Lack of Understanding Is the True Cyber Risk

When it comes to cybersecurity, SEC veteran Christopher Hetner, Special Advisor to the National Association of Corporate Directors for cyber risk, says incidents are inevitable. That's why directors, in fulfilling their oversight role, must focus on preparedness and integration.

CCBJ: You recently joined Marsh’s cyber-risk consulting practice in New York after a long stint at the SEC. Tell us about your career.

Christopher Hetner: I've been in the cybersecurity arena for just over 25 years. I recall taking a computer security course as an undergraduate in which the professor stressed that the “bad guys” are going to shift their efforts from robbing banks using guns to executing code across the bank’s computer networks. This inspired me to focus on protecting complex and interconnected networks early in my career.

I recently joined Marsh as a Managing Director for the Cyber Risk Consulting business after serving as the Senior Cybersecurity Advisor to the United States Securities and Exchange Commission (SEC) Chairman Clayton. While with the SEC, I was also a leading member of the U.S. Treasury Financial Banking Information Infrastructure Committee (FBIIC) where I provided leadership across a range of cybersecurity programs impacting the financial services sector. Not long after I joined Marsh, I was also named the Special Advisor of Cyber Risk for NACD.

I’ve held several leadership positions throughout my career, including EY’s Wealth and Asset Management Cybersecurity practice leader, Global Chief Information Security Officer (CISO) at GE Capital, and Senior Vice President of Information Security at Citigroup.

What was on the top of the SEC’s cyber agenda during your time there?

I served as Senior Cybersecurity Advisor for Chairman Clayton, Chair Mary Jo White, and former Acting Chairman Michael Piwowar. I helped to establish the position and shape the SEC’s cybersecurity agenda. In 2016, we focused on enhancing coordination of cybersecurity policy efforts across federal financial regulators, enhancing the SEC's ability to assess cyber-related market risks, and improving the SEC's cybersecurity posture. These efforts were driven across SEC divisions and offices to manage cybersecurity priorities, strengthen cyber incident response planning and enhance threat intelligence capabilities. 

I also served as SEC senior staff representative to the U.S. Treasury's FBIIC. In this capacity, I provided leadership on enhancing coordination and cooperation among federal financial regulators through, among other things, expanding efforts to harmonize cybersecurity regulations, respond to cyberattacks and enhance market-wide cyber threat assessments. 

A recent NACD survey of public company directors had some interesting findings about their attitudes towards cybersecurity that suggest a better understanding of cyber risk and a more upbeat attitude about their ability to provide effective oversight. Does this align with your perceptions, or is it possible higher quality reporting from management is lulling directors into a false sense of security?

Cyber threats evolve at an extreme pace. I describe an average public company director’s understanding of cybersecurity as “headline cyber risk.” It’s based on the information that you can gather from the front page of The Wall Street Journal or Financial Times. Directors appear to be aware of notable breaches, but do not fully understand the cyber risk implications of integrating technology into critical business processes. This requires directors and senior management to understand how these threats will manifest across their enterprise and ensure appropriate levels of protection are applied with a regular cadence.

The effectiveness of the board’s cyber-risk oversight is coming under increasing scrutiny. Board members can no longer just write a check for cybersecurity without fully examining what measures are being taken. To do so, boards must adopt a quantitative approach to derive a comprehensive understanding of their company's cyber-risk profile.

Cyber-risk profiles will vary by industry and geography. A regional retailer will have a different cyber-risk profile compared to a global manufacturer operating across 30 countries. Therefore, individual boards should factor the intersection of technology and risks with their business when making determinations around their investment and oversight of cybersecurity. It is the board’s responsibility to effectively and independently diagnose a company’s cyber-risk profile. If they are not comfortable with management’s reporting of cyber risk, then they need to hire an outside advisor to supplement the expertise.

Many boards, skittish about the technical aspects of cyber, have in-sourced the cyber-risk function to their IT people. With NACD, you’ll be getting in the boardroom and doing hands-on training. What does that do to improve directors’ effectiveness?

There will be a degree of Cybersecurity 101 training that demystifies cyber and eliminates some of the uncertainties and ambiguity. As a former CISO, I will walk them through the construct and inner workings of a cybersecurity program.

The NACD will shape the training around the SEC’s 2018 Interpretative Guidance on Cybersecurity focused on five main areas:

  1. Pre-incident disclosure, calling for transparency around the identification, quantification and management of cyber risk.
  2. Board oversight and the clear expectation that the board is expected to understand, quantify and oversee cyber risk beyond a one- or two-hour session with the CISO.
  3. Incident disclosure and determining what is material, what's not and how that’s disclosed.
  4. The controls and procedures around your enterprise risk management process.
  5. The insider trading element.

It’s important to sensitize directors to the SEC’s heightened expectations, prepare them for disclosure and work through cyber preparedness and crisis management.

Inevitably, there’s going to be an event. How do we prepare? How do you develop those cyber muscles? What procedures are you going to deploy when the inevitable occurs?

The Global Risk Report from the World Economic Forum discusses how dynamic and difficult cyber risk is to manage. It's constantly morphing, changing targets, and challenging expectations and assumptions. What’s your take on the evolution of cyber risk, not just where we are today, but what boards can expect tomorrow?

The prevalence of advanced and integrated technology, without mandated security safeguards, will result in an exponential expansion of a company’s attack surface. Whether it's an industrial manufacturing machine with an IP address or an automobile connected to the internet, if you're sitting on a board and overseeing your company’s cyber-risk profile, you have to factor the deployment of these insecure technologies into your core business strategy.

I've sharpened my focus on business disruption and recovery tactics because the increased introductions of these technologies make a cyberattack an inevitable reality.

Cyber-risk calculus is directly correlated to the company’s unique business profile. For example, Company A and Company B are both pharmaceutical companies, but have different risk profiles. The pharmaceutical industry maintains a wide range of costs, including intellectual property related to drug formulation. Company A has five drugs in the pipeline and expects to expand its market share by 40 percent if one of its drugs successfully enters the market. Company B is focused on a single drug that will grow its market share by 30 percent. Company B, which only has one drug in its pipeline, represents a higher cyber-risk profile if a cyberbreach exposes its drug formulation.

My calculus as a member of Company A’s board would be very different than a member of Company B’s board. You have to step back, understand the projected impact and prepare for the worst-case scenario.

There's call for more regulation of cyber today. As governments try to hold businesses accountable, especially tech companies, directors may find themselves in a difficult position. Part of their task as directors is to be strategic business advisors and help companies grow their businesses. But they also have to deal with a rising risk profile in the process. That's a tricky balance. How can directors best manage that?

Effectively managing cyber risk as a board member is a matter of applying continuous risk management practices that are in place for other organizational risks to the organization’s cyber-risk profile. You have to understand the exposure, measure the exposure and manage to that exposure.

Regulation is not going to slow down. If I'm a board member, I'd want to understand the regulatory landscape and how it applies to my industry and lines of business. I’d ask management how we can streamline our regulatory regime to ensure that we have a unified cybersecurity program while meeting local requirements.

If you were a corporate director, what one step would you take tomorrow to meaningfully improve your board's oversight of cyber risk?

I would conduct a comprehensive review across the cybersecurity program, look at the governance structure and where cyber sits organizationally, and examine the cyber-risk management practices and their integration into the business. I’d ask questions such as:

  • Are you mapping the program to the NIST Cybersecurity Framework?
  • Is there a quantitative review to truly understand your cyber exposure?
  • What and where are the most sensitive assets susceptible to a cyberattack?
  • To what extent do you have insurance?
  • Is there inherent or residual risk that's not being addressed?
  • How is the cybersecurity budget being spent?
  • Are the appropriate controls applied?
  • Is there ongoing review and engagement with the cybersecurity organization, the CIO and other players?
  • Do we have a crisis management plan? Is cyber integrated?

I would also ensure that I understood how cyber permeates the fabric of the company by having a collective discussion with the CISO and other senior executives. We want to ensure there are integrated security processes within the lines of business. Lastly, I'd ensure we have a relentless cyber planning and exercise strategy that is supported by continuous threat monitoring.

When you hear about new technologies, such as advanced artificial intelligence, do you think of it differently? Most of us think about how it can help our organizations. We don't necessarily think about the cyber-risk downside.

Technology's great. It's evolving and advancing society, but there are safeguards that must be applied as advanced technologies permeate the fabric of society and industry. This is why security must be applied as an integrated approach.