Marko Suswanto, profile picture
Uploaded byMarko Suswanto
PDF, PPTX1,841 views

Cybersecurity in the Boardroom

Cybersecurity has escalated to a major board-level concern and corporate governance issue. Boards of directors now play an important oversight role in ensuring organizations have adequate cybersecurity measures, response plans, and roadmaps to address growing threats. Management is responsible for executing specific security steps, while the board provides advisory and monitoring functions. These include assessing security readiness, stress testing response plans, conducting independent reviews, and establishing long-term strategies. With continued board guidance, organizations can better mitigate risks and adapt to changing cyber threats.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
Technology Risk E-Book Audit | Tax | Advisory | Risk | Performance Cybersecurity in the Boardroom A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies nn Six Critical Questions to Assess Cybersecurity Readiness nn Ten Principles of Corporate Governance for Management and the Board nn Five Steps to Establish and Maintain a Cybersecurity Road Map nn Plus: Seven Crowe Insights to Share on LinkedIn
Cybersecurity in the Boardroom 2www.crowehorwath.com Boards of directors have extremely limited capacity for taking on new areas of oversight. Given that constraint, it is noteworthy that cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Company executives and top management used to be responsible for meeting the ongoing strategic challenges in their industries. For example, being an oil executive was sufficient experience for running an oil company, being a retail executive was sufficient for running a retail firm, and so on. The demands on management have changed with the times. The digital age has brought about a convergence such that no matter the industry, executives now struggle with a set of common concerns related to technology strategy and information security. Across widespread, globalized supply chains, organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent. This digital convergence opens profitable opportunities and markets but brings with it additional risks and exposures. CEOs and other high-level executives need a starting point for understanding and responding to growing board-level concerns about cybersecurity. To help with this objective, Crowe Horwath LLP examines why the subject has escalated to the board level and how executives should guide their board members in thinking about cybersecurity issues. Introduction Cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Crowe Insight Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
Cybersecurity in the Boardroom 3www.crowehorwath.com Cybersecurity Readiness: Is Your Organization Prepared? According to The Institute of Internal Auditors Research Foundation (IIARF), the critical questions to consider when assessing the cybersecurity readiness of a board of directors are1 : nn Does the organization use a security framework? nn What are the top five risks the organization has related to cybersecurity? nn How are employees made aware of their roles related to cybersecurity? nn Are external and internal threats considered when planning cybersecurity program activities? nn How is security governance managed in the organization? nn In the event of a serious breach, does management have a robust response protocol?
Cybersecurity Escalates to the Board Level
Cybersecurity in the Boardroom 5www.crowehorwath.com Executives have become acutely aware of their personal stakes in facilitating adequate cybersecurity by preventing incidents and responding to data breaches in an appropriate manner. Their jobs are on the line. Yet the decades of industry experience that make someone a great leader in his or her industry might not foster the knowledge or relationships needed to respond to a major cybersecurity threat. In addition to the financial damage that ensues, a data breach causes significant exposure to reputational risk. An apt illustration is the recent Sony Entertainment Inc. hack in which executives’ reputations appeared to be among the attack’s principal targets.2 In such a case, with management having to deal with matters of national security, the board’s input and participation become essential. The list of companies beset by data breaches in recent years includes some of the marketplace’s highest- profile brands across a broad spectrum of industries, including The Home Depot Inc.3 and Target Corp.4 in retail; Domino’s Pizza5 and P.F. Chang’s China Bistro Inc.6 in restaurants; JPMorgan Chase & Co.7 in banking; and Adobe Systems Inc.,8 Apple Inc.,9 and eBay Inc.10 in the technology sector. Even being a relatively low-profile organization provides no assurance of safety, as seen by breaches at the Montana Department of Public Health and Human Services,11 Community Health Systems Inc.,12 and Goodwill Industries International Inc.13 In fact, data breaches have become extremely common, with an estimated 43 percent of companies experiencing one in the past year.14 In 2014, just counting those confirmed by media sources or subject to notification through state governmental agencies, there were a record-high 783 data breaches in the U.S.,15 which, due to patchwork reporting regulation and systemic underreporting, understates the problem. Yet not all data breaches are motivated by criminal gain or malicious intent. For most, some sort of glitch or human error is the cause.16 In fact, employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.17 Human errors take the forms of misconfiguration, a lack of patching, and “social engineering” in which an Crowe Insight The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
Cybersecurity in the Boardroom 6www.crowehorwath.com attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out- of-date credentials. A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.18 In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies: nn Technical remediation involving internal IT and external consultants nn Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug nn Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes nn Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats. Data breaches cost an average of $145 per record lost.
Assessing Responsibilities for Cybersecurity
Cybersecurity in the Boardroom 8www.crowehorwath.com Crowe Insight Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans. Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack. Despite cybersecurity’s immense challenge, the general principles of corporate governance remain intact. In dividing the responsibility, management has full charge for executing the specific steps required to mitigate risk while the board of directors acts largely in an oversight and advisory role. Principal responsibilities for management: 1. Perform a cybersecurity assessment. The Crowe approach, which combines input from the leading industry frameworks with Crowe professionals’ extensive experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities. Cybersecurity assessments include the following steps: nn Identify critical data. nn Map data stores and flows. nn Perform a controls risk analysis. nn Rate the maturity of security controls. nn Build short- and long-term remediation plans. 2. Perform an ecosystem assessment. Verify that vendors and outsourcing providers also have adequate cybersecurity controls. 3. Facilitate global review. Evaluate data protection laws and breach disclosure requirements in each country or state in which the organization does business. 4. Follow frameworks. Meet the appropriate requirements of the NIST cybersecurity framework, ISO 27001 standards, and industry-specific frameworks and/or standards – for example, PCI for retailers, SEC for public companies and financial regulators. Efforts taken to meet the requirements of multiple security frameworks and/or standards can be rationalized using the Unified Compliance Framework, a tool that includes a regulations database for centralized compliance. 5. Form a mitigation plan. Establish an internal risk management framework supported with adequate staffing and a budget for achieving compliance.
Cybersecurity in the Boardroom 9www.crowehorwath.com Principal responsibilities for the board of directors19 : 1. Revise the agenda. Cybersecurity once was viewed as an IT issue, but given cyberattacks’ present frequency and intensity, the topic now is considered an enterprisewide, operational risk management issue to be monitored closely by the board. 2. Facilitate legal review. Depending on the region and industry, cybersecurity will have varying legal implications pertaining to board responsibilities, and these implications should be reviewed by counsel and monitored for changes. 3. Enhance expertise. The challenge’s technical nature requires boards to have access to cybersecurity expertise, through either the election of specialists in the field or use of external consultants. 4. Set expectations. In addition to or in conjunction with existing goals and responsibilities, management should be monitored, measured, and compensated based on its ability to establish and enforce an enterprisewide risk management framework that can lower the risk of cybersecurity breaches. 5. Maintain frameworks. The adoption of a cybersecurity framework is not a one-time affair; rather, security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources. The board needs to set the parameters of frameworks’ evolution. Crowe Insight Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
The Board of Directors: Achieving Cybersecurity Excellence
Cybersecurity in the Boardroom 11www.crowehorwath.com Crowe Insight Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right. In meeting these responsibilities, a board of directors should take steps to provide effective oversight of cybersecurity risk mitigation along with sound advice to executive management. Learn from recent breaches and breach attempts. Every cybersecurity-related incident, whether or not it causes damage, offers a valuable opportunity to evaluate what went wrong and right. nn If the organization has been affected by a breach, ask, “How did we react? What did we tell our customers?” nn If not affected, ask, “What prevented the breach? What would have happened if we had been breached?” Stress test the incident response plan. Similar to a disaster recovery plan, the specifics of an incident response plan have to be carefully planned and tested. nn Board members should understand their personal roles in the response plan and have access to resources to fulfill their responsibilities as outlined in the plan. nn Board members should be aware of the expected reactions to a breach from regulators, law enforcement, customers, and other stakeholders. nn Following an attack on the company or broader industry, the board should convene to review the company’s response.
Cybersecurity in the Boardroom 12www.crowehorwath.com Perform an independent cybersecurity assessment. For a cybersecurity assessment, as with any other type of evaluation, the board of directors should not rely entirely on information from management to assess its own performance. Accordingly, it is essential to receive an independent evaluation of how the organization is meeting the requirements of the various cybersecurity frameworks. An effective, independent cybersecurity assessment will evaluate: nn Qualifications and capabilities of the cybersecurity team nn The state of the organization’s IT and cybergovernance nn Reporting relationships among the CEO, CIO, chief information security officer, chief audit executive, and other relevant executives nn Preventive controls and security awareness training nn Other organizations in the industry or organizations of similar size in other industries Establish and maintain a cybersecurity road map. Much like a technology road map, a cybersecurity road map provides a consensus-driven framework for achieving realistic short- and long- term objectives. A cybersecurity road map not only defines the extent to which an organization intends to protect itself against data breaches but moderates risk tolerances in different areas to employ the optimal alignment of people, processes, and technology. A cybersecurity road map should include the following elements: nn Annual health checks. Establish the capability to review the performance of the cybersecurity response team through interviews and independent data reviews. nn Year-by-year milestones. Set expectations for annual improvements in incident rate, incident response time, employee training hours, and levels of compliance with cybersecurity frameworks. 43% of companies experienced a data breach in the past year.
Cybersecurity in the Boardroom 13www.crowehorwath.com Crowe Insight Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks. nn Risk tolerances. For each type of risk faced by an organization, identify the risk tolerance – which risks to avoid, which to accept, which to mitigate through an operational response, and which to transfer through insurance. nn Cybersecurity insurance. Insurance’s cost is expected to vary greatly in coming years. Price increases will be affected by the threat level and virulence of attack vectors, with decreases driven by the extent to which technology solutions succeed at improving cybersecurity’s efficacy. Given the attention and investment in the cybersecurity sector, as well as interest in the category by the insurance industry, it’s quite possible or even likely that an organization that currently self-insures against cybersecurity risks will find cybersecurity insurance a much more attractive proposition in the years to come. The board of directors should have a sense of the right price for coverage at the organization and, based on a set of planning assumptions, incorporate those expectations into the road map. nn Long-term remediation plans. The cybersecurity road map and the broader technology road map can converge to rework business processes with the aim of reducing exposure to cybersecurity threats. Given that the human element in the form of employee negligence plays a contributing role in the majority of data breaches, it follows that an approach that supplements human labor with artificial intelligence potentially would reduce the overall risk of operations from a cybersecurity standpoint. These and other long-term considerations should be incorporated into the cybersecurity road map for annual review.
Looking Ahead
Cybersecurity in the Boardroom 15www.crowehorwath.com In the next several years, boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats. Even as technology enables powerful new business models that still are being explored, IT infrastructures remain relatively immature from a cybersecurity perspective. Until the security model catches up with the business model, organizations will be exposed to malicious and criminal actions. Through their cross-industry exposure, high-level perspective, and influence, board members can guide management toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the present threat environment. Given the participation of well-funded adversaries, it’s unlikely the cybersecurity threat ever will go away. But it’s certainly within the grasp of any organization to stop making simple mistakes, improve overall awareness, and establish a solid course toward a safer computing environment that’s ready to do business in the 21st century. Crowe Insight Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly. Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
Cybersecurity in the Boardroom 16www.crowehorwath.com 1 Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15. 2 “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/ sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/ a799e8a0-809c-11e4-8882-03cf08410beb_story.html 3 “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted- malware-contained 4 “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch. com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen- including-names-emails-and-phones 5 “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos- pizza-ransom-hack-data 6 “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http:// krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs 7 “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of- jpmorgan-data-breach-is-identified/?_r=0 8 “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached- records-from-adobe-hack-surface-online 9 “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple- developer-site-hacked 10 “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles. chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares- ebay-users-u-s-company 11 “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www. informationweek.com/healthcare/security-and-privacy/montana-health-department- hacked/d/d-id/1278872 12 Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity- idUSKBN0GI16N20140818 13 “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months 14 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 15 “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys- Studies/2014databreaches.html 16 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 17 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 18 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 19 Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www. theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask- download-pdf-1852.cfm Sources
www.crowehorwath.com Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public accounting and consulting firms in the United States. Under its core purpose of “Building Value with Values® ,” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world, consisting of more than 150 independent accounting and advisory services firms in more than 100 countries around the world. Crowe Horwath LLP, The Unique Alternative® Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2015 Crowe Horwath LLP RISK15376 Contact Information For more information, contact Raj Chaudhary at 312.899.7008 or raj.chaudhary@crowehorwath.com.

More Related Content

PDF
ISO 27001:2022 Introduction
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
byCorporater
 
PPTX
Third Party Risk Management
byEC-Council
 
PPTX
SOC for Cybersecurity Overview
byBrian Matteson, CISSP CISA
 
PDF
NIST Cybersecurity Framework (CSF) 2.0 Workshop
byBachir Benyammi
 
PDF
Guide to Risk Management Framework (RMF)
byMetroStar
 
PDF
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
PDF
Security Awareness Training
byDaniel P Wallace
 
ISO 27001:2022 Introduction
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
byCorporater
 
Third Party Risk Management
byEC-Council
 
SOC for Cybersecurity Overview
byBrian Matteson, CISSP CISA
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
byBachir Benyammi
 
Guide to Risk Management Framework (RMF)
byMetroStar
 
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
Security Awareness Training
byDaniel P Wallace
 

What's hot

PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PDF
Cyber Security Governance
byPriyanka Aash
 
PDF
Cybersecurity Incident Management Powerpoint Presentation Slides
bySlideTeam
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
PPTX
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
PPTX
Cybersecurity Risk Management Program and Your Organization
byMcKonly & Asbury, LLP
 
PDF
Comprehensive plans are in place to improve our institutional cyber security
byJasonTrinhNguyenTruo
 
PPT
Security policy
byDhani Ahmad
 
PPTX
Cyber Threat Intelligence
byPrachi Mishra
 
PPTX
What is zero trust model (ztm)
byAhmed Banafa
 
PDF
Cyber Threat Intelligence - It's not just about the feeds
byIain Dickson
 
PPTX
Cybersecurity Metrics: Reporting to BoD
byPranav Shah
 
PDF
IT SECURITY ASSESSMENT PROPOSAL
byCYBER SENSE
 
PDF
Cyber Resilience
byIan-Edward Stafrace
 
PDF
Cyber Security For Organization Proposal PowerPoint Presentation Slides
bySlideTeam
 
PPT
Risk Assessment Process NIST 800-30
bytimmcguinness
 
PDF
Cyber Security Maturity Assessment
byDoreen Loeber
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Cyber Security Governance
byPriyanka Aash
 
Cybersecurity Incident Management Powerpoint Presentation Slides
bySlideTeam
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
Cybersecurity Risk Management Program and Your Organization
byMcKonly & Asbury, LLP
 
Comprehensive plans are in place to improve our institutional cyber security
byJasonTrinhNguyenTruo
 
Security policy
byDhani Ahmad
 
Cyber Threat Intelligence
byPrachi Mishra
 
What is zero trust model (ztm)
byAhmed Banafa
 
Cyber Threat Intelligence - It's not just about the feeds
byIain Dickson
 
Cybersecurity Metrics: Reporting to BoD
byPranav Shah
 
IT SECURITY ASSESSMENT PROPOSAL
byCYBER SENSE
 
Cyber Resilience
byIan-Edward Stafrace
 
Cyber Security For Organization Proposal PowerPoint Presentation Slides
bySlideTeam
 
Risk Assessment Process NIST 800-30
bytimmcguinness
 
Cyber Security Maturity Assessment
byDoreen Loeber
 

Viewers also liked

PDF
Cybersecurity Risk Management for Financial Institutions
bySarah Cirelli
 
PPTX
The Board and Cyber Security
byFireEye, Inc.
 
PPSX
Board and Cyber Security
byLeon Fouche
 
PPTX
Information security governance
byKoen Maris
 
PDF
7 cyber security questions for boards
byPaul McGillicuddy
 
PDF
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
byIBM Security
 
PPTX
Cybersecurity 1. intro to cybersecurity
bysommerville-videos
 
PPTX
Cyber security presentation
byBijay Bhandari
 
PPTX
What every executive needs to know about information technology security
byLegal Services National Technology Assistance Project (LSNTAP)
 
PPTX
Cybersecurity Law and Risk Management
byKeelan Stewart
 
PDF
What CIOs Need To Tell Their Boards About Cyber Security
byKaryl Scott
 
PPTX
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
byPhil Agcaoili
 
PDF
Cybersecurity Goverence for Boards of Directors
byPaul Feldman
 
PPTX
Bob West - Educating the Board of Directors
bycentralohioissa
 
PDF
Cybersecurity and The Board
byPaul Melson
 
PPTX
Sans 20 CSC: Connecting Security to the Business Mission
byTripwire
 
PDF
Cybersecurity
byBen Liu
 
PPT
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
byShawn Tuma
 
PDF
Bridging the Cybersecurity Gap
byFidelis Cybersecurity
 
PDF
CyberSecurity Vision: 2017-2027 & Beyond!
byDr David Probert
 
Cybersecurity Risk Management for Financial Institutions
bySarah Cirelli
 
The Board and Cyber Security
byFireEye, Inc.
 
Board and Cyber Security
byLeon Fouche
 
Information security governance
byKoen Maris
 
7 cyber security questions for boards
byPaul McGillicuddy
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
byIBM Security
 
Cybersecurity 1. intro to cybersecurity
bysommerville-videos
 
Cyber security presentation
byBijay Bhandari
 
What every executive needs to know about information technology security
byLegal Services National Technology Assistance Project (LSNTAP)
 
Cybersecurity Law and Risk Management
byKeelan Stewart
 
What CIOs Need To Tell Their Boards About Cyber Security
byKaryl Scott
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
byPhil Agcaoili
 
Cybersecurity Goverence for Boards of Directors
byPaul Feldman
 
Bob West - Educating the Board of Directors
bycentralohioissa
 
Cybersecurity and The Board
byPaul Melson
 
Sans 20 CSC: Connecting Security to the Business Mission
byTripwire
 
Cybersecurity
byBen Liu
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
byShawn Tuma
 
Bridging the Cybersecurity Gap
byFidelis Cybersecurity
 
CyberSecurity Vision: 2017-2027 & Beyond!
byDr David Probert
 

Similar to Cybersecurity in the Boardroom

PDF
The case for a Cybersecurity Expert on the Board of an SEC firm
byDavid Sweigert
 
PDF
Top Cybersecurity Concerns from Boards & Directors (Mid-2025)
byCybernetic Global Intelligence
 
PDF
Foley-Cybersecurity-White-Paper_3.9.15
byJames Fisher
 
PDF
employee-awareness-and-training-the-holy-grail-of-cybersecurity
byPaul Ferrillo
 
PDF
NextLevel Cyber Security Executive Briefing
byJoe Nathans
 
PDF
GAM 2021 - Aligning Audits with Leadership Cybersecurity Questions.pdf
byNathan Anderson
 
PDF
K Royal, JD, PhD for Top Cyber News MAGAZINE May 2025
byDr. Ludmila Morozova-Buss
 
PDF
Improving Cyber Security Literacy in Boards & Executives
byTripwire
 
PDF
For Corporate Boards, a Cyber Security Top 10
byDavid X Martin
 
PDF
Booz Allen's 10 Cyber Priorities for Boards of Directors
byBooz Allen Hamilton
 
PDF
Norman Broadbent Cybersecurity Report - How should boards respond
byLydia Shepherd
 
PDF
Securing the Digital Future
byCognizant
 
PDF
BLACKOPS_USCS CyberSecurity Literacy
byCasey Fleming
 
PDF
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
byEMC
 
PDF
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
byEMC
 
PDF
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
byFERMA
 
PDF
Cyber Security 101: What Your Agency Needs to Know
bySandra Fathi
 
PDF
Ask the Experts final
byDaren Dunkel
 
PDF
Primer on cybersecurity for boards of directors
byDavid X Martin
 
PDF
idg_secops-solutions
byJonny Nässlander
 
The case for a Cybersecurity Expert on the Board of an SEC firm
byDavid Sweigert
 
Top Cybersecurity Concerns from Boards & Directors (Mid-2025)
byCybernetic Global Intelligence
 
Foley-Cybersecurity-White-Paper_3.9.15
byJames Fisher
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
byPaul Ferrillo
 
NextLevel Cyber Security Executive Briefing
byJoe Nathans
 
GAM 2021 - Aligning Audits with Leadership Cybersecurity Questions.pdf
byNathan Anderson
 
K Royal, JD, PhD for Top Cyber News MAGAZINE May 2025
byDr. Ludmila Morozova-Buss
 
Improving Cyber Security Literacy in Boards & Executives
byTripwire
 
For Corporate Boards, a Cyber Security Top 10
byDavid X Martin
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
byBooz Allen Hamilton
 
Norman Broadbent Cybersecurity Report - How should boards respond
byLydia Shepherd
 
Securing the Digital Future
byCognizant
 
BLACKOPS_USCS CyberSecurity Literacy
byCasey Fleming
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
byEMC
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
byEMC
 
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
byFERMA
 
Cyber Security 101: What Your Agency Needs to Know
bySandra Fathi
 
Ask the Experts final
byDaren Dunkel
 
Primer on cybersecurity for boards of directors
byDavid X Martin
 
idg_secops-solutions
byJonny Nässlander
 

Recently uploaded

PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PPTX
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknowtechs
 
PDF
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
AI Driven & AI Native Development AI native development
byZainKarim7
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
Information about Trusted Platform Module(TPM)
bynewtoknowtechs
 
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 

Cybersecurity in the Boardroom

  • 1.
    Technology Risk E-Book Audit |Tax | Advisory | Risk | Performance Cybersecurity in the Boardroom A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies nn Six Critical Questions to Assess Cybersecurity Readiness nn Ten Principles of Corporate Governance for Management and the Board nn Five Steps to Establish and Maintain a Cybersecurity Road Map nn Plus: Seven Crowe Insights to Share on LinkedIn
  • 2.
    Cybersecurity in theBoardroom 2www.crowehorwath.com Boards of directors have extremely limited capacity for taking on new areas of oversight. Given that constraint, it is noteworthy that cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Company executives and top management used to be responsible for meeting the ongoing strategic challenges in their industries. For example, being an oil executive was sufficient experience for running an oil company, being a retail executive was sufficient for running a retail firm, and so on. The demands on management have changed with the times. The digital age has brought about a convergence such that no matter the industry, executives now struggle with a set of common concerns related to technology strategy and information security. Across widespread, globalized supply chains, organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent. This digital convergence opens profitable opportunities and markets but brings with it additional risks and exposures. CEOs and other high-level executives need a starting point for understanding and responding to growing board-level concerns about cybersecurity. To help with this objective, Crowe Horwath LLP examines why the subject has escalated to the board level and how executives should guide their board members in thinking about cybersecurity issues. Introduction Cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Crowe Insight Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
  • 3.
    Cybersecurity in theBoardroom 3www.crowehorwath.com Cybersecurity Readiness: Is Your Organization Prepared? According to The Institute of Internal Auditors Research Foundation (IIARF), the critical questions to consider when assessing the cybersecurity readiness of a board of directors are1 : nn Does the organization use a security framework? nn What are the top five risks the organization has related to cybersecurity? nn How are employees made aware of their roles related to cybersecurity? nn Are external and internal threats considered when planning cybersecurity program activities? nn How is security governance managed in the organization? nn In the event of a serious breach, does management have a robust response protocol?
  • 4.
  • 5.
    Cybersecurity in theBoardroom 5www.crowehorwath.com Executives have become acutely aware of their personal stakes in facilitating adequate cybersecurity by preventing incidents and responding to data breaches in an appropriate manner. Their jobs are on the line. Yet the decades of industry experience that make someone a great leader in his or her industry might not foster the knowledge or relationships needed to respond to a major cybersecurity threat. In addition to the financial damage that ensues, a data breach causes significant exposure to reputational risk. An apt illustration is the recent Sony Entertainment Inc. hack in which executives’ reputations appeared to be among the attack’s principal targets.2 In such a case, with management having to deal with matters of national security, the board’s input and participation become essential. The list of companies beset by data breaches in recent years includes some of the marketplace’s highest- profile brands across a broad spectrum of industries, including The Home Depot Inc.3 and Target Corp.4 in retail; Domino’s Pizza5 and P.F. Chang’s China Bistro Inc.6 in restaurants; JPMorgan Chase & Co.7 in banking; and Adobe Systems Inc.,8 Apple Inc.,9 and eBay Inc.10 in the technology sector. Even being a relatively low-profile organization provides no assurance of safety, as seen by breaches at the Montana Department of Public Health and Human Services,11 Community Health Systems Inc.,12 and Goodwill Industries International Inc.13 In fact, data breaches have become extremely common, with an estimated 43 percent of companies experiencing one in the past year.14 In 2014, just counting those confirmed by media sources or subject to notification through state governmental agencies, there were a record-high 783 data breaches in the U.S.,15 which, due to patchwork reporting regulation and systemic underreporting, understates the problem. Yet not all data breaches are motivated by criminal gain or malicious intent. For most, some sort of glitch or human error is the cause.16 In fact, employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.17 Human errors take the forms of misconfiguration, a lack of patching, and “social engineering” in which an Crowe Insight The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
  • 6.
    Cybersecurity in theBoardroom 6www.crowehorwath.com attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out- of-date credentials. A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.18 In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies: nn Technical remediation involving internal IT and external consultants nn Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug nn Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes nn Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats. Data breaches cost an average of $145 per record lost.
  • 7.
  • 8.
    Cybersecurity in theBoardroom 8www.crowehorwath.com Crowe Insight Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans. Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack. Despite cybersecurity’s immense challenge, the general principles of corporate governance remain intact. In dividing the responsibility, management has full charge for executing the specific steps required to mitigate risk while the board of directors acts largely in an oversight and advisory role. Principal responsibilities for management: 1. Perform a cybersecurity assessment. The Crowe approach, which combines input from the leading industry frameworks with Crowe professionals’ extensive experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities. Cybersecurity assessments include the following steps: nn Identify critical data. nn Map data stores and flows. nn Perform a controls risk analysis. nn Rate the maturity of security controls. nn Build short- and long-term remediation plans. 2. Perform an ecosystem assessment. Verify that vendors and outsourcing providers also have adequate cybersecurity controls. 3. Facilitate global review. Evaluate data protection laws and breach disclosure requirements in each country or state in which the organization does business. 4. Follow frameworks. Meet the appropriate requirements of the NIST cybersecurity framework, ISO 27001 standards, and industry-specific frameworks and/or standards – for example, PCI for retailers, SEC for public companies and financial regulators. Efforts taken to meet the requirements of multiple security frameworks and/or standards can be rationalized using the Unified Compliance Framework, a tool that includes a regulations database for centralized compliance. 5. Form a mitigation plan. Establish an internal risk management framework supported with adequate staffing and a budget for achieving compliance.
  • 9.
    Cybersecurity in theBoardroom 9www.crowehorwath.com Principal responsibilities for the board of directors19 : 1. Revise the agenda. Cybersecurity once was viewed as an IT issue, but given cyberattacks’ present frequency and intensity, the topic now is considered an enterprisewide, operational risk management issue to be monitored closely by the board. 2. Facilitate legal review. Depending on the region and industry, cybersecurity will have varying legal implications pertaining to board responsibilities, and these implications should be reviewed by counsel and monitored for changes. 3. Enhance expertise. The challenge’s technical nature requires boards to have access to cybersecurity expertise, through either the election of specialists in the field or use of external consultants. 4. Set expectations. In addition to or in conjunction with existing goals and responsibilities, management should be monitored, measured, and compensated based on its ability to establish and enforce an enterprisewide risk management framework that can lower the risk of cybersecurity breaches. 5. Maintain frameworks. The adoption of a cybersecurity framework is not a one-time affair; rather, security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources. The board needs to set the parameters of frameworks’ evolution. Crowe Insight Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
  • 10.
    The Board ofDirectors: Achieving Cybersecurity Excellence
  • 11.
    Cybersecurity in theBoardroom 11www.crowehorwath.com Crowe Insight Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right. In meeting these responsibilities, a board of directors should take steps to provide effective oversight of cybersecurity risk mitigation along with sound advice to executive management. Learn from recent breaches and breach attempts. Every cybersecurity-related incident, whether or not it causes damage, offers a valuable opportunity to evaluate what went wrong and right. nn If the organization has been affected by a breach, ask, “How did we react? What did we tell our customers?” nn If not affected, ask, “What prevented the breach? What would have happened if we had been breached?” Stress test the incident response plan. Similar to a disaster recovery plan, the specifics of an incident response plan have to be carefully planned and tested. nn Board members should understand their personal roles in the response plan and have access to resources to fulfill their responsibilities as outlined in the plan. nn Board members should be aware of the expected reactions to a breach from regulators, law enforcement, customers, and other stakeholders. nn Following an attack on the company or broader industry, the board should convene to review the company’s response.
  • 12.
    Cybersecurity in theBoardroom 12www.crowehorwath.com Perform an independent cybersecurity assessment. For a cybersecurity assessment, as with any other type of evaluation, the board of directors should not rely entirely on information from management to assess its own performance. Accordingly, it is essential to receive an independent evaluation of how the organization is meeting the requirements of the various cybersecurity frameworks. An effective, independent cybersecurity assessment will evaluate: nn Qualifications and capabilities of the cybersecurity team nn The state of the organization’s IT and cybergovernance nn Reporting relationships among the CEO, CIO, chief information security officer, chief audit executive, and other relevant executives nn Preventive controls and security awareness training nn Other organizations in the industry or organizations of similar size in other industries Establish and maintain a cybersecurity road map. Much like a technology road map, a cybersecurity road map provides a consensus-driven framework for achieving realistic short- and long- term objectives. A cybersecurity road map not only defines the extent to which an organization intends to protect itself against data breaches but moderates risk tolerances in different areas to employ the optimal alignment of people, processes, and technology. A cybersecurity road map should include the following elements: nn Annual health checks. Establish the capability to review the performance of the cybersecurity response team through interviews and independent data reviews. nn Year-by-year milestones. Set expectations for annual improvements in incident rate, incident response time, employee training hours, and levels of compliance with cybersecurity frameworks. 43% of companies experienced a data breach in the past year.
  • 13.
    Cybersecurity in theBoardroom 13www.crowehorwath.com Crowe Insight Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks. nn Risk tolerances. For each type of risk faced by an organization, identify the risk tolerance – which risks to avoid, which to accept, which to mitigate through an operational response, and which to transfer through insurance. nn Cybersecurity insurance. Insurance’s cost is expected to vary greatly in coming years. Price increases will be affected by the threat level and virulence of attack vectors, with decreases driven by the extent to which technology solutions succeed at improving cybersecurity’s efficacy. Given the attention and investment in the cybersecurity sector, as well as interest in the category by the insurance industry, it’s quite possible or even likely that an organization that currently self-insures against cybersecurity risks will find cybersecurity insurance a much more attractive proposition in the years to come. The board of directors should have a sense of the right price for coverage at the organization and, based on a set of planning assumptions, incorporate those expectations into the road map. nn Long-term remediation plans. The cybersecurity road map and the broader technology road map can converge to rework business processes with the aim of reducing exposure to cybersecurity threats. Given that the human element in the form of employee negligence plays a contributing role in the majority of data breaches, it follows that an approach that supplements human labor with artificial intelligence potentially would reduce the overall risk of operations from a cybersecurity standpoint. These and other long-term considerations should be incorporated into the cybersecurity road map for annual review.
  • 14.
  • 15.
    Cybersecurity in theBoardroom 15www.crowehorwath.com In the next several years, boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats. Even as technology enables powerful new business models that still are being explored, IT infrastructures remain relatively immature from a cybersecurity perspective. Until the security model catches up with the business model, organizations will be exposed to malicious and criminal actions. Through their cross-industry exposure, high-level perspective, and influence, board members can guide management toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the present threat environment. Given the participation of well-funded adversaries, it’s unlikely the cybersecurity threat ever will go away. But it’s certainly within the grasp of any organization to stop making simple mistakes, improve overall awareness, and establish a solid course toward a safer computing environment that’s ready to do business in the 21st century. Crowe Insight Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly. Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
  • 16.
    Cybersecurity in theBoardroom 16www.crowehorwath.com 1 Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15. 2 “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/ sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/ a799e8a0-809c-11e4-8882-03cf08410beb_story.html 3 “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted- malware-contained 4 “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch. com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen- including-names-emails-and-phones 5 “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos- pizza-ransom-hack-data 6 “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http:// krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs 7 “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of- jpmorgan-data-breach-is-identified/?_r=0 8 “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached- records-from-adobe-hack-surface-online 9 “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple- developer-site-hacked 10 “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles. chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares- ebay-users-u-s-company 11 “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www. informationweek.com/healthcare/security-and-privacy/montana-health-department- hacked/d/d-id/1278872 12 Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity- idUSKBN0GI16N20140818 13 “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months 14 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 15 “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys- Studies/2014databreaches.html 16 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 17 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 18 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 19 Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www. theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask- download-pdf-1852.cfm Sources
  • 17.
    www.crowehorwath.com Crowe Horwath LLP(www.crowehorwath.com) is one of the largest public accounting and consulting firms in the United States. Under its core purpose of “Building Value with Values® ,” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world, consisting of more than 150 independent accounting and advisory services firms in more than 100 countries around the world. Crowe Horwath LLP, The Unique Alternative® Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2015 Crowe Horwath LLP RISK15376 Contact Information For more information, contact Raj Chaudhary at 312.899.7008 or raj.chaudhary@crowehorwath.com.