Information Security: What Boards Need to Know for Reputation Management Dave Fachetti, EVP of Strategy & Board Member, BitSight


Post on 20-May-2020


Page 1: for Reputation Management Information Security: …...BitSight for vendor risk management. 4 of Fortune 500 companies use BitSight. 25% government agencies, including U.S. and global

Information Security: What Boards Need to Know for Reputation Management

Dave Fachetti, EVP of Strategy & Board Member, BitSight

Page 2

Reputational Risk Is a Strategic Business Risk


On average, 25 percent of a company’s value is directly tied to its reputation.

87 percent of executives rate reputational risk as more important than other strategic risks.

*Deloitte, Global Survey on Reputation Risk 2015

Reputational risk is influenced by every major strategic business risk:

● Legal/regulatory fines and penalties

● Financial performance perception

● Product/service failure

● Ethical concerns (scandal)

Page 3

The Nature of Business Expands Reputation Exposure

[Diagram: your organization at the centre of an ecosystem of Tier 1-N suppliers and fourth parties, spanning functions such as inventory planning, shipping, labs, licensing, sales agents and distributors, loyalty partners, call center, warranty processing, office products, waste disposal, cleaning, recruiting, benefits providers, payroll processing, advertising agency, hardware lease, licensed and hosted vendor solutions, disaster recovery, infrastructure and application support, contract manufacturing, brokers/agents, legal, insurance, marketing, human resources, facilities, contracts, sourcing, logistics, R&D, franchise, certification bodies, joint ventures, distribution and sales, customer and customer support, media ad sales, and technology.]

70% of organizations have “moderate” to “high” dependency on external organizations.1

83% of organizations have experienced a third-party incident in the last three years.2

Companies continue to expand their digital ecosystem, which poses new risks to the business.

1 Results from 2019 Deloitte survey. 2 Deloitte, EERM 2019 Survey.

Page 4

Breaches Dominate the Headlines


Many are the result of third-party exposures.

Page 5

They Have Real Economic Impacts


Page 6

Governments, Regulators & Industry Groups Are Acting


Recommended guidance:

● NIST SP 800-171: security requirements in response to the DFARS cyber security requirements.

● Civil Aviation Cybersecurity Industry Assessment & Recommendations: “[Suppliers should] develop a capability to monitor, assess and communicate product cyber security related incidents and concerns to assess all potential risks to aerospace systems and aircraft operations. These capabilities are key to ensuring that organizations are prepared to effectively respond in the event of a cybersecurity related incident.”

Laws/regulations:

● GDPR: affects all organizations doing business in the EU.

● HIPAA.

Page 7

So What About Cyber Reputation?

* A commissioned study conducted by Forrester Consulting on behalf of BitSight: Better Security and Business Outcomes With Security Performance Management.

Cyber risk is directly tied to company reputation:

● 82 percent of respondents agreed that the way partners and customers perceive information security is important to critical business decisions.

● 48 percent of C-suite respondents indicated that attracting new clients was more difficult following a cyber security incident.

● 38 percent of organizations polled indicated they had lost business due to a real or perceived lack of security.

Direct relationship between cyber risk perception and business outcomes.

Page 8

It’s Not Just Your Customers That Care


[Diagram: YOUR COMPANY at the centre, surrounded by the stakeholders who care about its cyber reputation: investors & shareholders, strategic customers/partners, insurers, and national government & regulators.]

Page 9

Metrics to Demonstrate Cyber Reputation


Performance Metrics Used by Organizations

Creating consistent, understandable and measurable performance metrics enables you to show progress to key stakeholders:

● 63 percent of organizations have adopted standardized performance metrics.

How do you measure security performance today? (share of organizations reporting each metric)

● 50%: percentage of malware incidents blocked.

● 50%: percentage of intrusions blocked by firewall/network security.

● 45%: percentage of cybersecurity risk ratings.

● 45%: percentage of phishing/malicious emails filtered.

● 50%: percentage of data loss prevention (DLP) incidents generated.

Page 10

Metrics Drive Better Outcomes


Companies With Formalized Security Metrics Reap Benefits

Resources: companies with formal security performance metrics are more likely to have seen a budget increase of 10 percent or more over last year.

Behaviors: companies with formalized metrics are more likely to take action to address gaps, including implementing new technologies, updating policies and procedures, and increased security training.

Business outcomes: business leaders believe that increasing security performance drives benefits:

● 74 percent of the C-suite say increased security performance would improve company financial performance.

● 81 percent indicated it would improve the company’s overall reputation.

● 82 percent noted it would strengthen business continuity.

Page 11


Translating Metrics to Board-Level Context

Boards are being increasingly exposed to cyber security information, but many board members don’t know how to interpret and act on the information provided by management.

● 72% of board members say they have been more involved in cyber security over the past 12 months.*

● 91% of board members cannot interpret their organizations’ cyber security reports.*

* Sources: 2018 BDO Cyber Governance Survey; Nasdaq, The Accountability Gap: Cybersecurity and Building a Culture of Responsibility.

Page 12

Why Is There a Disconnect With the Board?


Focus on Operational Performance

“Management still reports on cybersecurity with… highly technical data that are out of step with the metric-based reporting that is common for other enterprise reporting disciplines.” - James Lam and Jack Jones (blog)

Lack of Comparability

“Management can and should deliver reports that are benchmarked, so directors can see metrics in context to peer companies or the industry.” - James Lam and Jack Jones (blog)

Lack of Cyber Security Expertise

“Most boards have only one director serving as a tech or cyber expert.” - Catherine Allen, Board Member, Synovus Financial and El Paso Electric (article)

Page 13

Example Board Reporting

[Dashboard with two panels, “My Organization” and “Critical Supply Chain/Vendors”. Each panel shows a security rating (the slide shows the figures 710 and 790, consistent with the eighty-point drop described below, and vendor ratings from 480 to 760) and a program-maturity score (2.9 and 2.7 appear on the slide) across four functions:]

● Identify: situational awareness of assets and policies.

● Protect: defensive controls and procedures.

● Detect: automated and manual analysis of data.

● Respond: mitigate technical and brand damage.

Operational excellence is tracked as diligence (configuration, patching and hardening) and incidents (system compromises and data exposure).

Executive Summary, My Organization:

● Prior to June 2018, at top of industry range.

● Eighty-point drop due to configuration of external systems.

● Can recover all points quickly.

Executive Summary, Critical Supply Chain/Vendors:

● Vendors range from 480 to 760.

● One public compromise, Acme PII exposed.

● Reassess three vendors (partial/contextual).
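The dashboard on this slide turns a rating feed into a few sentences a director can act on: a drop from peak, a vendor range, a count of compromises, a reassessment list. The Python below is an illustration added here, not BitSight’s code or scoring method, of the rollup logic behind such a summary: it measures each entity’s drop from its peak rating, checks the current rating against a per-tier floor, and expresses a floor breach in the deck’s own relative breach-likelihood bands. The 400/700 cut-offs and the 2x-5x multipliers are taken from the “Likelihood of Suffering a Data Breach” slide later in the deck; the vendor names, criticality tiers, rating histories and the per-tier drop and floor thresholds are constructed assumptions.

```python
"""Board-level rollup of security ratings for an organization and its vendors.

Added illustration, not BitSight's code. The <400 / >700 rating bands and the
2x-5x breach-likelihood multipliers come from the "Likelihood of Suffering a
Data Breach" slide; the entity names, criticality tiers, rating histories and
per-tier alert thresholds below are constructed sample data (assumptions).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Relative likelihood of a data breach by rating band, compared with >700.
# Each entry is (exclusive upper bound of the band, multiplier).
BREACH_MULTIPLIER = [(400, 5.0), (500, 4.0), (600, 3.0), (700, 2.0)]


def breach_multiplier(rating: int) -> float:
    """Map a rating to the slide's relative breach likelihood (1x at 700 and above)."""
    for upper, mult in BREACH_MULTIPLIER:
        if rating < upper:
            return mult
    return 1.0


# Hypothetical per-tier thresholds (assumption, not from the deck): how large a
# drop, and how low a rating, should reach the board for each criticality tier.
DROP_THRESHOLD = {"critical": 40, "important": 60, "standard": 100}
FLOOR = {"critical": 650, "important": 550, "standard": 450}


@dataclass
class RatedEntity:
    name: str
    tier: str                          # "critical", "important" or "standard"
    history: List[Tuple[str, int]]     # (ISO date, rating), chronological
    public_compromise: bool = False

    @property
    def current(self) -> int:
        return self.history[-1][1]


def drop_from_peak(history: List[Tuple[str, int]]) -> Tuple[int, str]:
    """Points lost between the highest rating in the history and the latest one."""
    peak_date, peak = max(history, key=lambda h: h[1])
    return peak - history[-1][1], peak_date


def assess(e: RatedEntity) -> List[str]:
    """Plain-language findings for one entity; empty if nothing needs board attention."""
    findings = []
    drop, since = drop_from_peak(e.history)
    if drop >= DROP_THRESHOLD[e.tier]:
        findings.append(f"rating fell {drop} points from its {since} peak")
    if e.current < FLOOR[e.tier]:
        findings.append(
            f"rating {e.current} is below the {e.tier}-tier floor of {FLOOR[e.tier]} "
            f"(about {breach_multiplier(e.current):g}x the breach likelihood of a 700+ rating)"
        )
    if e.public_compromise:
        findings.append("publicly reported compromise; reassess")
    return findings


def executive_summary(vendors: List[RatedEntity]) -> Dict[str, object]:
    """The numbers a vendor panel needs: rating range, worst band, who to reassess and why."""
    ratings = [v.current for v in vendors]
    reassess = {v.name: assess(v) for v in vendors if assess(v)}
    return {
        "range": (min(ratings), max(ratings)),
        "below_400": sum(1 for r in ratings if r < 400),
        "compromised": [v.name for v in vendors if v.public_compromise],
        "reassess": sorted(reassess),
        "findings": reassess,
    }


# Constructed sample data, loosely following the dashboard on the slide.
MY_ORG = RatedEntity("My Organization", "critical",
                     [("2018-03-01", 780), ("2018-05-15", 790), ("2018-07-01", 710)])
VENDORS = [
    RatedEntity("Acme Payroll", "critical",
                [("2018-03-01", 760), ("2018-06-01", 770), ("2018-09-01", 690)],
                public_compromise=True),
    RatedEntity("Contoso Cloud", "important",
                [("2018-03-01", 620), ("2018-09-01", 520)]),
    RatedEntity("Northwind Logistics", "standard",
                [("2018-03-01", 470), ("2018-09-01", 480)]),
    RatedEntity("Fabrikam Print", "standard",
                [("2018-03-01", 760), ("2018-09-01", 760)]),
]

if __name__ == "__main__":
    print("My organization:", assess(MY_ORG) or ["no findings"])
    for key, value in executive_summary(VENDORS).items():
        print(f"{key}: {value}")
```

With the sample data the organization panel reports the eighty-point fall from its May peak, and the vendor panel reports a 480 to 760 range, one compromised vendor and two vendors to reassess. The thresholds are deliberately per tier: a 40-point slide at a payroll processor that holds employee PII deserves board attention, while the same movement at a print vendor does not.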

Page 14


Other Impactful Metrics

Performance Benchmarking

How are we doing in comparison to others in our industry?

Page 15

Vendor Management Workflow — Key Questions

[Workflow: Selection → Onboarding → Assessment → Monitoring → Incident Response → Remediation → Board Reporting → Collaboration]

Key Questions

● Are we evaluating new and existing suppliers for cyber risk exposure?

● Do we have continuous monitoring of critical vendors across key business risks?

● What compliance standards have downstream effects on my suppliers? Is this a part of our assessment process?

Page 16

Are We Evaluating Important Cyber Risk Exposures?

● Active Infections/Incident Response

● Email Security

● Vulnerability Management and Asset Management

● Encryption

● Employee Behavior

● Breaches and Incidents

● External Exposures

Page 17

Security Ratings — Actionable Metric for Board Reporting

BitSight at a glance:

● Founded 2011; headquarters in Boston, MA; global offices in Singapore, Lisbon and Raleigh.

● 450+ employees; experienced leadership team with a record of growing successful companies.

● $150 million+ capital raised from blue chip investors.

The largest, most engaged ecosystem (figures as laid out on the slide): 1,800+ customers worldwide; 25,000+ users; 20,000+ ecosystem comments & tags; 350,000+ rated organizations; 105,000+ pieces of user-generated content; 15M+ domains.

BitSight Security Ratings

• Data-driven rating of security performance.

• Non-intrusive SaaS platform.

• Continuous monitoring.

• Objective, quantitative measurement.

CONFIDENTIAL

Page 18


A Standard Metric

BitSight aims to bring market efficiency to cyber risk interactions through a standard metric.

[Diagram: one standard metric shared by IT/Security, Insurance, Investor/M&A, TPRM, Government/Regulatory and Supply Chain.]

A common metric creates greater market efficiency, fostering broader and more substantive participation in the ratings system.

Page 19

Broad Market Adoption: Global Blue Chip Customer Base

● 4 of the top five investment banks use BitSight for vendor risk management.

● 25% of Fortune 500 companies use BitSight.

● 40+ government agencies, including U.S. and global financial regulators, use BitSight.

● 50% of the world’s cyber insurance premiums are underwritten by BitSight customers.

● 4 of the big four accounting firms use BitSight.

Page 20

Key Takeaways for Board Members

Oversight

● Use new technologies to get an independent, comparable view of cyber security performance to track reputational risk.

● Understand the performance metrics that can help drive decision-making and effective allocation of resources to achieve goals.

Accountability

● Ensure that cyber security roles and responsibilities are clear across the board and management.

● Don’t delegate cyber reputation to a subcommittee; make it a frequent board topic.

Education

● Invest in learning about the cyber risk landscape, the regulatory environment and how this dynamic risk can impact your business.

Page 22

Strong, Validated Correlation to Data Breach

BitSight provides a measurable range of risk and is the only ratings solution with a third-party verified correlation to breaches.*

[Chart: Likelihood of Suffering a Data Breach, relative to organizations rated above 700, by rating band: below 400, 5x; 400-500, 4x; 500-600, 3x; 600-700, 2x.]

● 5x: if the security rating drops below 400, as compared to an organization with a rating of 700 or higher.*

● 3x: if 50 percent of computers run outdated operating system versions.**

● 2x: if the Botnet grade is B or lower,*** or the File Sharing grade is B or lower, or the Open Ports grade is F.

* AIR Worldwide reviewed and approved our data and analyses. ** A Growing Risk Ignored: Critical Updates. *** Beware the Botnets: Botnets correlated to a higher likelihood of a significant breach.

Page 23

Page 24

Third-Party Monitoring Produces Measurable Results at Scale for [customer not named in the transcript]

Goal: monitor the information security disposition of critical third-party service providers.

Actions by BitSight:

● Monitor thousands of third parties.

● Evaluate the risk rating for each provider.

● Determine risk areas for action.

Results: 6x expansion of third-party coverage with the same full-time (FT) employee headcount.

Page 25

Impactful Results From Vendor Collaboration

● Onboarded 496 suppliers and engaged with BitSight Security Ratings as part of this process.*

● 276 suppliers (56%) saw a rating increase.

● Average rating increase across this group: 50 points.

* Suppliers onboarded between May 1 and October 31. Ratings compared between May 1 and December 4.

Page 26

© Assent Compliance 2019

Q&A: Questions?

#Insight19

Page 27

THANK YOU!