Episode 3: Incidents
In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Next I moved on to cyber risks in Episode 2 and the idea of a Remediation Agility chart to guide a wide-ranging Board room discussion with a single visual. The next area that deserves a permanent spot on the Board agenda is incidents.
Incident awareness at the Board level is a top concern in light of high profile incidents that have called oversight practices into question. Directors need to be made aware of brewing incidents early enough to exercise their fiduciary - and now regulatory - obligations around strategic oversight and disclosure requirements. While specific regulations and regional privacy mandates have spelled out overlapping requirements on making agencies, customers, or the public aware of incidents for some time, the recent finalization of an SEC rule on Cybersecurity Incident Disclosure (among other topics) codifies legal requirements on US-listed public companies in disclosing material incidents.
At the same time, Boards cannot afford to review every trivial incident in detail, and the SEC has previously made it clear they desire to "discourage... the disclosure of information that is not material" to ease investor burden. Boards clearly need to strike a balance, and ensuring they are brought to bear on the right incidents at the right times requires clear exercised procedures and standardized language.
Director Question: How do our processes ensure the Board is made aware of potentially material cyber incidents?
Good Answer: The Board is part of our cyber incident escalation processes via the Risk Committee. Per our documented processes, any incident that has the prospect of materiality passes through an escalation waterfall that provides quarterly awareness for lower severity items and immediate awareness for more severe issues.
Establishing such procedures should begin by thinking about what we are trying to accomplish via incident escalation. Starting with the obvious, this area should provide a framework to alert the Board to "the big one" - a serious incident that may trigger a disclosure requirement. But that's a pretty high bar. Even at the most unfortunate company, incidents meeting the materiality threshold are rare, warrant immediate Board engagement (outside a quarterly schedule), and will likely engage a wider audience of Directors than just the risk or audit committee. While it's a good idea to use quarterly committee meetings to memorialize awareness and follow-up activity for major incidents, your quarterly meetings are more likely to discuss the usual cadence of less catastrophic issues.
Director Question: Do the materials presented to our quarterly committee overseeing cyber include a standing incident recap at the right level?
Good Answer: The cyber component of the quarterly risk committee deck has an incident section where, in addition to trailing year trends by severity, specific incidents at one level below materiality are shared for awareness.
A primary goal of that discussion should be to ensure agreement and awareness on the incident scoring rubric. The rubric should be an extract of the cybersecurity incident response plan that defines severity levels. Without that in hand, a Director reviewing a chart of 10 incidents or 1000 incidents has no context of whether the information being communicated is alarming or unremarkable. Likewise, without a written description of thresholds and triggers that make Board reporting, a Director has no idea of what incidents they are missing, and management does not have a clear commitment to escalate certain incidents.
Example Incident Rubric
A good rubric should enable a reader to take a hypothetical incident and determine how it would be rated with strong confidence. An example rubric diagram is visualized below:
While there is no universally-agreed cyber incident rubric in the industry today, the model portrayed above - 5 levels with the lowest number corresponding to the most severe incident - is the most common model I regularly see. In this model, Severity 1 is "the big one" while Severity 5 is the final resting place for false alerts and the staging ground for candidate issues needing review.
While any numbering system can work, the elements woven into a mature system will include the following:
SEC requirements around materiality provide a long-needed differentiator for the highest severity level. Baking this right into the severity matrix ensures the top level of attention and immediacy is employed.
Existing non-cyber incident management processes are likely to tie severity to impact. This long-established doctrine governs how outages and SLA violations are tracked and escalated. The adversarial difference with cyber incidents, however, is intent. Even when an attempt is unsuccessful and there is no impact, the presence of a motivated adversary actively trying to compromise your defenses is a piece of intelligence worth escalating for broad context. In the model above, the "targeted malicious intent" criterion alone can elevate an incident to severity 3, and its presence combined with impact together equate to an immediate Severity 2 report.
- De Minimis versus Immediate Reporting
Your severity matrix should spell out the level at which incidents make the next risk committee agenda versus the level where the risk committee chair is woken at 2am. Establish this criteria early, challenge it regularly, and monitor practice for adherence to it. In the model above, Severity 3 incidents may be communicated in a standing quarterly committee, while Severity 2 items will warrant that immediate phone call.
Imagine distribution lists for regular updates tied to each severity level. A security operations team may be alerted on each Severity 4 and above incident. Severity 3 may add the CISO in addition to key cyber leaders. Moving to Severity 2 is likely to bring in cross-functional leadership, while Severity 1 is likely to alert the CEO and the corporate crisis management team. Directors are unlikely to be included in automated email-based alerting from internal systems. Directors can be briefed by senior leadership. In addition to avoiding potential security concerns about transmitting incident details via external email, this also permits the insertion of management discretion.
Director Question: How do we set incident severities, and at what severity level is the Board notified?
Good Answer: As part of our Director education on cyber and as an appendix in quarterly reports you will see our severity level definitions, example incidents for each, and clear definitions of which severities trigger immediate or quarterly Board notification.
At the low end, phishing attempts are usually within the top 3 sources of potential incident data by volume. After going through repeated awareness training, employees are likely to report unsolicited commercial email, newsletters, and promotions as potential phishing. As the security team confirms such reports are false positives, they will be closed as Severity 5.
If, however, a message is determined to truly be a phishing attempt, it elevates to Severity 4 by nature of being "unauthorized activity". If it is an opportunistic blanket email likely sent to a wide range of email address across the world, and nobody has fallen trap to it, it will be finalized at that Severity. It is worthwhile to distinguish such attempts from Severity 5, however, as team procedures will ensure Severity 4 reports are checked for similar attempts to other recipients and that preventative controls are verified to block whatever malicious links or attachments may have been attempted in the email.
If a phishing email actually has some sort of impact - an employee clicked the link and was infected with malware, for example, it raises to a Severity 3. But that's not the only path to this level. Targeted malicious intent even without impact can also get you here. As an example, imagine a message targeting a privileged engineer employing a pretext based on careful research. Such a message may reference products or technology from the engineer's LinkedIn page or reference a company initiative from a recent press release. This display of concerted effort, investment in research, and targeting warrants awareness and review beyond a simple mass phishing attempt. The security team is likely to collaborate with industry peers to determine the next likely steps from this adversary and prepare defenses in advance. Further, the socialization of such an attempt through internal governance will ensure that cross-functional leadership are on the lookout for signs of related activity and likely to brief their teams on the threat landscape.
Supposing that our concerted adversary was successful, and established any sort of unauthorized access such as remote control of a victim PC, we now have the condition required for a Severity 2 incident. Someone capable and motivated is after you, and they have breached the perimeter. This is exactly the sort of thing that warrants high-level escalation, and hopefully it is infrequent enough to not be overwhelming.
Finally, if our hypothetical incident then leads to business disruption, extortion, data theft, or a similar Threat Objective manifesting, we have the potential for a material impact and Severity 1 escalation.
The SEC definition of materiality puts a good bookend on the continuum of severity likely to be viewed by the cybersecurity team. Privacy, however, can easily be overlooked by incident responders looking for advanced adversaries. The disclosure of customer email addresses, for example, might seem trivial to cyber experts safeguarding payment information, critical infrastructure, or material corporate action data. Similarly, it might feel inappropriate to alert a Board to such a small event. That same data may trigger notification requirements under privacy regulations such as the EU GDPR quite easily, however. As privacy regulations become more nuanced and differ country by country and state by state, corporate counsel need to be engaged any time there is the prospect of unauthorized access to data so they can make an assessment on requirements under varying law. This is a unique aspect that doesn't tie well to a specific severity level, so it makes sense to have a flag for potential data disclosure that even the most junior analyst can engage to ensure a Data Protection Officer or equivalent can be given the opportunity to assess the situation.
Director Question: What are some examples of lower severity incidents involving privacy?
Good Answer: Our team can easily report on examples where the Data Privacy Officer was engaged to make a determination on privacy reporting thresholds despite the incident not otherwise warranting an elevated severity.
Any incident management program should be tied to regular "table top exercises" (TTX) and management should regularly test the escalation protocols and decision making processes in procedural guides. Third-parties can facilitate these exercises with realistic situation manuals, timed release of scenario information, and the injection of plausible new data as an exercise progresses. It is essential to simulate the level of candor that would be present in a real incident, however. If this means your organization needs to conduct an exercise without any outsiders present, be sensitive to that. If the CEO and CFO are not arguing loudly about whether or not you would actually halt your stock during a Severity 1 incident, you have not established the level of realism you need to rehearse. Likewise, if they are not in attendance at all, you might be conducting a tickbox exercise without much practical value. But what about Board Directors? There are competing schools of thought on Director participation in TTX exercises. At a minimum, it makes sense to "train how you fight" and call an unsuspecting Risk Committee Chair at the point in the exercise where an incident rises to Severity 2. "Hi Janet. This is Bob. First off, you should know we are conducting an exercise here, and everything is fine. Apologies if you were alarmed. Now that you have a minute, here is what is going on. We are simulating an cyber event. If this were real, this is the point where Bob or I would phone you up. This is the detail we would provide. What questions would you have? Would you expect any other actions at this point? Noted - you would not see any need to convene the Risk Committee at this point but would send an email to the other 4 members. Got it. Ok great - thanks. I've noted that and may call again if the simulation escalates."
That can be a 15-minute call, and would be a realistic simulation of Director engagement in a Severity 2 incident. If the incident escalates, and the Risk Committee Chair would spin up a conference call with the Committee members, communication with customers, regulators, or the public would need approval, the payment of an extortion payment would have to be considered, or other strategic decisions were needed, it is possible that the full Board would be assembled. While availability could be scheduled in advance of an exercise, these scenarios do not have the Board engaged until the corresponding moments where they might be in a live scenario.
A competing school of thought, however, would have Directors sitting in on an entire multi-hour exercise.
Both approaches have their place. The former approach - with phased-in Director engagement - is a more accurate simulation of a true incident and more likely to tease out lessons learned about communication and escalation protocols. The latter scenario, however, can be useful for broad Board cyber education and awareness. The presence of Directors in an exercise, however, will absolutely change the tenor in the room and not allow you to simulate the candor - or even rancor - of an actual incident war room. You may choose one or both approaches in concert, but be aware of the pros and cons.
Director Question: How can we be involved in exercising how an actual cyber incident would play out?
Good Answer: We just phoned Janet last quarter while running a simulation, in which case that scenario ended with a brief convocation of the Risk Committee. Next year we are planning a higher severity simulation where the broader Board may be involved.
Establishing clarity around severity thresholds that maps to escalation and the fulfillment of disclosure obligations may seem obvious, but can be challenging in a large enterprise environment where stakeholders are driven to chase plausible deniability and vague procedures that leave much up to interpretation. Establish and regularly socialize clear incident definitions and escalation procedures early, exercise them regularly, and gain assurance that your organization will know the steps to take in an actual crisis.
Stay tuned for episode 4, where we will talk about compliance.