Reporting cybersecurity to boards
Cyberattacks rank as a top risk to organisations, both in terms of likelihood and overall
impact, in the 2018 Global Risks Report by the World Economic Forum. In the modern world,
virtually all levels of organisational activity have technology implications, and the potential
damage from a cyberattack or data breach can be significant. It is important that boards
receive comprehensive reporting from management about cyber risks and incidents, and
actions taken to address them. However, many New Zealand directors say they are not getting
sufficient information.*
Improving cybersecurity reporting
To help improve cybersecurity, we have set out:
• guiding principles on reporting to boards
• questions to ask in developing metrics
• sample dashboards.
This resource should be read in conjunction with the IoD’s Cyber-Risk Practice Guide.

Data breaches and privacy
The growth of the internet and the digital economy, as well as the emergence of new technologies, have changed the way organisations operate and how personal information is used.
Data breaches are on the rise and increasingly making headlines, especially where private information of customers or stakeholders is exposed. Global trends show that many jurisdictions including the United States, the European Union, Canada, Australia, and New Zealand have enacted (or are about to) some form of mandatory privacy breach notification law.

Oversight and monitoring of cybersecurity
Cybersecurity is all about security in the cyber realm, including of information and IT systems. Cyber risk is like any other business risk, and requires board level attention and responsibility. Given this, it is critical that boards include time on the agenda to discuss their approach to cybersecurity, and constantly assess and reassess their capacity to address cybersecurity threats.
As part of the board’s oversight and monitoring role, it is responsible for holding management to account in establishing a fully integrated organisational approach to cybersecurity (e.g. having appropriate policies, processes and procedures in place). To provide effective oversight, boards need to see high-level, holistic reporting on cyber risks and the state of their organisation’s cybersecurity programme.
*Only 47% of directors in the IoD’s 2018 Director Sentiment Survey said they received comprehensive cybersecurity reports.
Reporting to the board
It is important that reporting is tailored to the organisation and the needs of the board. There is no one-size-fits-all approach. Cybersecurity reporting should start with the greatest business risk due to cyber risk.
Some organisations will have relevant reporting and others will only just be starting their journey to developing comprehensive cybersecurity reports. Boards and management need to consider the format and frequency of reporting, and consider what information and detail is most valuable in maximising the effectiveness of board oversight in this area. Organisations may find it useful to start by reporting on a small number of the most significant and relevant cybersecurity metrics (often the highest rated cybersecurity risks and associated controls) and increasing these over time. Reporting to the board on cybersecurity has similar principles to reporting on other areas of an organisation such as health and safety and financial reporting.

Guiding principles for board reports
Relevant: Relevant to the audience (full board; key committee)
Reader-friendly: Use summaries, callouts, graphics, and other visuals; avoid technical jargon
Meaningful: Communicate insights, not just information. Highlight changes, trends, patterns over time
Concise: Avoid information overload
Discussion: Reports should also enable dialogue and debate
Continuous improvement: Review the format and content regularly.

Key questions to help identify and develop cybersecurity metrics

What metrics do we have that indicate risk to the organisation?
Boards need to know that the organisation’s critical assets are being protected.

What cybersecurity investments are necessary?
Organisations need to understand their current and future cybersecurity needs before they decide what investments will drive down risk. Useful questions include:
• What initiatives were not funded in this year’s budget and why?
• What trade-offs were made?
• Do we have the right resources, including staff and systems, and are they being deployed effectively?

How do we measure the effectiveness of our organisation’s cybersecurity programme and how does it compare to those of other organisations?
Board-level metrics should highlight changes, trends and patterns over time, show relative performance, and indicate impact. External cybersecurity specialists may be able to provide useful comparisons within industry sectors.

How many data incidents (e.g. exposed sensitive data) has the organisation experienced in the last reporting period?
This metric will inform conversations about trends, patterns and root causes.

How do we assess the cyber-risk position of our suppliers, vendors, JV partners and customers?
Supply chain relationships typically pose increased risk for organisations given the degree of system interconnectivity and data-sharing that is now part of everyday business operations. Useful questions include:
• How do we conduct ongoing monitoring of third party risks?
• How many external vendors connect to our network or receive sensitive data from us?

What metrics do we use to evaluate cybersecurity awareness across the organisation?
People are often the biggest cybersecurity threat for many organisations. Data about policy compliance, and the implementation and completion of training programmes, will help inform conversations about insider risks.
The following two examples of cybersecurity dashboards are for fictitious organisations and are not intended to be used as templates. They include common cybersecurity issues and topics, and are intended to inform and inspire improvements in reporting to boards.
Example 1 – Cybersecurity dashboard
Example 1 is a large New Zealand organisation (over 300 staff) providing professional services.
In order to understand their cybersecurity risks, the organisation undertook a cybersecurity risk
assessment. The following major findings were made:
• The organisation has no security policy. This needs to be put in place so that the organisation can ensure that staff are clear on expectations around data handling and protection, as well as a range of other security requirements.
• There is no security-related training in place for staff. As staff accessing malicious or phishing emails is the main type of attack in New Zealand, awareness education must be put in place.
• There is no regular security assessment of the business assets, meaning that these may be vulnerable to attack. A regular programme needs to be put in place.
• The organisation’s main client database has been attacked in the past, and client information downloaded. This is a key risk, and needs attention to ensure that a breach like this is far less likely to happen in the future.
All cybersecurity-related risks (these and others) have been added to the organisation’s risk register, where they can be reviewed in full. This dashboard pulls out some of the main risks for this organisation.
Current cybersecurity risk status
Key risk | Description | Risk level
Business continuity planning | Current business continuity planning does not include recovery from any form of cyberattack (including phishing, ransomware, etc.) | M
Access management | Most organisational data has recently been placed with a cloud-based service. Access to this data needs to be further categorised and restricted to prevent the risk of accidental transmission | L
Policy | The current lack of a security policy leaves the business open to a wide range of attacks as there is no single approach to inform procedures and staff training | H
Information protection | The client database is still at risk until a number of security fixes have been implemented | H
IT risk management | Lack of a regular security review programme will lead to unknown risks being exploited | M
Physical security management | Physical access via two improperly secured building entrances could allow for access to the rest of the head office, exposing the server room to risk | L
Security awareness | Staff need to be adequately trained in security awareness to help prevent attacks such as phishing | H
Third party security management | Three of the existing third party contracts have omissions that expose the business to unnecessary risk. These are currently being amended. | L
Trend legend (shown as an icon against each risk): trend increasing / no change / trend decreasing
Emerging risks, threats or vulnerabilities
The following information is supplied by CERT NZ*, and notes particular cybersecurity trends in the professional services sector. This information, along with information shared between our organisation and other organisations in our sector, informs the commentary given below.

Incidents reported by type (reporting for specific sectors: the professional, scientific, technical, administrative and support services sectors)
Scams & fraud: 139
Phishing and credential harvesting: 126
Unauthorised access: 36
Malware: 29
Reported vulnerability: 15
Ransomware: 15

Impacts for our organisation
The latest CERT NZ quarterly report points to the increase in both scams and fraud, as well as phishing and credential harvesting. In discussions with others in the sector, there has been a significant increase in fraud, with several other entities, as well as our own, having made authorised payments to clients that have turned out to be fraudulent requests. This could ultimately have an impact on insurance premiums for the sector, and decrease levels of client trust for the execution of these types of requests.
Reports continue to focus on unauthorised access to both internal and client information. Several internal incidents have been due to incorrect staff access rights being applied, and there have been some external, malicious attacks attempting to access data. In conversations with other similar organisations, this risk is highlighted and a number of organisations are working to refine and implement proper access control to files.

*CERT NZ receives cybersecurity reports from government, businesses and individuals. They also provide quarterly updates on what they have seen in the threat landscape of New Zealand. To find out more, visit www.cert.govt.nz.

Incidents
In the past month, there has only been one significant security incident.
Type of incident: Unauthorised information disclosure
Status: Resolved
Description: A staff member working with information on four clients accidentally sent one of the clients the information for all four.
Discovery: The client emailed the staff member to let them know they had received the incorrect information.
Resolution: The client has confirmed and provided evidence that the three files containing other client data have been deleted. All affected clients have been informed and apologies issued. One client has decided to not continue to work with our organisation.

Incident type | Time to discover | Time to resolve | Quantifiable cost | Unquantifiable cost
Phishing and credential harvesting | 3 days | 5 hours | $5,000 | Potential brand damage etc.
Unauthorised access | unknown | - | - | -
Reported vulnerability | - | - | - | -
Scams & fraud | - | - | - | -
Malware | - | - | - | -
Ransomware | - | - | - | -
Other | - | - | - | -

Summary of learning opportunities from our successes and failures
A review is currently underway to determine how information is communicated to clients, and to ensure that the system will alert staff if they are sending out more than one client file at a time, or a spreadsheet with multiple sheets of data.

Compliance
Over the past year we have decided to become ISO27001 compliant to meet international client requirements.
Areas still to be completed for ISO27001 compliance to be met:
• Development of security policy
• Completion of BCP to include cybersecurity incidents
• Compliant access management plan
• Annual staff training

New privacy legislation
Update on the Privacy Bill. This was tabled in Parliament in Q2 2018 and includes a proposal for mandatory data breach notification to the Privacy Commissioner and affected individuals for certain breaches. We are reviewing our processes and procedures to ensure we are compliant.

Summary of key insights
• Information protection and security awareness weaknesses could have a significant impact on our organisation’s security, and these issues need to be resolved as soon as possible.
• Fraudulent activities are a key security threat in our sector.
• An unauthorised information disclosure incident has cost the organisation $5,000.
• There are four key tasks left to complete to achieve our ISO27001 compliance.
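The incident panel in Example 1 reports, per incident type, the time to discover, the time to resolve and the quantifiable cost. As an added illustration written for this page (not part of the IoD resource or its example dashboards), the following Python script derives those figures from an incident register so the board sees consistent numbers rather than hand-typed ones. The incident records, timestamps, costs and notes are constructed sample data; the rule of reporting durations in days from 24 hours upward and in hours below that is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Incident:
    ref: str
    category: str                 # incident type as reported to the board
    occurred: datetime            # when the event actually happened
    discovered: datetime          # when the organisation became aware of it
    resolved: Optional[datetime]  # None while the incident is still open
    cost_nzd: Optional[float]     # quantifiable cost, None until known
    unquantified: str = ""        # free-text unquantifiable impact


# Constructed sample incident register for a fictitious organisation. The
# references, timestamps, costs and notes are made up for this example; only
# the category names follow the dashboard's incident types.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", "Unauthorised information disclosure",
             datetime(2018, 9, 3, 10, 0), datetime(2018, 9, 6, 10, 0),
             datetime(2018, 9, 6, 15, 0), 5000.0, "Potential brand damage"),
    Incident("INC-002", "Phishing and credential harvesting",
             datetime(2018, 9, 10, 8, 0), datetime(2018, 9, 10, 9, 30),
             datetime(2018, 9, 11, 9, 30), 1200.0),
    Incident("INC-003", "Phishing and credential harvesting",
             datetime(2018, 9, 20, 13, 0), datetime(2018, 9, 21, 13, 0),
             None, None, "Still under investigation"),
]


def fmt_duration(td: timedelta) -> str:
    """Render a duration the way the dashboard does: days from 24 hours up, else hours."""
    hours = td.total_seconds() / 3600
    if hours >= 24:
        days = hours / 24
        return f"{days:g} day{'s' if days != 1 else ''}"
    return f"{hours:g} hour{'s' if hours != 1 else ''}"


def summarise(incidents: List[Incident], period_start: datetime,
              period_end: datetime) -> Dict[str, dict]:
    """Aggregate incidents discovered within [period_start, period_end) by category.

    Per category: count, number still open, mean time to discover (discovered
    minus occurred), mean time to resolve (resolved minus discovered, over
    resolved incidents only; None if none resolved), summed known cost (None if
    no cost is known yet) and the concatenated unquantifiable impacts.
    """
    groups: Dict[str, List[Incident]] = defaultdict(list)
    for inc in incidents:
        if period_start <= inc.discovered < period_end:
            groups[inc.category].append(inc)
    summary: Dict[str, dict] = {}
    for cat, incs in groups.items():
        discover = [i.discovered - i.occurred for i in incs]
        resolve = [i.resolved - i.discovered for i in incs if i.resolved is not None]
        costs = [i.cost_nzd for i in incs if i.cost_nzd is not None]
        summary[cat] = {
            "count": len(incs),
            "open": sum(1 for i in incs if i.resolved is None),
            "mean_discover": sum(discover, timedelta()) / len(discover),
            "mean_resolve": sum(resolve, timedelta()) / len(resolve) if resolve else None,
            "cost": sum(costs) if costs else None,
            "unquantified": "; ".join(i.unquantified for i in incs if i.unquantified),
        }
    return summary


def render(summary: Dict[str, dict]) -> str:
    """Plain-text rows for the incident panel, most frequent category first."""
    lines = ["Type of incident | Count | Open | Time to discover | Time to resolve | "
             "Quantifiable cost | Unquantifiable cost"]
    for cat, s in sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        resolve = fmt_duration(s["mean_resolve"]) if s["mean_resolve"] is not None else "unknown"
        cost = f"${s['cost']:,.0f}" if s["cost"] is not None else "unknown"
        lines.append(f"{cat} | {s['count']} | {s['open']} | {fmt_duration(s['mean_discover'])} | "
                     f"{resolve} | {cost} | {s['unquantified'] or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_INCIDENTS, datetime(2018, 9, 1), datetime(2018, 10, 1))))
```

Keeping "unknown" as an explicit value for categories where no incident has been resolved or costed, rather than defaulting to zero, matches the dashboard's own practice and stops an open incident from quietly improving the period's averages.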
Example 2 – Cybersecurity dashboard
This is a large organisation in the medical sector (about 500 staff). The organisation underwent a
risk assessment two years ago, and has been implementing the recommended changes since then.
The main purpose of this report to the board is to show the maintenance of the current status,
the completion of the remaining projects to get the organisation to their desired level of security,
and preparation for any potential attacks.
Top 5 security risks
R1. Risk of attack through email (phishing or fraud) leading to leak of customer data or incorrect payment of funds.
R2. Risk of physical access to sensitive information as staff computers and physical files are accessible in all branches, linking back to the central customer database.
R3. A lack of agreed standard operating procedures for staff (including implementation of the security policy) means there is an increased risk of staff operating in an insecure manner.
R4. There is a risk that the business is exposed to a security risk from third party suppliers, as the security requirements of suppliers have not been adequately covered in a number of contracts.
R5. As there is no agreed plan in place for dealing with a security breach or malicious attack, there is a risk that damage to the business could be more extensive than necessary.
[Chart: risk matrix plotting R1 to R5 by likelihood (vertical axis, 1 to 6) against impact (horizontal axis, 1 to 6), shaded from critical risk to low risk.]
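Example 2 plots each of its top 5 risks by likelihood and impact on a 1 to 6 grid, and Example 1 attaches a trend indicator to each risk. The script below is an added example written for this page, not code from the IoD or Aura; it builds both views from a small risk register: it rejects scores outside the grid, bands the likelihood x impact product into critical/high/medium/low, derives the trend from the previous period's score, picks the top 5, and lays the risks out on a text heat map. The register entries, their coordinates, previous scores and the band thresholds are constructed assumptions; only the R1 to R5 titles echo the dashboard.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE = 6  # both axes run 1..6, as on the dashboard's likelihood/impact grid

# Banding of the likelihood x impact product (1..36) into the dashboard's
# "critical ... low" scale. Assumed thresholds for this example; an
# organisation sets its own in its risk framework.
BANDS: List[Tuple[int, str]] = [(25, "Critical"), (15, "High"), (8, "Medium"), (0, "Low")]


@dataclass
class Risk:
    ref: str
    title: str
    likelihood: int                   # 1 = rare ... 6 = almost certain
    impact: int                       # 1 = negligible ... 6 = severe
    prev_score: Optional[int] = None  # last period's score; None for a new risk


# Constructed sample register: the titles echo R1-R5 from the dashboard, but
# the coordinates and previous scores are made up, not read from the chart.
REGISTER: List[Risk] = [
    Risk("R1", "Attack through email (phishing or fraud)", 5, 5, prev_score=20),
    Risk("R2", "Physical access to sensitive information in branches", 3, 4, prev_score=12),
    Risk("R3", "No agreed standard operating procedures for staff", 2, 3, prev_score=9),
    Risk("R4", "Supplier contracts lack security requirements", 4, 4),
    Risk("R5", "No agreed plan for handling a breach or attack", 4, 6, prev_score=24),
    Risk("R6", "Out-of-date visitor sign-in process", 1, 2, prev_score=2),
]


def validate(risk: Risk) -> None:
    """Reject scores outside the grid so a typo cannot silently drop a risk off the map."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= SCALE:
            raise ValueError(f"{risk.ref}: {name} must be between 1 and {SCALE}, got {value}")


def score(risk: Risk) -> int:
    return risk.likelihood * risk.impact


def band(s: int) -> str:
    for threshold, label in BANDS:
        if s >= threshold:
            return label
    return BANDS[-1][1]


def trend(risk: Risk) -> str:
    """Trend indicator of the kind the Example 1 dashboard legend shows."""
    if risk.prev_score is None:
        return "new"
    current = score(risk)
    if current > risk.prev_score:
        return "increasing"
    if current < risk.prev_score:
        return "decreasing"
    return "no change"


def top_risks(register: List[Risk], n: int = 5) -> List[Risk]:
    """Highest-scoring risks first; ties broken by reference so the output is stable."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: (-score(r), r.ref))[:n]


def place(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Map each (likelihood, impact) cell to the risk references sitting in it."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        validate(r)
        cells.setdefault((r.likelihood, r.impact), []).append(r.ref)
    return cells


def render_matrix(register: List[Risk]) -> str:
    """Text heat map: likelihood 6..1 down the side, impact 1..6 along the bottom."""
    cells = place(register)
    width = max([4] + [len(" ".join(v)) for v in cells.values()])
    lines = ["LIKELIHOOD"]
    for lk in range(SCALE, 0, -1):
        row = [" ".join(cells.get((lk, im), [])).ljust(width) for im in range(1, SCALE + 1)]
        lines.append(f"{lk} | " + " | ".join(row))
    lines.append("    " + "   ".join(str(im).ljust(width) for im in range(1, SCALE + 1)))
    lines.append("    IMPACT")
    return "\n".join(lines)


def render_table(register: List[Risk]) -> List[str]:
    """Rows for the 'top 5 security risks' panel: ref | score | band | trend | title."""
    return [f"{r.ref} | {score(r):2d} | {band(score(r))} | {trend(r)} | {r.title}"
            for r in top_risks(register)]


if __name__ == "__main__":
    print(render_matrix(REGISTER))
    print()
    print("\n".join(render_table(REGISTER)))
```

Because the band and the trend are computed from the same stored scores, the two dashboards cannot drift apart between reporting periods; a risk whose score crosses a band boundary shows up as both a colour change on the map and a trend arrow in the table.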
Emerging risks, threats or vulnerabilities
Reporting for specific sectors: healthcare and social services
[Chart: incidents reported by type for the sector, listing unauthorised access, phishing and credential harvesting, malware, ransomware, reported vulnerability, scams & fraud, and other.]
Impacts for our organisation
There has been increased interest by attackers in the medical sector in New Zealand. Some major and sustained attacks on DHBs have been recently reported, and we see a similar pattern in other, smaller medical facilities. Hackers are known to prize medical data for resale on the dark web, and this, along with the increased activity, puts most organisations holding medical data at risk. There is a need to review traffic logs and look for the types of attacks affecting the organisation, as these may be an indicator of whether this organisation is being targeted.
Key projects
The organisation is addressing the 20 most urgent IT issues from its security assessment. Most of the items are
now in the testing phase and it is anticipated that work will be complete by the end of Q3 2019.
Risk level | Number of issues | Issues complete | Issues WIP | Issues not being addressed this year
High | 2 | 2 | 0 | 0
Medium | 8 | 2 | 5 | 1
Low | 18 | 0 | 11 | 7
Total | 28 | 4 | 16 | 8
Implementation of projects
A number of projects were set up after our initial security assessment two years ago. Annual assessments have
determined which projects have been successfully implemented, which projects still needed to be completed, and
identified new risks that needed to be addressed. These are the top 5 security-related projects currently underway.
Project | Completion due | On track | Notes
Roll out of 2-factor authentication across the business | Q3, 2018 | Running to schedule | No issues
Reconfiguration of building access and layout to ensure physical security | Q1, 2019 | Design work underway; to be approved before building started | May need additional permissions from landlord for some of the changes
Upgrade of staff computer operating system | Q3, 2019 | New OS selected, costings underway | No issues
Re-signing of all third-party supplier contracts to include security responsibilities | Q3, 2018 | Two re-signed, one underway | May need to change supplier if unable to re-sign
Appointment of a Security Officer to the Risk and Assurance team | Q2, 2019 | Role has been approved and budgeted for. Advertising underway | No issues
Ongoing maintenance activities
Area | Activity | Status
People | Awareness training | % of staff completed training: 78%
Technology | Upgrade of organisation wide operating system | Date for cutover to Windows 365: 28/10/2018
Cyber-insurance
We are reviewing our cyber insurance arrangements, in part to ensure that we have clarity about what they will and will not cover (and in what circumstances). Some areas that we are considering include:
• Payment of ransom for ransomware attacks
• Loss and restoration of customer data
• Recovery to restore system, cover legal costs and cover media costs in the event of a breach.
The Institute of Directors in New Zealand connects, equips and inspires its
more than 9000 members, to add value across New Zealand business and
society, through thought leadership, our extensive network, professional
governance courses, events and resources. www.iod.org.nz
Aura Information Security is a leading provider of information security
consulting services to corporates and governments in Australia and
New Zealand. Our focus is to provide the very best independent security
advice and support to businesses, so that their digital world is more
secure, reliable and resilient. www.aurainfosec.com
Acknowledgement: We want to acknowledge the National Association of Corporate Directors (USA)
and Internet Security Alliance (USA) for their 2017 Cyber-Risk Oversight publication which was invaluable
in preparing this resource.
©Copyright Institute of Directors in New Zealand (Inc)
Disclaimer: This resource should not be used or relied upon as a substitute for proper professional advice.
ISBN: 978-0-473-45846-1