
but is primarily intended to gain a foothold from which to plan the assault and achieve the
attacker’s objectives.
Spear phishing

• With the information gained from their reconnaissance, the attackers have to determine
which methods they must use to penetrate your network. They often choose to embed
intruder code within seemingly innocuous files like a PDF document or email message.
They may also seek to use highly targeted attacks to catch specific interests of an

• Spear phishing is by far the most commonly used tactic because it’s simple and
effective. An attacker will use information gathered during the reconnaissance phase
to craft an email with a malicious attachment for a specific user he believes has access
to sensitive credentials or information.

• Many organizations have begun training their employees to spot these attacks by
sending test emails that can track who opens them. Over time they can see which
departments continually fall for these attacks and target training there.

• However, we are all conditioned to read emails and open attachments if they seem
relevant to our positions. Even with the best training, a well-crafted spear phishing
email that appears to come from a family member, friend, or boss can trick the
most seasoned security veteran. It’s vital to ensure that you have technical security
measures as well to mitigate any malicious malware that might ride email into your

Watering hole
• Another approach to gaining access is known as watering hole attacks. In this
method the attacker will set up a fake website that downloads malicious code to
any visitor, then direct their victims to it. When a user visits the website, a software
exploitation kit installs malware on the victim’s computer, which then reports
back to the attacker so he knows who he’s infected and can access their system to
steal data.

• Watering hole attacks are harder to pull off because they require compromising a
separate web server, but they can be very effective if a company is watching for
malicious files in email. Traditional security products do not always prevent their
users from visiting malicious websites. However, advanced approaches will filter
known malicious addresses to keep users from becoming victims of a ‘drive-by
Exploitation. Once attackers gain access ‘inside’ an organization, they can activate attack
code on the victim’s computer (also known as a ‘host’) and ultimately take full control.

• To gain full control over a victim, specialized programs exploit vulnerabilities in
existing software to install themselves as legitimate users. Vulnerabilities are usually
old bugs that were not caught during the original writing of the code. Sometimes they
are known bugs that have not been repaired, or ‘patched’; sometimes they are as of
yet unknown to anyone except the attacker. These unknown vulnerabilities are called
zero-days because they are not found by the victim until the first day he realizes he has
been penetrated by an attacker.

• As noted earlier, zero-days are the most nefarious of threats. Luckily, true zero-
days are also the most rare. When they are used, however, it generally means that
no one else is protected from them. Because no one is patched for it, if an attacker
moves quickly, he can take advantage of the same vulnerability on many, many

• If you can’t catch an unknown threat, you can at least prevent an attacker from
using that vulnerability to cause damage. Because attackers have similar goals, such
as stealing or damaging important files, there are only so many techniques they
can use after they have penetrated a system to achieve their end goals. Advanced
security software will hunt for malware that uses zero-days by searching for and
stopping common techniques attackers use after they have gained access to your
• Common vulnerabilities are being found and fixed every day. Your organization
should also have a process in place to regularly update and patch all your software
and hardware. However, sometimes these new versions and updates can cause
existing systems to malfunction. This will often leave IT teams hesitant to update
systems until a new patch can be tested and can cause delays that leave you with
vulnerabilities known to the entire world. While you should always lean toward
patching and updating as soon as possible, the balance of security and operability
must be viewed through your own business risk management practices.

Installation. As a first order of business, advanced attackers will seek to establish themselves
as securely and quietly as possible across your network.

• They do this by taking advantage of the trust of the digital systems they are working
in. Often an attacker will make himself an administrator on a computer and then try
to infect other users in order to steal their digital identities. He will play this game
of laterally escalating access privileges to gain a higher and higher level of control of
your systems. Along the way the attacker will also open backdoors that allow him to
connect back into your network even if he is eventually caught and shut out. This is
why it can be especially difficult to fully remove an advanced actor from a network.

• It seems strange, but many of the tools attackers use can be found freely online or for sale
on the Internet. Tools are viewed just like a hammer and nails, where on the one hand
security professionals use them to test systems and build stronger security, but on the
other hand they can be used as weapons. These ‘off-the-shelf’ security tools, while highly
capable, can often be found by traditional security methods such as antivirus software.

• However, more advanced actors will build their own custom tools, such as remote
access tools (RATs), that are undetectable by antivirus software. In fact, some tools
commonly shut off antivirus software as one of the first steps of installation. These
tools require a larger investment from the attacker and will primarily be designed to
gain a foothold as a seemingly legitimate user on the network. From there the attacker
can act like a normal employee and use authorized applications such as file-sharing
software or internal email to cause mischief.

Command and control. Gaining a foothold in a network is of no use to attackers if they can’t
control their attack.

• An advanced actor knows that he is likely to be discovered at some point and must be
ready to improvise by hiding and running from security teams or software. To do this,
an attacker establishes a command-and-control channel back through the Internet to a
specific server so he can communicate and pass data back and forth between infected
devices and his server.

• The most commonly used channel for attackers to communicate to their tools is
through regular Internet traffic (using hypertext transfer protocol, or HTTP). Usually
their communications will pass through defenses of traditional security tools as they
blend in with the large volume of traffic from legitimate users.

• The attacker’s tools will periodically phone home, typically referred to as beaconing,
to obtain the next set of commands. Beacons can also contain reconnaissance
information from the compromised target, such as the operating system configuration,
software versions, and the identity of users who are logged on to the network. In
very complicated networks, this information can allow an attacker to quietly burrow
deeper and deeper. Clever malware also moves beyond simple requests for command
and control and tries to emulate human behavior by using email or social networking
applications to receive its attacker commands.


• If you treat your network with zero trust, as though it might already be breached, you
can start to lock down unnecessary pathways for attackers to communicate and move
around. Segmenting networks and building internal controls on applications can act
like a firebreak, keeping an attacker from spreading to other parts of your network.
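
The beaconing described in the command-and-control bullets above blends into ordinary HTTP traffic by volume, but its timing is far more regular than human browsing. The following Python sketch is an added example, not part of the original chapter; the log format, host names, allow-list and thresholds are constructed assumptions.

```python
"""Flag beacon-like HTTP traffic in proxy logs by how regular its timing is."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "src dst count mean_interval cv")


def build_sample_log():
    """Constructed sample data (not real traffic): four source/destination pairs."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    rows = []

    def emit(src, dst, gaps, size):
        t = start
        for gap in gaps:
            t += timedelta(seconds=gap)
            rows.append((t, src, dst, size))

    human = [2, 5, 9, 30, 120, 400, 900]   # irregular gaps of a person browsing
    jitter = [-10, 4, 7, -3, 0, 9, -6]     # small timer jitter around 300 s
    emit("ws-014", "news.example.com", [human[i % 7] for i in range(40)], 48211)
    emit("ws-022", "cdn-sync.example.net", [300 + jitter[i % 7] for i in range(40)], 412)
    emit("ws-014", "updates.example.org", [3600] * 8, 1290)  # legitimate hourly updater
    emit("ws-031", "api.example.com", [60] * 3, 850)         # regular, but too few events
    rows.sort()
    return [f"{t.isoformat()} {src} GET http://{dst}/ 200 {size}"
            for t, src, dst, size in rows]


def parse_line(line):
    """Assumed format: ISO-timestamp source-host method URL status bytes."""
    ts, src, _method, url, _status, _size = line.split()
    return datetime.fromisoformat(ts), src, urlsplit(url).hostname


def find_beacons(lines, min_events=6, max_cv=0.1, known_periodic=frozenset()):
    """Return pairs whose request intervals are nearly constant.

    cv is the coefficient of variation (standard deviation / mean) of the gaps
    between consecutive requests. Human traffic is bursty (cv near or above 1);
    a timer-driven implant with light jitter stays close to 0. Destinations in
    known_periodic (approved updaters, monitoring agents) are skipped so that
    expected polling does not bury the unexplained kind.
    """
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        seen[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in seen.items():
        if dst in known_periodic or len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append(Finding(src, dst, len(stamps), avg, cv))
    return sorted(findings, key=lambda f: f.cv)


if __name__ == "__main__":
    for f in find_beacons(build_sample_log(), known_periodic={"updates.example.org"}):
        print(f"{f.src} -> {f.dst}: {f.count} requests, "
              f"every ~{f.mean_interval:.0f}s, cv={f.cv:.3f}")
```

Timing regularity alone does not prove compromise; it gives analysts a short list of unexplained periodic destinations to check against approved software.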

Actions on the objective. Attackers may have many different motivations for breaching your
network, and it’s not always for profit. Their reasons could be data exfiltration, defacement
of web property, or even destruction of critical infrastructure.

• The most common goals of attackers often involve finding and exfiltrating your data
without getting caught. During this late stage, the work is usually done by an active
person issuing commands to his tools on your network. He has a goal and a script that
is followed in a complex process that may last days, weeks, or months, but ends with
all your sensitive data slipping through a backdoor in your network.

• This is one of the most difficult steps to stop, as an active person can improvise and
adapt to your security response efforts. While it may seem counterintuitive, it’s
important to respond with patience when trying to stop an active intruder. A common
tactic of advanced attackers when they are caught is to ‘smash and grab’; this means
they will forget about remaining quiet and do whatever they can to achieve their
objectives, potentially damaging your systems in the process. They can also choose
to slip deeper into your systems, burrowing in and waiting to reuse one of their
backdoors to gain entry after you believe you have patched all your vulnerabilities.
For these reasons, it is critical to have a response plan in place ahead of time so that
the adversary doesn’t detect signs of panic and get tipped off. If you can discover
the attacker before he realizes he is caught, you can work to clean up his tools, while
closing doors and windows he may have used to get in.

• A strong response plan will also help you prepare in advance for any mitigation efforts
needed, including the vital step of external relations if it becomes public that you have
had an incident. Depending on the data that was accessed or stolen, you may have
regulatory or legal reporting requirements that you will need to be prepared to deal
with. Even if the attacker is not successful at actually taking data, these requirements
may still be in place as in many cases you may not be able to determine if data was
stolen, exposed, or remained untouched.

Trying to stop an advanced adversary at
only one point in this lifecycle is an exercise
in futility. Just like a network has vulnerabilities
and weaknesses, so too does the attacker.
He will reuse tactics, techniques, and procedures
on multiple victims, establishing patterns
that can be recognized, studied, and
exploited. But to gain this leverage, a new
approach to security is needed.

■ Why legacy approaches fail
Most security architectures today resemble a
set of siloed organizations, processes, and
technical infrastructure. They have largely

been assembled like a manufacturing production
line, where a series of security events
roll down a conveyor belt of individual
point products, while different staff members
perform their individual duties. This
has been the traditional approach to security,
and historically we’ve been able to use it to
fend off low-level threats. However, these
architectures are beginning to show their
weaknesses as attackers have learned to slip
between silos. Today we see how costly legacy
systems can be both in their inability to
prevent targeted attacks and in their unnecessary
expense to the organization.



This essentially allows adversaries to distribute
malware and steal intellectual property
through basic applications into which they
have little or no visibility. We must break
away from the traditional approach to security
that has proven ineffective at stopping
advanced attacks time and time again.

Over the last several years in particular,
there has been a dramatic evolution in both
the attackers and the techniques they use. By
many estimates cybercrime is now a nearly
half-trillion-dollar industry, and like any
industry, opportunity fuels more investment
and innovation. The best way to get an
industry to collapse in on itself is to take
away that potential for profit. Therefore, we
must make it so unbelievably hard for cyber
criminals to achieve their objectives that
their only option is to invest more and more
resources to stage a successful attack, to the
point that it becomes unprofitable.

One of the primary strategic failures of
traditional security architectures is their
reactive approach. Following the assembly-
line model, security teams work to read data
logs about events that happened to their
network in the past. Since most of these
teams operate in a siloed manner, these log
files are routinely examined in isolation from
other critical teams and thus lack important
context that can be used to quickly detect
and prevent an attack. Relying on a human
in the middle of a network’s defenses is too
slow to be effective against advanced, automated
hacking tools and creative attackers.

A secondary strategic failure is a lack of
attention toward ‘proactive prevention.’
Organizations often don’t do enough to
reduce their attack surface, allowing certain
classes of applications that are unnecessary
for their business and leaving doors open on
their network by using port-based policies.

Tenets of a traditional security architecture
Limited visibility. You can’t secure what you can’t see. Traditional sensors only seek out what
they know to be bad, rather than inspect all traffic to only allow what is good. Your security
architecture must eliminate blind spots by having the ability to see all applications, users,
and content across all ports and protocols (the doors and windows of your network) even
if they are encrypted. It must also have the ability to see and prevent new, targeted attacks
that are utilizing threats that have never been seen before, such as malware and zero-day
vulnerability exploits.
Lacking correlation. If attacks are multidimensional, your defense must be as well. Today’s
attackers shift techniques while they are working their way into a network in order to step
over traps laid by them for traditional defenses. In order to find the clues they leave behind,
your architecture must act like a system of systems where individual technologies work in
concert to identify and then automatically prevent attacks. Correlating sensors and protection
makes each element within the system smarter. For example, if a thief has hit multiple
houses using the same techniques, you will need to adjust your burglar alarm for those
techniques. In cyberspace, however, this process can be automated to increase the speed of
detection and prevention.
Manual response. With attacks evolving at a rapid pace, it’s critical that we wean ourselves
from relying on the ‘man in the middle.’ Systems focused on detection often throw up
mountains of alerts and warnings for low-threat items, overwhelming your IT security team.
An advanced security architecture must employ a system of automation that’s constantly
learning and applying new defenses without a requirement for any manual intervention. It
must weed out the congestion automatically, handling 99 percent of low-level threats so you
can focus your team’s attention on the 1 percent of the highest priority incidents.



enabler. By preventing damage to networks
and theft of sensitive information, vital IT
resources, people, and time are freed up to
tackle core business functions. In order to
shift from a ‘detect and remediate’ stature
to preventing attacks, business leaders need
to consider three cybersecurity imperatives:

1. Process: organize to reduce your attack

• Modern networks can be a rat’s nest
of systems and users cobbled together
from mergers, legacy architectures,
and prior acquisitions. This confusion
leaves many points of entry for
attackers to slip in unnoticed and
reside on your network for months
or even years. A critical step to
preventing advanced cyberattacks is
to know your network better than the
attacker does. To do this you must
work at simplifying your architecture
down to manageable pieces that can
be controlled, watched, and defended.

• A key step in reducing your attack
surface is to only allow network
traffic and communications that are
required to operate your business by
utilizing technology that understands
the applications, users, and content
transiting your network. This seems to
be common sense that any unknown
traffic could also be hiding malicious
activity, but often when organizations
take a deep look at their traffic, they
find high-risk applications that they
had no idea were running on their
network. Legacy approaches often only
search to block what is bad, rather
than allowing only what is good. This
approach is also known as ‘white
listing’ and will immediately reduce
the scope of your security challenge by
eliminating opportunities for malware
to get into your network.

• Another step to reducing your attack
surface is to segment important
components of your networks, such
as data centers. As described earlier,
advanced actors often seek to break

Stopping today’s advanced threats lies in
turning the economics of our reality on its
head by preventing threats in multiple places
at each step of the cyberattack lifecycle. This
requires creating an architecture that can
detect attacks at every point around and
within a network, closing any gaps and preventing
them from successfully launching in
the first place.

■ Prevention architecture
No organization today is immune to cyberattacks.
Cyber criminals are ramping up
activity across the globe and utilizing new
methods to evade traditional security measures.
An effective security architecture must
not only prevent threats from entering and
damaging the network but also take full
advantage of knowledge about threats in
other security communities. Traditional
solutions typically focus on a single threat
vector across a specific section of the organization.
This lack of visibility is leaving
multiple areas vulnerable to attack. In addition,
these legacy solutions are made up of a
‘patchwork’ of point products that make it
very difficult to coordinate and share intelligence
among the various devices.

As a result, security teams are forced to
invest more and more time and money in
detection and remediation efforts, under the
assumption that prevention is a lost battle.
These efforts require a time-consuming
process of piecing together evidence from
different devices, combing through them to
discover unknown threats, and then manually
creating and deploying protections. By
the time this happens—often days or weeks
later—it’s too late because minutes or hours
are all an attacker needs to accomplish his or
her end goal. This Band-Aid approach
doesn’t fix the fundamental problem of
accounting for the new threat landscape.

While nothing will stop every attack,
designing a security architecture with a prevention
mindset (and following some of the
risk management best practices outlined in
our chapter, “The CEO’s guide to driving
better security by asking the right questions”)
can make cybersecurity a business



risk. However, by using an integrated
cybersecurity platform that protects
across your entire enterprise, your
defenses can work together to identify
and close gaps that would be exploited
by an attacker. Communication is key
to any strong defense. If your products
can’t share information on what they
are seeing, there is no chance to pick
up clues that might aid in preventing
an advanced attack.

• The next step is automating prevention
measures. Humans have proven time
and again that we are the weakest link
in security. Advanced actors are faster,
more persistent, and stealthier than
manual response efforts. It just takes
one overlooked log file or one missed
security alert to bring down an entire
organization. However, if you have an
integrated platform that communicates
visibility across your defenses, it can
also automatically act on new threats,
preventing what is malicious and
Indeterminate what is unknown.

• Integration should also enable your
organization’s agility and innovation.
Business doesn’t stop at the elevator,
as employees take laptops to work
from home or use their personal mobile
devices to access your corporate cloud
on the road. As your data moves to
enable your workforce, security should
go with it. Choose a platform compatible
with newer technologies such as mobile,
cloud, and network virtualization.

3. People: participate in a community that
shares cyberthreat information.

� End users cannot be relied upon to
identify every malicious URL or phishing
attack. Organizations must educate their
constituents about what they can do on
their part to stop cyberattacks. However,
beyond education, to protect against
today’s truly advanced cyberthreats,
we must utilize the global community
to combine threat intelligence from a
variety of sources to help ‘connect the
dots.’ Real-time, global intelligence feeds
help security teams keep pace with

into a less secure part of the network
and then move laterally into more
sensitive areas. By segmenting the
most vital parts of a network from
email or customer-facing systems, you
will be building in fi rebreaks that can
prevent the spread of a breach.

� You also can’t neglect to secure the
endpoint or individual user. This is
the fi nal battlefi eld. Originally, anti-
virus software contained signatures for
malicious software and could, thus, catch
most major infections from common
threats because it knew what to look for.
However, as we learned earlier, today’s
attacks can include unknown malware
or exploits that are essentially invisible
to antivirus software. This has led to a
massive decline in the effectiveness of
traditional antivirus products and a rise
in a new way of thinking about endpoint
protection. Rather than looking for
something that can’t be seen, you can
reduce the endpoint attack surface by
preventing the type of actions taken by
exploits and malware. Stopping the type
of malicious activity associated with
an attack is much more effective than
hunting for an attack that, by nature, is
stealthy and hidden.

• Finally, it seems simplistic, but as you
make investments to re-architect your
network and reduce your attack surface,
you have to use all those investments to
their fullest. Purchasing next-generation
technology is useless if you don’t
turn it on and configure it properly.
Establishing a process for staying up to
date on your security investments is one
of the most critical habits to form.

2. Technology: integrate and automate
controls to disrupt the cyberattack lifecycle.

• Don’t use yesterday’s technology
to address today’s and tomorrow’s
security challenges. As noted earlier,
legacy security approaches offer
individual products to be bolted on
for single-feature solutions. This leaves
gaps that can be broken by new methods
of attack, leaving your organization at



regulatory requirements or mandatory
certifications. IT security personnel are often drafted
from projects that support core business opera-
tions to work in the ‘dark corners’ of network
security with a gloomy future of scanning
thousands of false alarms, updating old soft-
ware, and, of course, getting blamed for the
inevitable cyber incidents that are usually
caused by larger organizational problems. This
sad tale is a reality for a shocking number of
organizations; it not only guarantees failure, it
ensures lost opportunity for innovation that
comes from having a strong security posture.

Adopting a prevention philosophy helps
create strategies for better security and
maximizes the value of an organization’s
actions and resources. Viewing cybersecu-
rity as a business enabler helps drive appro-
priate resource allocation by returning
value to the business based on new oppor-
tunities that would not have been available
without the level of trust afforded by a
prevention architecture.

Take the case of the IT security team.
When an organization decides to take their
security more seriously, usually after a cyber
incident, one of the first things they do is
dump more people into IT security positions.
While trained security experts are a boon for
any organization, the architecture they are
working in can have them needlessly chasing
cycles of work, wasting budget by hunting
for cyber needles in digital haystacks of
alarms, and manually remediating countless
vulnerabilities. Employing a prevention
architecture that automates protection capa-
bilities and shares threat intelligence using an
integrated platform means that security
teams can operate much more efficiently and
effectively. Their time is an organization’s
money, and it’s imperative to ensure that
personnel working on core IT functions that
keep business operations running are not
being wasted on outdated security practices.

Strong cybersecurity can also open new
opportunities by making organizations
more flexible and resilient. Today’s workforce
is constantly connected to the Internet
at home, on the road, and at their desk.
Users move between applications and

threat actors and easily identify new
security events.

• As attackers move from target to target,
they leave digital fingerprints in the
form of their tactics, techniques, and
procedures. By analyzing this evidence
and then sharing it, threat intelligence
from other organizations can quickly
inoculate you from new attacks as
bad guys seek to move between
organizations and even industries.
Combined with an integrated platform
that can act automatically on this
intelligence, you can rapidly distribute
warnings and make it impossible for
attackers to strike twice. The network
effect from vendors with large
customer bases is extremely powerful
as it builds a security ecosystem, which
can organically respond to new threats.

• Many organizations are even coming
together to share threats as an entire
sector. Recent policy from the U.S.
Government has made it easier to
collaborate and share cyberthreat
information between companies and
work together to identify and stop
advanced cyber actors.

The most significant way to fill in all the
gaps and truly protect an organization from
advanced and targeted threats is to imple-
ment an integrated and extensible security
platform that can prevent even the most
challenging unknown threats across the
entire attack lifecycle. An IT architecture
must remain secure while also providing
business flexibility and enabling applications
needed to run day-to-day operations.
Stopping even the most advanced attacks is
possible, but we have to begin with a pre-
vention mindset.

■ Conclusion: Cybersecurity as a business

Traditionally, IT security has been seen by
most organizations as a cost center, requiring
continued expenses but not bringing in any
revenue. The attention and resources devoted
to it are often the bare minimum to meet



If organizations continue to view investments
in cybersecurity simply as cost centers to be
solved by bolting on legacy technology, we
will all continue to suffer the consequences.
Our most valuable data and the keys to vital
pieces of infrastructure will walk out the door
in the hands of cyber criminals, while the
trust we have built between our customers
and our systems continues to degrade. This
will happen time and time again until we are
forced to change and narrow the way we use
digital systems in our everyday lives. This
must not become the reality for the entire
community that receives such unimaginable
benefits from the Internet. By adopting a prevention
mindset it is possible to change the
status quo and take back the control and trust
in systems that enable critical business opera-
tions. Planning for disaster is always a smart
move, but preparing for failure will accom-
plish just that.

devices seamlessly and expect that their
actions will translate between these differ-
ent environments. However, this tradition-
ally has not been the case. Threats from
third-party applications, unsecured cloud
environments, and infected personal mobile
devices have become so prevalent that many
traditional security products will either
block them completely or just assume that
they cannot be protected. This old way of
doing business doesn’t match the reality of
today’s workers, who are expected to be
more agile and mobile than ever before.
Architecting a network to wrap these devic-
es and third-party services into an existing
security platform ensures that data will
remain secure as workers go out to meet
with customers in the field and expand business
beyond its office walls.

The security field is stuck today with few
answers to increasingly challenging problems.

Cybersecurity glossary
Advanced persistent threat (APT): An adversary that possesses sophisticated levels of expertise and
significant resources that allow it to create opportunities to achieve its objectives by using multiple
attack vectors (e.g., cyber, physical, and deception).

Attack surface: An information system’s characteristics that permit an adversary to probe,
attack, or maintain presence in the information system.

Antivirus software: A program that monitors a computer or network to detect or identify
major types of malicious code and to prevent or contain malware incidents, sometimes
by removing or neutralizing the malicious code.

Command-and-control channel: Data link for an attacker to communicate with his malicious
software installed on a victim’s system.

Data exfiltration: After an attacker has found sensitive data that he is targeting, he will attempt
to package this data and remove it silently from a victim’s system.

Endpoint: Specific parts of an IT infrastructure that users interact with directly, such as workstations
or mobile devices.

Exploit: A technique to breach the security of a network or information system in violation
of security policy.

Hypertext transfer protocol (HTTP): Technical rules for transferring data over the Internet. Web
browsers use HTTP, and the encrypted variant HTTPS, to allow users to interact directly
with websites in a secure manner.

Malware: Software that compromises the operation of a system by performing an unauthorized
function or process.

Network: Joined pieces of an IT infrastructure that transfer and route data to and from endpoints
and other networks.

Polymorphic malware: Malicious software that is designed to continuously change its appear-
ance, allowing it to evade legacy security detection technology such as antivirus software.



Port-based security: Stateful inspection firewalls block any Internet traffic coming into or out
of a network on a specific line of communication, called a port. However, modern applications
use different ports, and malicious software can change the port it uses.

Remote access tools (RATs): Malicious software that allows an attacker to control a system
where he is not physically present. These functions in IT systems also exist for legitimate
uses, such as support functions.

Zero-day: A software vulnerability that is unknown to the public but is used by an attacker to
gain access and control of a network or system.

Cybersecurity beyond
your network


Booz Allen Hamilton – Bill Stewart, Executive
Vice President; Tony Gaidhane, Senior
Associate; and Laura Eise, Lead Associate

Supply chain as an attack chain

The supply chain ecosystem reaches farther and wider than
ever before. The growing range of suppliers provides significant
competitive advantages for companies that strategically
and securely source from this global network. Yet
this complex footprint comes with an equally complex
range of cyberthreats, and the majority of organizations do
not realize the breadth and depth of these challenges.
However, hackers are well aware of existing supply chain
vulnerabilities and are moving aggressively to take advan-
tage of these exposures.

Threat actors typically target organizations’ supply
chains through two vectors: the first type of attack is
known as “adversarial supply chain operations to,” or
“ASCO To,” and the second is known as “adversarial supply
chain operations through,” or “ASCO Through”
(Figure 1). In an ASCO To attack, your organization is
the direct target. In the latter, the adversary uses your
supply chain as a means to target one of your customers.
Although the intent is different, both have the potential
for devastating impact to your revenue, reputation, and
end consumer.

To compound this issue, today’s attackers are often
well funded and extremely organized. These attackers
have the resources, skills, and patience to conduct
sophisticated attacks on your supply chain. For exam-
ple, a supply chain cyber adversary may clandestinely
intercept delivery of your products and switch cyber
sensitive components with a malware-infused copycat.
These attacks are often so sophisticated that the end
users may not realize that they did not receive the origi-
nal version.

Nation-states, hacktivists, organized criminal groups,
and lone wolves are constantly scanning supply chains



Supply chain traditionally has been seen
as part of internal operations; it is some-
thing that happens behind the scenes for
your customers. In the past, customers did
not care where you made your products or
how you sourced them as long as you deliv-
ered them on time, at the appropriate cost,
and in good condition. However, this is all
changing. Companies and governments
around the world are realizing that the sup-
ply chain is an ideal way for attackers to
quietly infiltrate their networks and infect a
system well before customers place an order.
Companies, large and small, have to begin
looking at supply chain security as part of
their overall supply chain risk management

By prioritizing supply chain cybersecurity,
you are well on your way to tackling this
complex issue. You have an opportunity to
mitigate cyber risk and transform your sup-
ply chain risk management capability into
a competitive advantage to inform your
broader business.

■ Increasing expectations
The U.S. government has been a force for driv-
ing higher-level visibility and controls across
the supply chain. As the future progresses,

for weak points, and the impact of this atten-
tion has the potential to reverberate well
beyond your supply chain. You inherit the
risks of your suppliers. If one of your suppli-
ers lacks security controls, you may absorb
their vulnerabilities. This is particularly true
if you do not comprehensively test their
components during your acceptance pro-
cess; once you accept their product, you
accept the risks of being attacked or passing
along an attack to your customers. In the
event that a cyberattack occurs, you own the
impacts as well. This includes brand dam-
age, operational stoppage, legal exposure,
canceled sales, and government sanctions.

■ Dangerous combination of hidden risks and
higher expectations

Tackling cybersecurity risk in supply chain
may feel like you are trapped between a vir-
tual rock and a hard place. As companies
drive to increase supply chain flexibility at
the lowest overall cost, sourcing decisions
expose them to the vulnerabilities of suppli-
ers and all of their successive networks of
suppliers. This ever-evolving cybersecurity
threat in the multi-layered supply chain pre-
sents a number of challenges when manag-
ing cybersecurity. See Figure 2.


Figure 1: Attack methods on the supply chain

• Nation-State
• Competitors (esp.
• Criminals
• Hacktivists

ASCO Through
Customer Operations

Example Methods:
• Interdiction/Compromise
• Theft/Re-route
• Break/Fix subversion

Example Methods:
• Malware shotgun infection
• Malicious component insertion
• Repair part compromise
• Trojan insertion/Design to fail
• Fraud

Potential Effects:
• Halt or slow production
• Prevent sustainment operations
• Loss of intellectual property

Potential Effects:
• National security risk
• Customer compromise
• Impaired customer operations
• Brand/Legal/Market impact
• Loss of customer intellectual property

Lifecycle Process: Source, Build, Disposal, Fulfillment, Distribution


and your customers that you have a strong
supply chain cybersecurity capability.

It is not just the U.S. federal government
that is raising the stakes. Many clients also
are demanding to know more about the
supply chain. Private sector clients are real-
izing that securing high assurance services
on an untrusted hardware platform is the
same as building a fort on a foundation of
shifting sand. They want to know the depth
of visibility into the components and ser-
vices of products, and they want to be reas-
sured that there are controls in place to
manage a robust supply chain cybersecurity
program. As with the government, many of
these requests and requirements are at an

insurance companies will be an even larger
driver for increasing supply chain standards.
Business continuity policies are in place to
address threats that disrupt the supply chain.
Companies with weak supply chain cybersecurity
policies and procedures could find
their insurers raising their premiums or
excluding claims in case of a breach. The next
wave of standards could take shape with
requiring you to maintain a list of all cyber
sensitive supply chain components as well as
develop comprehensive risk frameworks to
classify, prioritize, and proactively manage
the sourcing of each of those components.
You need to proactively get ahead of these
standards. Prove to the government, insurers,

Figure 2: Cybersecurity challenges in the supply chain

• Lack of Visibility: Limited visibility across the supply chain regarding exposure and controls
• External Dependencies: Companies cannot ensure part integrity on their own—they will need participation
from suppliers and other business partners.
• Dynamic Threat: The evolving capabilities of well-resourced and determined adversaries means
that “point in time” solutions are insufficient.
• Cross-Functional Challenge: Requires change and collaboration from various internal business functions
to collectively manage cyber risk throughout the supply chain
• Decision Making: Increased information requires new strategic and tactical decision-making
processes.


could necessitate that your approach be different
than that of a competitor. Using a
maturity model also allows you to answer
the questions that are not yet asked by compliance
while aligning your supply chain to
your business strategy. It allows you to focus
on increasing your overall security and to
stay ahead of the curve.

■ Where do I start?
Developing a robust supply chain cyberse-
curity program is complex, but that doesn’t
mean your approach has to be. It requires a
risk-based prioritization approach to changes
in policy, supplier contracts, resource alloca-
tion, and investment. Most companies do not
have the appetite or the budget for wholesale,
drastic changes. If you are like most organiza-
tions, you face the dilemma of not knowing
where to begin.

So the best place to start is to get your
arms around what has to be done.

1. Conduct a maturity assessment and build
a roadmap.
Your organization needs a plan for the path
forward in securing your supply chain. Before
you transition to developing a roadmap, you
must begin with a maturity assessment.
Supply chain cybersecurity program maturity
assessments are simply gap analyses between
how well your program operates today com-
pared with how it should operate in a target
state. To evaluate this, you must identify the
key controls that apply to supply chain risk
management—either controls you already use
as part of your corporate cybersecurity pro-
gram or controls that may be more unique to
supply chain. Even if you use existing con-
trols, you should modify them to apply to your
supply chain operations.

all-time high and will become more sophis-
ticated and comprehensive only during the
next several years. If you are their supplier,
they know that you are only as trustworthy
as your supply chain.

■ How to create both a secure and compliant

Complying with standards and guidelines is
not enough for securing all of the factors you
need to comprehensively increase your secu-
rity posture. Although standards strive to
create consistency among cybersecurity pro-
grams, the fundamental truth is that there is
no formula for security. Standards and
frameworks can help identify the landscape
of potential areas to address and may let you
set a minimum level of performance, but
that’s it. You must move beyond merely
striving to be compliant rather than noncom-
pliant. Supply chain cybersecurity is more
than an IT problem. If not used in the appro-
priate context, standards can be a generic
solution to a highly individualized problem
set. Supply chain risk is tied intimately to
your business strategy and operations, and it
must be tailored to your organization.

Rather than focusing on a standard, look at
your program with a maturity lens. Understand
the various degrees of risk you face. Then,
within a well-established structure, decide
where you need to invest and develop. It is
up to you to prioritize the control areas to
address. Focus on your current maturity in
those areas and what you must do to increase
your maturity. Focusing on your maturity
provides you with an opportunity to identify
where your program stands today, where it
must be in the future, and how to get there. A
maturity approach is not “one size fits all.”
Special considerations for your organization

Maturity Assessment Tip
The set of controls you select for your maturity assessment should incorporate the compli-
ance standards that customers might use as part of their Request for Proposal requirements
(e.g., NIST SP 800-161). You likely will cover more controls than these standards, but map-
ping them will allow you to kill two birds with one stone.



3. Decompose your key product lines.
To assess the visibility, control, and risks in your
supply chain, select a few key product lines and
decompose them into their cyber sensitive com-
ponents. Then see how much information you
can collect on their manufacturing sources,
acceptance testing, suppliers, and intended customers.
You will likely find that your internal
systems and policies are prohibiting you from
this level of visibility; however, it is this level of
visibility that customers will be demanding in

physical deliveries of products, place malware in
cyber sensitive components, and allow the ship-
ments to continue to end customers. As you
identify risks for each phase, you have to assess
the likelihood and impact of each risk. This prior-
itized list becomes your risk agenda and helps
determine what to address first to enhance your
supply chain cybersecurity program.

Next, identify key objectives for each control
you plan to evaluate. Threat intelligence, for
example, may have data collection, analysis,
and distribution as key control objectives. For
each objective, define a scale as well as the key
characteristics for each step in that scale. Taking
the threat intelligence example, a low maturity
rating for data collection could be the ad hoc
collection of threat data via unstructured sources,
such as email. A higher maturity implementa-
tion of data collection would be a comprehensive
ingestion of multiple formal data feeds that can
be analyzed automatically and efficiently.

Next, conduct a baseline assessment of your
current state—an honest assessment, backed by
examples. This will help you surface risks asso-
ciated with each control. After the baseline,
define the target state for each control. The target
state should be a balance between high
effectiveness and practical costs, keeping in
mind that not all controls need the highest level
of maturity. Comparing the target state with the
baseline provides you the gap you need to

The outcome of your maturity assessment will
be a robust roadmap designed to transform your
supply chain cybersecurity program. This
equates to quick wins and key priorities for your
organization. It should also help address the key
requirements your customers demand.

2. Identify key risks throughout your supply
chain lifecycle.
Breaking down your supply chain lifecycle into
discrete phases can help you identify key risks for
each phase. Each phase presents its own vulner-
abilities and risks. For example, during the dis-
tribution phase, threat actors can intercept

Five Common Early Wins
Below are five common ways you can gain early traction with your supply chain cybersecurity program:

• Integrate/enhance component tracking
• Include cyber in your supply chain risk management framework
• Enhance acceptance testing
• Conduct supply chain vulnerability penetration testing
• Enhance monitoring of supplier network access points


advantage in the market. Understanding how
to identify risk and then effectively manage
those risks will allow you to be in greater
control of your supply chain. A robust supply
chain cyber risk management program will
allow you to close vulnerabilities, making
you less of a target for attackers while helping
you meet and even shape your customer
expectations. The trust in your brand and the
quality of your product depend on the
strength of your supply chain cybersecurity.

Creating the right balance of security
and resilience in your supply chain will
allow you to build a foundationally strong-
er supply chain cybersecurity program.
This not only will differentiate you from
your competitors but also will allow you to
better understand the opportunities and
advantages that are key to your success.

the future, if not already. Once you can obtain
this kind of visibility, you can then assess the
processes, controls, and risks associated with
those cyber sensitive components.

■ Supply chain cybersecurity as a differentiator
The risks and expectations of your supply
chain cybersecurity are increasing as threats
become more sophisticated and customers’
expectations rise. As you inherit the vulner-
abilities from your suppliers and the risks of
your customers, you have to be more aware
of how your supply chain can become an
attack chain. Compliance is not enough; you
must develop a robust maturity model to
help identify your vulnerabilities and devel-
op a roadmap to reduce your risks.

Companies that are able to effectively
manage their supply chain risks will have the


Covington & Burling LLP – David N. Fagan, Partner;
Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H.
Canter, Associate; and Patrick Redmon, Summer Associate

Managing risk associated
with third-party outsourcing

■ Third-party outsourcing and cybersecurity risk
Businesses increasingly work with third parties in ways
that can render otherwise well-guarded data vulnerable
to attack or accidental disclosure. These third parties can
include technology service providers; other major busi-
ness function vendors, such as payroll, insurance, and
benefits companies; and accounting and finance, advertising,
delivery and lettershop, legal, and other consulting

Many of these commercial relationships require sensitive
information—whether the business’ own confidential
business information or the personal information of its
employees or customers—to be shared with, or stored by,
the third parties. Such relationships also may entail third-
party access to a company’s networks. There is, in turn, an
inherent risk in the third-party services: they can create
new avenues of attack against a company’s data or its
systems and networks—and those avenues require appro-
priate mitigation.

Perhaps no data security breach highlighted this risk
more than the incident incurred by Target. That incident
began not with a direct attack on the Target network but
with a phishing attack on a Pennsylvania HVAC contrac-
tor that had access to Target’s external billing and project
management portals. The HVAC contractor depended on
a free version of consumer anti-malware software that
allegedly failed to provide real-time protection. Once the
phishing campaign succeeded in installing key-logging
malware, the hackers obtained the HVAC contractor’s
credentials to Target’s external billing and project management
systems and from there infiltrated Target’s internal
network, eventually reaching Target’s customer databases
and point-of-sale systems.



contractual provisions to manage third-
party risk, and, in some cases, to monitor
service providers on an ongoing basis
(e.g., 12 C.F.R. Pt. 225, App. F at III.D.

• the HIPAA Privacy Rule, requiring
specific contractual provisions in dealing
with business associates who handle
protected health information, 45 C.F.R.
§164.502(e) (2014)

• state regulations, such as the
Massachusetts Standards for the
Protection of Personal Information,
requiring reasonable steps in selecting
third parties and the use of contractual
provisions to require their compliance
with Massachusetts law, 201 Mass Code
Regs. 17.03(2)(f).

In addition, the Federal Trade Commission
has applied its authority under Section 5 of
the FTC Act, 15 U.S.C. §45 (governing unfair
acts and deceptive trade practices) to apply
to cybersecurity and data security, and has
taken action against companies that fail to
take “reasonable steps to select and retain
service providers capable of appropriately
safeguarding personal information” a de
facto regulatory requirement. See, for exam-
ple, GMR Transcription Servs., Inc., F.T.C.
Docket No. C–4482, File No. 122–3095, 2014
WL 4252393 (Aug. 14, 2014).

■ Sources of third-party cybersecurity risk
The cybersecurity and privacy risks gener-
ated by third-party engagements include the

• breaches of personal data—whether the
personal data of customers or employees—
and the attendant regulatory obligations
(e.g., notification requirements), as well as
legal liability, as in the Target breach

• breaches of a business’s proprietary data,
including the following:

• competitively sensitive data, privileged
information, attorney work product,
and trade secrets

• business partner data resulting in
obligations to notify business partners

The results of the Target breach are well
known: the personal information of up to
70 million customers was compromised, and
about 40 million customers had their credit
or debit card information stolen. By the end
of 2014, the costs to Target from the breach
had exceeded $150 million. These costs
include the litigation and settlement expens-
es resulting from lawsuits brought by con-
sumers and credit card issuers. Further, in the
quarter in which the data breach occurred,
Target’s year-over-year earnings plummeted
46 percent. Ultimately, in the aftermath of the
breach, Target’s CEO resigned.

The Target breach was not an isolated
incident. In 2014, a Ponemon Institute sur-
vey found that in 20 percent of data breach-
es, a failure to properly vet a third party
contributed to the breach. Even more trou-
bling, 40 percent of the respondents to
another Ponemon survey named third-party
access to or management of sensitive data as
one of the top two barriers to improving
cybersecurity. Further, the Ponemon
Institute’s 2015 U.S. Cost of Data Breach
Study reports that third-party involvement
in a data breach increased the per capita cost
of data breaches more than any other factor.
However, despite the cybersecurity risks
posed by third-party service providers,
many companies fail to systematically
address such risks. Only 52 percent of com-
panies surveyed in a 2014 Ponemon Institute
report have a program in place to systemati-
cally manage third-party cybersecurity risk.

■ Legal risks
Although there are many commercial and
other reasons to adopt strong third-party risk
management processes, a variety of legal
frameworks require the management of third-
party risk. Examples of such statutory or regu-
latory requirements include the following:

• the Interagency Guidelines Establishing
Information Security Standards that
implement Section 501 of the Gramm-Leach-Bliley
Act and require financial
institutions to engage in due diligence in
the selection of service providers, to use



the sophistication of the vendor and the
nature of the IT systems and data at issue.
Nonetheless, three elements are common to
all third-party risk management:

1. due diligence prior to entering an

2. contractual commitments and legal risk

3. ongoing monitoring and oversight.

■ Pre-engagement due diligence
A critical element of managing third-party
risk is the assessment of the third party’s
own security practices and posture before
any contract is signed. Such diligence is crucial
for the identification and evaluation of
risks, and, in turn, can ensure that such risks
are mitigated before the engagement,
including through the use of contractual
provisions. The actual evaluation may be
more ad hoc (i.e., conversations with key
business or technology stakeholders) or for-
mal (i.e., through a questionnaire or even
on-site assessment), and the extent of an
evaluation may depend on various factors
in the prospective relationship, including,
for example, whether the service provider
will have access to the company’s IT sys-
tems, the nature of the information that it
may access, and whether it will store such

Depending on the extent of the relation-
ship and information that may be accessed
by the vendor, the following areas of inquiry
may be necessary to inform a cybersecurity
diligence assessment:

• whether and how often the vendor
has experienced cybersecurity
incidents in the past, the severity of
those incidents, and the quality of the
vendor’s response

• whether the vendor maintains
cybersecurity policies, such as whether
the vendor has a written security policy
or plan

• organizational considerations, such as
whether the vendor maintains sufficient
and appropriately trained personnel to

as well as potential contractual liability
to them

• data that result in financial harm to
the company, such as bank account

• other confidential, market-moving
insider information in the hands
of third parties such as investment
bankers, consultants, and lawyers, such
as information regarding nonpublic
M&A activity, clinical trial results, or
regulatory approvals

• the introduction into internal networks
of viruses or other malicious code, as
in the Dairy Queen attack, in which
vendor credentials were used to
gain access to internal networks and
eventually install malware targeting
point-of-sale systems

• the introduction of other vulnerabilities
to IT systems, for instance, by the use
of vulnerable third-party applications
or code, as occurred in the Heartbleed
OpenSSL exploit that potentially
exposed the data transmitted to and
from secure web servers

• misuse and secondary use of company
data such as for direct marketing or data
mining for the benefit of the vendor

• “fourth-party” risk, that is, the
third-party cybersecurity risks introduced
by a vendor’s relationships with its
own third-party service providers and

• potential director or management liability
for breach of fiduciary duty in the exercise
of cybersecurity oversight.

To help manage this array of risks effectively,
companies may consider whether they have
appropriate procedures in place to evaluate
and monitor individual vendors, as well as a
program to manage and monitor third-party

■ Engagement-level management of third-party
cybersecurity risk

The appropriate measures needed to
scrutinize and monitor third-party service
providers will depend to a large extent upon



■ Contractual risk and negotiation
In addition to evaluating third parties on the
basis of their cybersecurity practices,
another important risk mitigation tool is the actual
contractual language. As with other areas,
contractual requirements can be an effective
way to allocate risk and responsibility for
potential breaches of cybersecurity,
including the investigation and remediation of
such incidents. Commonly negotiated terms
include the following:

• a requirement that the vendor have a
written information security program
that complies with applicable law or
other regulatory or industry standards

• limits and conditions on the use of
subcontractors and other third-party
service providers

• restrictions on secondary use of data,
including making clear that the customer
remains the owner of any data transmitted
to the vendor and any derivatives of that

• mandatory and timely notification in case
of a security incident

• rights to audit or otherwise monitor the
vendor’s compliance with the terms of
the contract

• in case of a breach, a requirement that the
vendor take on reasonable measures to
correct its security processes and take any
necessary remediation steps

• provisions ensuring an orderly transition
to in-house systems or another third
party in case of the termination of the

In addition to such terms, indemnification
clauses can be used to shift the risk of data
breach onto the third party and to
incentivize healthy security practices. To accompany
an indemnification clause, it sometimes can
be desirable to draft clauses that define
when the entity is or is not liable, on which
party the burden of proof falls, and how
root-cause analysis should be conducted. To
ensure capacity to take on the financial costs

protect the data and/or service at issue
and respond to incidents

• human resources practices, particularly
background screening of employees,
cybersecurity training, and the handling
of terminations

• access controls, particularly whether
controls are in place that restrict access
to information and uniquely identify
users such that access attempts can be
monitored and reviewed

• encryption practices, including whether
information is encrypted at rest, whether
information transmitted to or from
the vendor is properly encrypted, and
whether cryptographic keys are properly

• evaluation of in what country any data
will be stored

• the vendor’s policies regarding the
secondary use of customer data, and
whether IT systems are created in
such a way as to respect limitations on
secondary use

• physical security, including resilience
and disaster recovery functions and
the use of personnel and technology to
prevent unauthorized physical access to

• back-up and recovery practices

• change control management, including
protocols on the installation of and
execution of software

• system acquisition, development, and
maintenance to manage risk from software
development or the deployment of new
software or hardware

• risk management of the vendor’s own
third-party vendors

• incident response plans, including
whether evidence of an incident
is collected and retained so as to be
presentable to a court and whether the
vendor periodically tests its response

• whether the vendor conducts regular,
independent audits of its privacy and
information security practices



Although relatively uncommon outside
of certain regulated industries, such as the
financial and health-care industries,
provisions in vendor contracts for regular
security audits by an independent third party
provide a robust but intrusive form of
periodic monitoring. However, it is not
always possible to obtain audit rights from
a vendor. Alternatively, the vendor could
be required to provide up-to-date
certifications of compliance with industry
standards or regular, third-party audit reports.
In addition, to manage fourth-party risk,
vendors could be required to perform
initial and periodic assessments of their own
service providers and vendors if they will
be handling sensitive information. If, in
the course of an audit, vulnerabilities are
identified or practices are found that are
not in compliance with industry practices
or regulatory requirements, the vendor
may be required to notify the customer
and correct any outstanding issues in a
timely fashion.

As part of ongoing monitoring of vendor
cybersecurity, it is useful if the contract with
a third-party service provider also includes
notification and remediation provisions if
the vendor becomes aware of deficiencies in
its cybersecurity posture. In addition, as part
of the remedies, the outsourcing party may
seek the right to terminate the agreement
immediately and to receive a pro rata refund
of any fees paid or payable. In addition to
contractual provisions dealing with the
termination, contingency plans to facilitate an
orderly end to the third-party relationship
and a smooth transition to an in-house
solution or another third-party provider may
prove useful.

■ Conclusion
The measures described above—diligence,
contractual terms, and continued
monitoring and oversight—are critical elements of a
comprehensive cybersecurity program that
includes managing third-party relationships.
To effectuate these elements, in turn, it often

of a breach, third parties are frequently
required to obtain a cybersecurity insurance

From the business’s perspective, a
third-party vendor should be fully responsible for
any liability for data breaches that occur
while the data are under the vendor’s
control. However, vendors often push for caps
on their cybersecurity liability. To guide
negotiations as to appropriate caps on
liability, consider the type of data processed or
accessed by the third party (e.g., how
sensitive is it, does it relate to employees,
consumers, or is it not personally identifying
information), the volume of records to be
handled by the third party, the ability for the
customer to implement security controls
such as encryption, the nature and extent of
the third-party promises on cybersecurity,
and the brand and reputation of the third
party with respect to data security. Based on
those inputs, a company can then consider
the potential losses and sources of
third-party liability to evaluate what constitutes
an acceptable level of risk in terms of
exclusions for indemnifications and caps on
liability. A business also may consider offsetting
any contractual concessions with
corresponding increases in their own
cybersecurity insurance coverage.

■ Ongoing monitoring and oversight
Ongoing monitoring and oversight of
third-party service providers is essential given the
rapidly changing landscape of cybersecurity
threats. Whereas due diligence provides a
snapshot of a third party’s cybersecurity
stance at a specific point in time, continual
monitoring and the right to such monitoring
are necessary to help ensure that the third
party responds and adapts to secure its
systems against new threats. Over the life of the
relationship, periodic checks, including
on-site reviews of the vendor, can be important
oversight mechanisms. Other monitoring
requirements include access to timely and
accurate records and reports of the
third-party provider’s cybersecurity posture.



that scales due diligence, contractual
obligations, and oversight processes according to
the nature and extent of the cybersecurity
risks presented by the vendor relationship.
In all events, it is important that
organizations periodically review their processes for
evaluating and overseeing third-party
relationships to ensure that such processes are
periodically updated and appropriately
tailored to ad