
Staying Secure in the Energy Sector: 5 Cyber Risks You Must Prioritize

3 min read

Introduction


According to the X-Force Threat Intelligence Index 2023, the energy industry is the fourth most-targeted industry sector for cyber attacks. The Colonial Pipeline incident—despite it being two years since the ransomware attack occurred—remains a poignant example of the serious repercussions a cyber attack can have on critical infrastructure. The event underscored the impact of a cyber event on the energy supply chain: fuel shortages for countless citizens, substantial expenses for mitigation and recovery, and long-term damage to the reputation of the affected company.

With nearly every business decision in our world relying on the thousands of companies producing electricity, coal, oil, natural gas, nuclear power, and renewable fuels such as geothermal, hydropower, solar, and wind, cyber risk management is a top priority. 

However, effectively managing and mitigating cyber risk and building cyber resilience can be challenging. Apart from dealing with a multi-threat environment with geographically dispersed targets, energy companies face several other cyber risk challenges unique to the industry. 

Top Five Cyber Risks Faced by the Energy Industry Today

  • Diverse and Expansive Threat Landscape:

    The energy industry continues to be a prime target for cyber threats, ranging from nation-state actors seeking to cause economic dislocation to cybercriminals aiming for financial gain. These threats are further intensified by the industry's expansive attack surface, resulting from the geographic and organizational complexity and the increasing use of interconnected systems. Vulnerabilities exist across the entire value chain, from generation to transmission to distribution, and pose significant risks to operational technology (OT) infrastructure and third-party entities within the supply chain.  

  • Interdependencies Between Physical and Cyber Infrastructure:

    The energy industry's reliance on Internet of Things (IoT) technologies for operational efficiency creates unique interdependencies between physical and cyber infrastructure. Malicious actors can exploit these connections, leading to disruptive events with severe economic and physical consequences. For instance, cyberattacks on wireless smart meters, smart thermostats, or OT systems controlling critical assets can have devastating impacts on operations and supply.  

  • Internal Concerns and Cyber Hygiene:

    Maintaining good internal cyber hygiene presents challenges for the energy industry. With multiple interconnected systems, tracking and managing all cyber risks becomes difficult. Additionally, a decentralized approach to cybersecurity leadership and third-party cyber risk sharing across various departments can lead to vulnerabilities. The industry also faces a shortage of qualified cybersecurity professionals, making it challenging to build a robust defense against cyber threats.  

  • Regulatory Compliance Across Global Operating Environments:

    Energy companies often operate across diverse global industrial environments, each subject to different regulatory requirements and standards. Ensuring compliance while managing cyber risks demands dedicated resources and expertise to protect critical infrastructure effectively. Failure to comply with regulations can lead to severe legal and financial repercussions.  

  • Rapid Cloud Adoption and Data Security:

    The energy industry's adoption of cloud services for flexibility and scalability has introduced new cyber risks. Cloud-based data breaches can result in the loss of consumer trust and reputational damage. Energy companies must ensure robust data security measures and stringent access controls to safeguard sensitive information stored in the cloud.

Manage Cyber Risk and Build Resilience with MetricStream CyberGRC

Safeguarding this crucial sector and the communities it serves necessitates proactive and comprehensive measures to address cyber risk effectively. A robust cyber risk program should leverage technologies such as AI and automation, which can process and analyze large amounts of data. Continuous Control Monitoring (CCM) and automation are essential because they run all the time, identifying and flagging anomalies as they occur rather than at the next scheduled assessment.

With CyberGRC, your organization is empowered with:

To explore more about the challenges faced by the energy industry and how your organization can transition from a conventional approach to a connected cyber risk strategy, check out our eBook, which provides valuable insights and practical steps to fortify your organization against cyber threats in the energy landscape. 

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 

Get Ready for SEC’s Cybersecurity Risk Management Rules for Public Companies

5 min read

Introduction

As a cybersecurity or IT risk professional, it would have been impossible to miss all the buzz around the cybersecurity rules for public companies. On July 26, the U.S. Securities and Exchange Commission (SEC) adopted the new rules, which will require companies to transform their cyber risk management and incident reporting processes. 

The new rules do not come as a surprise, given the escalating number of cybersecurity incidents and the elevated levels of cyber risks that organizations face today. In addition, it could be said that voluntary disclosures from companies have been below expectations, which impacted the visibility of customers and investors into the cyber risk postures of these companies. The “inadequate & inappropriate responses” in data and cyber breach incidents in recent years highlighted the lack of stringent regulatory mandates. 

With the new rules, the SEC is standardizing the process of making disclosures about cybersecurity risk management procedures and practices by public companies, which will improve transparency and visibility for all stakeholders. 

Gary Gensler, the current SEC Chair, explains, “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.” 

What are the New Cybersecurity Rules?

In short, the rules will require public companies to:

  • Report material cybersecurity incidents to the SEC within 4 days of determining the materiality of the incident, subject to an additional extension of the timeline at the Attorney General’s discretion 
  • Describe processes for assessing, identifying, and managing material cybersecurity risks, including third-party risks, and whether any cyber risks have had a material effect or are likely to do so 
  • Describe the board’s oversight of cybersecurity risks, the management’s role and expertise in assessing and managing material cybersecurity risks, and how the board/subcommittee is informed about cyber risks 
  • Disclose whether they are engaging with third-party assessors, consultants, or auditors in connection with any cybersecurity processes 
  • Describe whether and how their described cybersecurity processes have been integrated into the overall risk management system or processes 
  • Tag disclosure under incident reporting and risk management, strategy, and governance using Inline XBRL

For risk management, strategy, and governance disclosure requirements, companies will be required to provide the disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023, while compliance with incident disclosure requirements will commence from the later of either 90 days after the date of publication of the final rules in the Federal Register or December 18, 2023. The rules also apply to smaller reporting companies and foreign private issuers (FPIs) but with extended compliance timelines.

How Can You Ensure Compliance?

The rules will require a robust and proven cyber risk management program, significant changes in board and management involvement, revised governance structures, effective management of third-party risks, and more. 

A key takeaway is that while the rules do not directly apply to private companies, by virtue of being part of the third-party ecosystem of public companies, the rules may in effect extend to them. Implementing a cyber governance, risk, and compliance program without factoring in the extended enterprise cannot be deemed effective or complete in today’s interconnected business environment. 

Here are a few measures for you to start preparing:

  • Review and update incident response plans and playbook to factor in the disclosure requirements and timelines (specifically the 4-day deadline for material incidents) and how they affect the internal operations 
  • Review and update cybersecurity and risk management programs, policies, and processes, including:

    • Monitoring and testing of internal controls 
    • Managing and addressing threats and vulnerabilities 
    • Identifying and remediating issues 
    • Identifying and managing third-party risks

    and whether these are integrated into the overall risk management system

  • Establish a well-defined process for assessing the “materiality” of cybersecurity incidents 
  • Identify gaps and vulnerabilities in the organization’s approach to mitigate cybersecurity risks before they materialize into an actual cybersecurity event and implement appropriate processes to ensure this is an ongoing activity 
  • Evaluate the organization’s current cybersecurity reporting structure, including how cybersecurity incident information is relayed to management and the board 
  • Document the cybersecurity expertise of the members of the management team or committee/subcommittee members involved in the process, including third-party consultants, assessors, and others

Organizations can implement advanced and robust cyber GRC solutions, with capabilities for effective risk identification, assessment, and management, continuous control testing and monitoring, compliance management, incident reporting and response, graphical reports, and dashboards, to streamline their processes and achieve compliance with the new requirements. 

A Greater Push Towards Cyber Resilience

There is a heightened regulatory focus on all things cyber today. The SEC rules are not the only cybersecurity and risk-related legislation that has been passed this year. Here are a few more:

Going forward, we expect to see more cyber resilience-focused regulatory initiatives not just in the U.S. but worldwide – and not just applicable to public companies but to organizations across all sectors and industries. Organizations, however, must not look at compliance as a checkbox exercise but as an enabler of business value and growth. Done right, organizations stand to benefit from the enhanced cybersecurity and compliance posture, streamlined processes, and improved efficiencies. 

Request a personalized product demo to explore how MetricStream CyberGRC can streamline your cyber risk management program and revolutionize your compliance efforts. 

Check out our other recent blogs featured in the 'Cyber Risk Series: The Power of Resilience' blog series.  

Stay Prepared: Know 2023’s Top Cyber Risks

What are IT and Cyber Controls and How to Achieve Control Harmonization?

Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

 

CyberGRC Prime: Simplifying IT & Cyber Risk Management with an All-in-One Solution

6 min read

Introduction

In the foreseeable future, the unavoidable trend is that IT and cyber risks will continue to rise in volume while simultaneously growing in sophistication and complexity. There is no doubt about this, with the digital world advancing at an unprecedented pace. Today cyber risk is a top 10 risk according to the World Economic Forum, while the cost of a data breach is at a global high of $4.4M, according to the Ponemon Institute. Additionally, the interconnectedness of global systems and the increasing interdependence of economies will amplify cyber risks.

The solution lies in staying one step ahead by gaining a holistic view of your organization’s cyber risk posture, continuously adapting security strategies, and building cyber resilience—only possible with the right cyber risk product. Scroll down as we explore the key areas of cyber risk management, the criticality of a centralized platform, and how MetricStream’s CyberGRC Prime package can help.

Key Areas of IT and Cyber Risk Management

The generally recognized key areas of IT & Cyber risk management are:

  • Threats and Vulnerabilities

    This includes potential threats and vulnerabilities that can impact the confidentiality, integrity, and availability of an organization's information technology systems. These risks can arise from internal factors such as inadequate IT infrastructure or lack of employee awareness or external factors like cyberattacks. Organizations must identify and manage these risks effectively to ensure the continuity of their operations and protect sensitive information. 

  • IT Compliance

    This area covers compliance with relevant IT regulations and standards. Compliance refers to adherence to legal, industry-specific, or internal requirements related to IT security and data privacy. Non-compliance can result in severe consequences, including financial penalties, reputational damage, and loss of customer trust. Therefore, organizations must establish robust IT compliance programs that include regular audits, risk assessments, and the implementation of controls to mitigate identified risks.

  • IT Policy Management

    This area plays an integral role in risk mitigation by setting the rules, guidelines, and processes for threat detection, vulnerability assessments, and compliance with regulatory and framework requirements. It also governs internal activities such as user roles, social media engagement, onboarding and offboarding of employees, vendors and partners, and incident response and resolution. Policies and, more importantly, adherence to them go a long way toward keeping the organization on top of its risk posture.

  • Third-Party Risks

    Third- and fourth-party relationships have become an unavoidable part of any organization’s IT ecosystem, and their risks come with them. From day-to-day applications to cloud storage, software development, or network management, these relationships introduce additional risk because the organization depends on the security practices and controls implemented by the third party. Failure to adequately assess and manage third-party risks can lead to data breaches, service disruptions, or non-compliance with regulatory requirements. Therefore, organizations must conduct thorough due diligence before engaging with third parties and establish proper oversight mechanisms to monitor their performance.

Complex and Interconnected Risks Require a Single, Centralized Platform

In today's world, all the above key areas of IT and cyber risk management are becoming increasingly complex and interconnected, and thus they need to be viewed together. It is, therefore, crucial for organizations to have a centralized platform to manage these risks effectively. By consolidating IT risks, IT compliance, and third-party risk on a single platform, businesses can streamline their risk management processes and reap numerous benefits such as:

  • 360-Degree Panoramic View of the Cyber Risk Landscape

    Managing IT risks, IT compliance, and third-party risks on a single platform allows organizations to have a holistic view of their risk landscape. This comprehensive perspective enables businesses to identify potential vulnerabilities and threats within their IT infrastructure, ensuring that all areas of risk are adequately addressed. By having a centralized platform, companies can align their risk management efforts, improving overall efficiency and effectiveness. 

  • Reduce the Risk of Non-Compliance

    Consolidating these different aspects of risk management helps organizations in achieving IT compliance. Compliance with various regulations and standards is essential to protect sensitive data and maintain customer trust. By having a single platform that incorporates all compliance requirements, businesses can easily monitor and track their adherence to industry regulations. This not only saves time and resources but also reduces the risk of non-compliance penalties and reputational damage. 

  • Protect from Third-Party and IT Vendor Risk

    With the increasing reliance on outsourcing and partnerships, organizations often share sensitive information with external parties. However, these third-party relationships can introduce significant cybersecurity risks. By centralizing third-party risk management on the same platform as IT risks and compliance, businesses can ensure that all potential vulnerabilities are identified and addressed. This proactive approach minimizes the chances of a cyber breach or data compromise through third-party channels. 

  • Break Down Organizational Silos

    Consolidating these risk management processes on a single platform enhances collaboration and communication within the organization. Different departments can easily access and share information related to IT risks, compliance requirements, and third-party risks. This improved visibility enables cross-functional teams to collaborate effectively and make informed decisions that align with the organization's overall risk management strategy.

While the numerous benefits are inherently apparent, the current challenge faced by organizations is the unavailability of integrated and consolidated platforms that can proactively manage all the key areas in IT and cyber risk. The market currently offers only single-solution products. High-quality and reliable products that can cater to the comprehensive needs of cyber risk leaders are still in a nascent stage. 

MetricStream CyberGRC Prime: A Pre-Packaged, Integrated SaaS Solution

This is where MetricStream's CyberGRC Prime Package comes in. CyberGRC Prime Package is a pre-packaged, integrated SaaS solution designed to streamline and enhance your IT and cyber risk and compliance program. You gain:

  • Comprehensive and Integrated Solution

    One of the most significant advantages of the CyberGRC Prime package is its comprehensive and integrated approach to cyber risk management and compliance. With four built-in modules covering Risk Management, Compliance Management, Policy Management, and Third-Party Risk Management, the package provides a holistic view of an organization's risk landscape. Some specific benefits include:

    • Pre-configured workflows for conducting bespoke risk assessments at pre-defined intervals 
    • Built-in compliance frameworks that enable simplified and quick set-up to create a bespoke compliance repository 
    • Automated compliance management, which reduces manual effort, minimizes errors, and speeds up compliance activities 
    • Enhanced ability to define, attest, distribute, communicate, assess, and manage policies and procedures related to IT and cyber risk management 
    • Effective due diligence, tiering, continuous monitoring, and risk mitigation of third-party risks


    In turn, this integration allows companies to break down silos and create a unified risk and compliance framework. Teams can collaborate seamlessly across functions, sharing information and insights that lead to better risk mitigation strategies and streamlined compliance efforts.

  • Rapid Deployment and Hassle-Free Implementation

    When it comes to adopting new software solutions, time is of the essence. The CyberGRC Prime package's pre-packaged nature ensures a rapid deployment process in a matter of weeks rather than months, allowing your organization to get its risk and compliance programs up and running quickly and realize quick time-to-value. In practical terms, this translates into immediate risk visibility and actionable insights. Your organization can now identify vulnerabilities and potential threats promptly, enabling you to respond faster to emerging risks and incidents. This agility is crucial in today's fast-paced cyber threat landscape.

  • Fixed and Visible Cost

    It is important to determine the total cost of ownership of any solution. The CyberGRC Prime package makes this possible with fixed costs for the duration of the term with no hidden costs or surprise price escalations, which provides management with clear and unambiguous visibility into investment requirements and returns on such investments.

By leveraging the CyberGRC Prime package, your organization is empowered to confidently navigate the complex landscape of cyber risks and regulatory requirements, safeguarding your operations and reputation in an increasingly digital world.

So why wait any further?

Learn more: Download our CyberGRC Prime package product overview.

Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream


 

The 3 A's to Advancing Your Organization's Cyber and GRC Maturity

5 min read

Introduction

Today, everything is digitally connected and moving fast – and so are risks. Organizations today are exposed to multi-dimensional, high-velocity, high-impact, and interconnected risks – from cyber to compliance to environmental.

At the same time, regulations, security, and compliance requirements are rapidly escalating and becoming increasingly complex. You need speed, agility, and accuracy to not just navigate but succeed in today’s hyper-digitized business environment. But how?

Automation, Autonomy, Analytics – these are the three A’s that will shape future companies and business models, and help them advance on the governance, risk, and compliance (GRC) maturity curve, as well as prevent escalating cyber security risks. Let’s take a closer look.  

Automation

One might say that automated workflows and processes are a given today. But you would be surprised by the number of organizations that are still highly dependent on manual efforts, spreadsheets, and siloed operations – from managing risks and compliance requirements to cash management, to project management, to recovery planning, and more. Automation is on every company’s strategic agenda, but it’s a long road ahead.

Adopting technology solutions and software tools can significantly accelerate various processes and minimize human effort. For GRC professionals, chief risk officers, and CISOs, automation frees them to focus on analysis of risk and compliance data, risk prevention, and robust GRC strategic plans rather than on mundane, repetitive tasks, such as conducting risk and control assessments, capturing regulatory alerts, and sending alerts/notifications to relevant users.

That said, automation alone is not enough.

Organizations need to move away from siloed and disjointed processes to integrated, connected approaches. Integration and connection help to eliminate redundancies, get the right information to the right person at the right time, and reduce cost, effort, and workload. Only then can an organization truly realize the benefits of automation.

Finally: pivoting towards automation is not easy. Success depends on a number of factors – backing from the C-suite and top management, budget and financial resources, and, above all, enterprise-wide culture change and acceptance.  

Autonomous

It wouldn’t be an exaggeration to say that autonomous business processes are the future. While automation means using tools and technology to reduce human effort, it still depends on some human involvement for monitoring and supervising the processes.

Autonomous processes are those that can function without any human intervention – they are always on and running continuously in the background. Automation could be regarded as the first step toward becoming autonomous.

Autonomous processes and business models will be critical to keeping up with the ever-evolving risk and regulatory landscape going forward. It is next to impossible for any organization to continuously identify threats and vulnerabilities, test and monitor controls, etc. with a manual approach.

Usually, one establishes a cadence for performing such activities – quarterly, half-yearly, annually – mainly due to the cost and the effort involved. However, this periodic approach fails to provide real-time insights and results in a reactive approach to GRC and cyber risk management.

By ensuring continuous and complete testing and monitoring, autonomous processes help eliminate blind spots. They’re working even when you aren’t, flagging your team to risks so you can remediate them before they become full-blown issues. Timely insights improve agility in decision-making required to stay ahead of the game.

Continuous control monitoring (CCM) is part of the MetricStream strategy to use machines rather than humans to perform tasks and provide autonomous capabilities to organizations. CCM allows you to detect more deviations, more often, compared to manual testing, which fails to spot risks and potential compliance failures and lets them slip through the cracks. With CCM, you can proactively identify risks, improve cybersecurity and compliance posture, reduce audit costs, and support rapid remediation while increasing efficiency, visibility, accuracy, and scalability.

Read More: Improve Your Cyber Risk Posture and Compliance with Continuous Control Monitoring from MetricStream

Analytics

Harnessing the power of data is critical to bring accuracy to decision-making. Data powers modern business. However, data alone cannot add business value. By leveraging analytics, AI, and statistical tools, organizations can transform raw data into actionable insights to make better-informed decisions.

First, though, organizations need to ensure data integrity and structure. In our conversations with companies across industries, we often hear that a lack of a single view of risks is a key challenge. Different business units use their own risk languages and definitions. This results in unstructured data that is difficult to consolidate and analyze. Establishing a common taxonomy is crucial for analytics and next-gen technologies, such as AI, to turn data into insight.

Automation, autonomy, and analytics are central to MetricStream’s product vision with many capabilities in today’s products and many more to come. Artificial intelligence (AI), Natural Language Processing (NLP), a simulation engine, and API technology are all core capabilities of the MetricStream Platform:      
 

  • Autonomous Evidence Collection and Continuous Control Monitoring work continuously to test control effectiveness and enable easier remediation
  • With risk quantification, a built-in Monte Carlo simulation engine is used to run scenario analysis and predict annualized losses
  • NLP is used to understand the intent of searching and provide better search results for documents than traditional keyword-based searching
  • AI-powered Issue Management analyzes large volumes of issues and, more importantly, recommends best practices remediation for more effective and efficient remediation
  • APIs enable the incorporation of your internal risk data and other applications for a single view of risk across your enterprise


Read More: A Comprehensive Guide to Cyber Risk Quantification 

What does the future hold? It’s never certain, but it’s clear that you’ll continue to see more autonomy: automated risk rankings with no humans required, automatic connections of risks to controls and standards/regulations, and much more. Stay tuned!

How can MetricStream help you today? Let us show you how we can help you manage your GRC and cyber risk needs – automatically, autonomously, and with powerful analytics. Reach out today for a demo.

Pat McParland

Patricia McParland AVP – Marketing


 

How to Present Cyber Risk to Your Board: 4 Essential Steps

5 min read

Introduction

Today’s boards don’t need to be convinced that cyber risk management is important. 88% of boards of directors view cybersecurity as a business risk, according to the 2021 Gartner Board of Directors Survey. Over half (51%) of board members surveyed by PwC cite cyber-attacks as a serious risk (and another 35% as a moderate risk) – more than any other category. Also, 68% of directors told MIT Sloan researchers that their board discusses cybersecurity regularly or constantly. 

Despite this, only 33% of directors say they think their board understands the company’s cybersecurity vulnerabilities very well. What’s more, boards are often out of sync with their CISOs. Sixty-five percent of board members surveyed by Proofpoint and MIT Sloan believe that their organization is at risk of a material cyber-attack in the next 12 months, compared to 48% of CISOs. 

Clearly, there is room for improvement in aligning board members with your cyber risk strategy. Here are four tips that you, as a cyber risk or security leader, can use to communicate cyber risks to your board in a way that gets them in sync with your vision, helps them understand what’s at stake, and drives them to bolster your organization’s cyber defenses.

  • Focus on Business Impact

While today’s boards are much more cyber-savvy, it’s still important to convey risks in a language that everyone understands. Keep your presentation simple, minimizing technical speak. Focus instead on the business metrics and impacts that matter most to the board.

For example, instead of presenting a list of vulnerabilities and threats, you might want to talk about how these issues will impact the organization’s revenue, reputation, and strategy.

Map out the attack surface, so the board can clearly visualize which threats are most critical, which pathways they can take through the organization, and which assets are most at risk. Support your case with real-world breach stories and the losses faced by peers in your industry.

Also, remind your board that cyber risk management is about more than securing data. With increasing digitization, more processes are going online, more operations are being managed remotely, and more systems are being connected. So, a threat anywhere along this chain can have a devastating snowball effect. The more clearly boards understand this, the faster they can act.

  • Quantify the Cyber Risks

Words don’t always make a compelling cyber case – but numbers do, especially financial numbers. If you want your board to invest more in cyber risk management, find a way to quantify the monetary impact of risks. Saying that a ransomware attack could be “fairly severe and fairly likely to occur” is far less impactful than saying that a ransomware attack could cost the organization $1 million with a 60% chance of that loss occurring.

Cyber risk quantification makes it easier to answer the board’s questions on how much to invest in cybersecurity, what the return on investment will be, and which risks to focus on first. It also helps companies measure how much risk reduction has been achieved over time.

There are plenty of tools and frameworks to assist with cyber risk quantification. The Factor Analysis of Information Risk (FAIR™) model can help you quantify security risk exposure in terms of the dollar value at risk. A Monte Carlo analysis simulates various cyber risk event scenarios so that you can predict potential financial losses from each one.

And of course – a picture is always worth a thousand words. Express your numbers in visuals and graphs for maximum understanding and impact.
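The FAIR-style quantification described above, carried through as a runnable Monte Carlo. This is an added example, not MetricStream's or the FAIR Institute's code; the scenario values (a 60% annual probability of a ransomware event, a $500k to $2M per-event loss range) are constructed to mirror the $1 million / 60% figure in the text, and the Poisson frequency and lognormal magnitude choices are modelling assumptions.

```python
"""Monte Carlo cyber risk quantification in the FAIR style (added example,
not MetricStream code). A scenario has a Loss Event Frequency (Poisson rate,
assumed) and a P10/P90 loss-per-event range (lognormal, assumed)."""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard normal quantile at 0.90


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # Loss Event Frequency: Poisson mean
    loss_p10: float         # 10th percentile of loss per event, USD
    loss_p90: float         # 90th percentile of loss per event, USD


def frequency_from_annual_probability(p: float) -> float:
    """Poisson rate such that P(at least one event in a year) == p."""
    if not 0 < p < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    return -math.log(1.0 - p)


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """Convert a P10/P90 loss range to (mu, sigma) of ln(loss)."""
    if not 0 < p10 < p90:
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2.0
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z90)
    return mu, sigma


def expected_annual_loss_closed_form(s: Scenario) -> float:
    """E[annual loss] = rate * E[loss per event] for a compound Poisson."""
    mu, sigma = lognormal_params(s.loss_p10, s.loss_p90)
    return s.events_per_year * math.exp(mu + sigma * sigma / 2.0)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small rates typical of risk scenarios."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenarios, trials: int = 10_000, seed: int = 7) -> list[float]:
    """Return one simulated total loss (USD) per simulated year."""
    rng = random.Random(seed)
    params = {s.name: lognormal_params(s.loss_p10, s.loss_p90) for s in scenarios}
    totals = []
    for _ in range(trials):
        year_total = 0.0
        for s in scenarios:
            mu, sigma = params[s.name]
            for _ in range(_poisson(rng, s.events_per_year)):
                year_total += rng.lognormvariate(mu, sigma)
        totals.append(year_total)
    return totals


def summarize(totals: list[float]) -> dict[str, float]:
    """Board-ready figures: expected loss, median, tail percentiles, loss probability."""
    ordered = sorted(totals)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "median": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "prob_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the text: a ransomware event with a
    # 60% chance of occurring in a year and a typical cost around $1M.
    ransomware = Scenario("ransomware", frequency_from_annual_probability(0.60),
                          loss_p10=500_000, loss_p90=2_000_000)
    report = summarize(simulate_annual_losses([ransomware], trials=20_000))
    for key, value in report.items():
        print(f"{key:>22}: {value:,.2f}")
    print(f"closed-form EAL: {expected_annual_loss_closed_form(ransomware):,.2f}")
```

The closed-form expected annual loss is a sanity check on the simulation; the percentiles are what the board cares about, since they show the tail the mean hides.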

  • Expand the Conversation Beyond Technology

Boardroom conversations around cyber risk management often revolve around technology-based defenses and controls – be it firewalls, encryption software, packet sniffers, or vulnerability scanners. While these tools are essential, they’re just one part of the cybersecurity program. CISOs also need to be talking to boards about:

The idea is to create multiple layers of protection, each supporting the other, and together providing a solid defense against cyber threats.

  • Don’t Overlook Third Parties and IT Vendor Risks

The sheer number of IT vendors that we as organizations depend on for cloud services, data back-up, remote IT support, and more makes it essential to have a robust third party and IT vendor risk management program. Ensure that your board understands why. Showcase the impact of IT vendor risks in relation to enterprise risks.

Consider creating a centralized map of IT vendors, the business units they serve, where they operate, associated regulations, controls, etc. – so that the board has a clearer picture of the IT vendor risk universe and where to allocate resources for optimal impact.

Also, be prepared to answer targeted questions from the board, such as: How do you monitor fourth-party cyber risks? Do you conduct due diligence only at the beginning of the vendor relationship or at regular intervals? And how do you offboard IT vendors to ensure that they no longer have access to sensitive data? 
 

Five other questions the board seeks answers to:

  • Which critical assets are most vulnerable to cyber risks, and how are we protecting them? 
  • How are we dealing with cyber risks that are not directly within our control? 
  • How do we stay up-to-date on the latest cyber threats and vulnerabilities? 
  • How does our cyber risk management program stack up against industry standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework? 
  • If a cyberattack were to occur, do we have a plan? And what should our (the board’s) role be?

How MetricStream Can Help

MetricStream CyberGRC gives you and your board comprehensive visibility into IT and cyber risks, assets, processes, and controls. Using our cyber risk quantification capabilities, you can swiftly measure the dollar impact of cyber risks to help your board prioritize their cyber investments more efficiently.

You also get powerful capabilities to assess cyber risks and controls, monitor the threat landscape, manage cyber compliance and policies, and keep IT vendor risks in check – all of which goes a long way towards strengthening the board’s confidence in your cyber risk management program.

Check out more resources on managing cyber risk:

eBook: CyberGRC Buyer’s Guide

Infographic: 7 Urgent Cyber GRC Challenges to Prepare for Now

Case Study: U.S. Telco Giant Makes Cybersecurity Decisions 60% Faster by Quantifying the Dollar Impact of Cyber Risks

Request a demo now!

Pat McParland

Patricia McParland AVP – Marketing


 

3 Cyber Infographics That You Absolutely Can't Afford to Miss as a Cyber Risk Leader

3 min read

Introduction

As a cyber risk leader, effectively managing and mitigating cyber risk is a critical priority due to the potential impact it can have on your organization's operations, reputation, and financial health. With the increasing sophistication of cyber threats and attacks, the cost and frequency of data breaches are on the rise. The World Economic Forum’s Global Risks Report 2023 highlighted ‘widespread cybercrime and cyber insecurity’ as a top global risk.

We understand the many challenges you face in developing and implementing an effective cybersecurity strategy for your organization. They say that a picture is worth a thousand words… so in the spirit of that age-old wisdom, we present three infographics to help you better understand and manage cyber risk. 

Scroll down to discover valuable insights and actionable recommendations to help you stay ahead of the cyber risk curve!

  • 7 Urgent Cyber GRC Challenges to Prepare for Now

In today’s interconnected digital landscape, thanks to increasing global connectivity, new hybrid work models, the adoption of cloud services, the evolution of technology, and a myriad of other factors, cybersecurity risk is more relevant than ever before. But among the many cyber challenges, what are the most important and urgent ones that need to be on your radar? Check out the 7 most urgent cyber GRC challenges and what steps you can take to stay prepared.   
 


  • 8 Essential Frameworks to Build Cyber Resilience

Cybersecurity standards and frameworks are the essential starting point in managing cyber risks and building cyber resilience. They provide a systematic approach to identifying and prioritizing risks. This helps organizations to focus their resources on the most critical areas of risk and develop a mitigation strategy. It also helps demonstrate compliance with regulatory requirements and industry standards and provides a common language to communicate cyber risk effectively with stakeholders, including executive management, customers, partners, and regulators. Take a look below at the essential cyber frameworks:   
 


  • Improve Cloud Security with Continuous Control Monitoring

The elastic nature of cloud infrastructure, while bringing advantages like speed and efficiency and accelerating innovation, increases the complexity of your IT footprint, which in turn complicates the effective management of cyber risk. This is where continuous control monitoring (CCM) comes into play. By enabling an organization to continuously monitor its cloud systems for cyber threats or non-compliance issues in an automated manner, CCM identifies potential problems and threats in real time so that they can be addressed as soon as possible. Discover more in the infographic.

Bonus Infographic:

 

2023’s Top Cyber Risk Trends

To build cyber resiliency and plan an effective cyber risk management strategy, it's important to stay informed about the latest cyber risk trends. Our infographic on the top Cyber Risk Trends for 2023 helps you do just that. Check it out!

 

Enjoyed exploring the infographics? Check out more recent cyber risk and compliance resources to help you stay ahead of the cyber risk curve. Need help with your cyber risk programs? Request a demo now!

eBook: Towards a Secure Cloud: Top 6 Strategic Priorities for Cyber Risk Leaders

Analyst Report: Ten Cyber and IT Risk Fundamentals You Must Get Right By Gartner Analyst(s): Claude Mandy and Jie Zhang

Case Study: U.S. Telco Giant Makes Cybersecurity Decisions 60% Faster by Quantifying the Dollar Impact of Cyber Risks

Pat McParland

Patricia McParland AVP – Marketing


 

Key Takeaways from Our New York Event: Connect, Collaborate, and Secure the Cloud

6 min read

Introduction

I woke up the day before our recent New York City Roundtable event for CISOs, cyber risk professionals and enterprise risk leaders to some exciting headlines: “First Major Snowstorm of the Season Hits the City Tomorrow!”

Of course! It wouldn’t be a cyber and risk event without some last-minute drama!

Luckily, the snow turned out to be a ferocious 1 inch, and more than 30 risk leaders braved the cold to make it to the Marriott Marquis, a classic New York City landmark hotel in the center of Times Square. As the cold air blew, the just-right size group settled in for a 3-hour meeting with their peers on how to modernize, optimize and connect their risk strategies in today’s volatile world.

We heard speakers from AWS, Capco, Sumitomo Mitsui Bank, Thomson Reuters, of course MetricStream, and many more, in discussions ranging from best practices for integrating GRC programs to automating compliance in the cloud to how business continuity and resilience must come together. The day ended with networking and hors d’oeuvres and it was terrific to see how many people stayed to chat and interact.

I had the privilege of moderating and being able to chat with most attendees. What an honor! Here are just a few things I learned during the day (besides that “big snow” also means “bring an umbrella”).

“It’s Not the New Normal, It’s Business Unusual.”

One of the most active panels was on cyber and enterprise resilience. Two panelists were from Jefferies Group, an investment bank, one a CISO and one on the business side of IT. They had a terrific back and forth on why it’s so important for the business and IT to stay interlocked on resilience and recovery, including many quotable thoughts like:

  • Without data, there is no business.
  • Without the business, there is no business.
  • We’re both on the same side, keeping each other running.
  • Resilience is a mindset.

We also discussed the criticality of resilience in today’s post-modern economy – hyper digital, always on, always unexpected.

“I don’t like the term ‘new normal,’” one of the panelists said. “It’s not the new normal. Business unusual is now the usual.”

I was struck by that sentiment. Today, the unusual really has become standard. At this meeting, Silicon Valley Bank hadn’t yet failed, Credit Suisse hadn’t been taken over, and who knows what will have happened by the time this is published. But in any case, the nugget of wisdom was the same: Anything can happen at any time. We must all collaborate and be prepared.

Static business continuity plans were yesterday’s normal. Of course, business continuity plans are still the foundation for business unusual, but agility and resilience – business and tech working closely together – connected risk: Those are today’s watchwords. Simple but brilliant!

“It’s Not If, It’s When”

Another key theme that came up was the idea of inevitability of cyber attacks and incidents.

More than 422 million individuals were affected by data breaches in 2022, according to Statista. The average data breach costs $4.4M, the highest in 17 years, according to the Ponemon Institute. ChatGPT, Chick-Fil-A, Google, and T-Mobile are among the high-profile brands who’ve experienced breaches so far in 2023, and that’s not even looking at items like ransomware.

“It’s not if, it’s when it happens,” said a panelist, and I saw lots of nodding heads. The mindset of cyber risk management has moved from complete prevention (although of course that remains the goal) to anticipatory preparation and resilience, especially when it comes to emerging risks.

One example is generative AI. While innovations like ChatGPT have captured the collective imagination with their uncanny ability to seemingly “know” almost everything, they also pose great cyber risks.

ChatGPT can create credible phishing emails to accelerate spoofing, already a top cause of cyber crime. So-called “deep fakes,” images created by AI, could create convincing news stories (although AI reportedly still can’t duplicate hands and fingers well – it’s been focused on faces.) Policies and contracts can be spoofed. The list goes on…

The obvious point is that whatever technologies are developed to protect from risk are also available to, and are being used by hackers and threat actors.

“It’s not if, it’s when” does not mean bowing to the inevitable. It’s being prepared and resilient, and always a step ahead to recover and bounce back.

In fact, the theme of resilience was a clear overlay to the day – and attendees and panelists were not talking about operational resilience products. They were discussing resilience as a mindset. As the Japanese proverb says, “fall down seven times, get up eight.” In today’s times, resilience is our only option.

“Compliance Today Must be Continuous Compliance”

In addition to resilience and cyber risk, modern compliance – and particularly, automation – was a major topic of discussion.

Our expert from AWS talked about compliance in the cloud and what it requires to be secure – implementing processes that are automated, continuous, and aligned across the business and IT. (Sounds familiar to the themes above!) Testing samples for compliance or manually testing at sporadic intervals can’t protect you when risk changes so fast.

In particular, the idea of continuous monitoring is essential when we face more than 200 regulatory changes a day, according to our outstanding speaker from Thomson Reuters, Todd Ehret.

One regulatory change that’s of special interest in cyber risk is the proposed update to the SEC cyber security rules. It will amplify the need for strong, solid cyber risk management, including the disclosure of cybersecurity governance capabilities, the periodic review and updating of cyber risk management programs, and the evaluation of the organization’s current cybersecurity reporting structure.

The Cloud Doesn’t Guarantee Security or Resilience

Speaking of the cloud, several audience members had excellent observations – namely, that just because most of us are moving to the cloud doesn’t mean the cloud guarantees security or resilience. Of course, it’s better than tons of outdated legacy systems.

But the cloud is still a server at heart and its digital nature opens up new attack surfaces. Even with the rigorous security standards offered by commercial cloud providers, there’s no resting. Constant monitoring, control testing, and vigilance are more essential than ever.

We dive deeper into this topic in our new eBook on securing the cloud.

Collaborate, Connect, Communicate

Finally, in addition to the key advice to be vigilant, monitor and stay resilient – all perhaps obvious but so critically important – another theme rose above the rest: We must stay connected across the business and even the industry to defend against cyber risk. Topics like new technologies, exotic breaches, and future trends capture the imagination, but the basic block and tackle of connect, collaborate, and communicate somehow manage to surface in every discussion of tackling risk and staying resilient.

To throw in another saying, this time an African proverb: “Alone we go fast. Together we go far.” Managing cyber risk obviously takes speed and agility, but resilience is a long game.

Thank you for bearing with my sayings and cliches, and most of all thank you to all the terrific speakers and attendees. We look forward to our next roundtable, and as always, if we can help you manage your cyber risk or any governance, risk, and compliance needs, please reach out to us at info@metricstream.com. You could also request a personalized demo.

Register for our upcoming webinar: Cyber Regulations Review: Managing Cyber Risk with the Proposed Cyber SEC Rules and Biden Executive Cyber Orders

For over a decade, MetricStream’s GRC Summit has brought together thousands of GRC professionals from various industries, providing opportunities to learn, connect, and succeed. Registrations are open for the 2023 GRC Summit to be held on June 14 and 15 at the Hyatt Regency in Miami, US. Register now!

Pat McParland

Patricia McParland AVP – Marketing


 

Related Resources


Cyber Risk Now a Top Priority with SEC Proposed Rules on Cybersecurity Risk Management

5 min read

Introduction

As a cyber security or IT risk professional, it would have been impossible to miss all the buzz around the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” draft rules (Rules) issued by the Securities and Exchange Commission of USA (SEC), early last year. Since then, there has been continuous commentary, analysis and even checklists of the proposed rules and more recently, the SEC has announced further amendments to the rules.

The Rules, which will be applicable to all public/listed companies, are likely to be brought in force in April 2023. It appears that the SEC is no longer satisfied with voluntary disclosures or unsatisfactory adherence to its earlier guidelines on the topic and is now serious about having public companies disclose their approach to cybersecurity risk, strategy and governance. This should not come as a surprise in light of the growing number of attacks on some of the largest companies in the world (listed in USA and under SEC regulations) and the “inadequate & inappropriate responses” provided by some such as Uber and Equifax – both of which adversely affected customers and investors.

However, the main concern, is best expressed by Gary Gensler, the current SEC Chair: “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting”.

Paraphrased, the SEC intends to provide investors with more visibility into the cyber risk posture of companies to enable them to make more informed decisions about their investments.   

What are the Main Changes Proposed by the SEC?

In short, the Rules propose two fundamental changes in the way public companies should manage cyber security and IT risks:

  • Direct oversight by the Board into cybersecurity governance capabilities of the company, including the review, assessment, and implementation of cybersecurity policies, procedures and its business strategy, risk management, and financial oversight; and 
  • Enhanced and stricter guidelines regarding disclosures of, and updates to, “material cybersecurity incidents”.

The specific requirements of the Rules, to be complied with by public companies, are as follows:

  • Disclose the cybersecurity expertise of the board (if any)
  • Disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk
  • Disclose whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight
  • Report “material cybersecurity incidents” to the SEC within 4 days; ("material" meaning anything that could impact an individual's decision to buy, hold, or sell a company's stock)
  • Report non-material incidents that, when combined with other incidents, become material “in the aggregate”
  • Provide updates on prior incidents in periodic SEC disclosures
  • Provide a description of the company’s cybersecurity risk management system

Key Inferences from the Draft SEC Cyber Rules

It may be inferred from reading the Rules and the above requirements that the SEC may be pushing its regulated companies towards achieving cyber resilience, rather than simply enhancing their cyber security and risk posture. Currently, however, some of the requirements are open to different forms of interpretation (such as determining the threshold for material cybersecurity incidents, the 4-day time limit for disclosures, and whether a board committee on cyber risk and governance is sufficient), and these will either be clarified further in the final rules or through court orders.

Another takeaway from the Rules is that while they don’t extend to private companies, by virtue of being part of the third-party ecosystem of public companies, the Rules may in effect extend vicariously to these private companies. Today it is impossible to implement a comprehensive cyber security, risk, and governance program without including the extended third-party ecosystem.

What is undeniable though, is that the Rules will require significant changes in board and management involvement, additional cybersecurity expertise on boards, revised governance structures and upgrades to processes in place. While the final rules are likely to be released in April 2023, here are a few ways companies can start preparing:

  • Review and update cybersecurity and risk management programs, policies, processes
  • Identify gaps and vulnerabilities in the organization’s cybersecurity approach to mitigate risks before they materialize into an actual cybersecurity event and implement appropriate processes to ensure this is an ongoing activity
  • Evaluate the organization’s current cybersecurity reporting structure, including how cybersecurity incident information is relayed to management and the board
  • Enhance board member expertise in cyber security and IT risk with plans to appoint domain experts on the Board
  • Determine whether the full board or a board committee, will be responsible for oversight of these Rules
  • Review and update incident response plans to factor in the disclosure requirements and timelines (specifically the 4-day deadline for material incidents) and how they affect internal operations
  • Add an executive leader to the security team focused on incident response   

A Greater Push Towards Cyber Resilience

Also important to note is that the SEC Rules are not the only cyber security and risk related legislation to be passed this year. Here are a few more:

With the increasing number of cyber regulations and the likelihood that the legislation will be applicable to all, not just public companies, organizations are quickly realizing that they must amp up their resources and budgets to effectively manage the influx of regulations and build cyber resilience. This will include expanding budgets to include investing in technologies to gain visibility into the organization’s cyber risk posture, hiring additional staff, and implementing stronger security measures such as automated monitoring of controls to protect against cyber threats.

Need help getting your programs in shape? Please contact MetricStream for help at info@metricstream.com

Check out our other recent blogs featured in the 'Cyber Risk Series: The Power of Resilience' blog series. 

Stay Prepared: Know 2023’s Top Cyber Risks

AWS Security Lake and OCSF: A Cyber Risk Perspective

What are IT and Cyber Controls and How to Achieve Control Harmonization?

Agnishwar Banerjee

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

 
