The Importance of C-Suite and Boards Engaging in Third-Party Cyber Risk Management
Given how much businesses rely on data, cloud providers and other aspects of the digital world, cybersecurity should be a topic on every boardroom agenda today. The reality, however, is that most boards of directors and c-suites are comprised of individuals who have a lot of expertise when it comes to things such as finances, metrics and policy, but often very little when it comes to cybersecurity.
While some forward-thinking companies have created c-suite positions for IT and security personnel, such as chief technology officers (CTOs) and chief information security officers (CISOs), these executives don’t always get an actual seat on the board, and unfortunately their voices sometimes carry less weight. But with the increasing incidence of cyber breaches (most notably, third-party cyber breaches) and cyber regulations, this reality is going to put boards and c-suites in hot water.
In a recent BDO Governance survey, only 32% of board respondents said that they are briefed on cybersecurity quarterly, while 54% of respondents said that they are briefed at least annually and 9% said not at all. Surprisingly, 73% said that their organizations require third parties to meet some level of cyber risk requirements. Our recent study of security and IT professionals found that only 36% of respondents believe their organizations effectively assess third-party cyber risk. This disparity illustrates the need for boards and c-suites to be more engaged with their security teams, and particularly with third-party cyber risk management.
Global consulting firm Protiviti recently identified a high correlation between board involvement and highly mature vendor risk management (VRM) systems. In the Protiviti study, 57% of companies that reported having engaged boards also enjoyed the benefits of a mature VRM framework. Couple that with the fact that the average cost of a breach is around $4 million and third-party breaches tend to be the most expensive, at $7.5 million, according to a recent Ponemon study. And once you’ve factored in the impact on brand reputation, lost business and other incidental costs, that number gets even higher. The impact of a breach is a perfect example of how an organization’s financial and technological risks blend together and why the board should be involved in creating a third-party cyber risk management (TPCRM) strategy.
So, how can the board get involved? The first step is having a board that understands what a TPCRM strategy is and the benefits of such a program. A good strategy is one that includes a comprehensive program for identifying the vendor landscape, prioritizing it, assessing risk and, of course, mediating any risk that is deemed unacceptable. Data should be collected through a dynamic and validated assessment that continuously monitors the internal security controls or gaps of vendors, not just using an outside-in scanning tool with publicly available data or a once-a-year static assessment.
The board should also ask the right questions of the IT teams. For example, does the board know who the riskiest vendors are, or which vendors handle or have access to, your company’s most sensitive or classified information? And once these factors are known, what specific steps are being taken to mitigate the problem? The board should also know that the most valuable TPCRM programs don’t just look at vendors that their company spends most of its money on--it looks at the entire vendor pool and takes all levels of risk into consideration.
At the end of the day, your organization’s finances, metrics and value are all intrinsically linked to your cybersecurity, so it’s time to start paying attention.
Chief Executive Officer
As Chief Executive Officer, Fred Kneip is responsible for the overall company direction of CyberGRX. Prior to joining the company, Fred served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security. Before that, Fred was an Associate Principal at McKinsey & Co., where he led the company’s Corporate Finance practice. Fred has also worked as an investor with two later-stage private equity investment firms. Fred holds a B.S.E from Princeton University and an M.B.A. from Columbia Business School.