How cyber-attacks became a weapon in 2017 and what is at stake for boards in 2018

The weaponization of cyber-attacks has an impact on cybersecurity governance. Boards of directors of companies owning critical infrastructure or having worldwide subsidiaries are more at risk than ever.

Cyber-attacks became a geopolitical weapon in 2017. This article explains in simple terms what changed in 2017 and shows that the main attacks, like WannaCry, happened on a different level. It takes us through some of the major breaches of 2017 and shows how ransomware can now be used as a weapon: for example, a possible Russian ransomware attack in Ukraine spread to companies with subsidiaries in that country.

http://www.bbc.com/news/technology-42338716

Adapting the role of the board in an age of exponential change

I wrote this article based on an outstanding read from Deloitte, to highlight how rapidly changing environments lead to the need for new steps in the strategic planning process. I adopted some of the proposed elements in my reflections about the strategies of my different boards: (1) the need to develop, with management, a vision of what the market and industry will look like in 10 years; and (2) from that vision, identify the emerging edges that the company has that can be developed to position it better in this future reality.

Are you concerned about exponential changes and do you have other perspectives to share on the role of the board in changing environments?

https://www.linkedin.com/pulse/adapting-role-board-age-exponential-change-josee-morin/

NIST, a framework to support the board in cybersecurity oversight

While researching the trends in adoption of the NIST cybersecurity framework, I found this article that strongly supports the adoption of the NIST Framework. As a board member, I agree because the framework bridges the gap between security experts and corporate directors. It is simple: Identify, Protect, Detect, Respond and Recover—five elements only. It allows people who are not cybersecurity specialists to participate in cybersecurity decisions, which is expected from directors to meet their oversight duties. Interesting to note is the fact that the average amount of time it takes an organization to find malware on its systems, for a non-bank, is about five months, a wake-up call for corporate directors. Have you discussed adopting a cybersecurity framework at the board level? Do you know if your company has one? If you want to learn more about the NIST framework, read my article http://www.joseemorin.ca/en-articles/2017/7/3/cyber-risk-oversight-tips-for-corporate-directors-to-improve-understanding-and-involvement

https://www.bna.com/2017-cybersecurity-prediction-n73014450091/

Only 14.2% of directors from 307 public companies have technology skills

This article presents an interesting compilation of the board skills matrices disclosed by 307 public American and Canadian companies. Not surprisingly, 99% of boards require financial expertise and 75% of all directors have that skill. Such strong representation of financial skills among directors does not match the need for more board diversity. More troubling is the fact that only 36.8% of companies included the need for technology expertise in their board competencies, and that only 14.2% of directors qualified for that skill, the lowest ranking of all. The board has an essential role to play in the digital transformation of many businesses and in cybersecurity. This very low representation of technology skills at the board level is a warning that change is required. Is the composition of your board what it should be? http://www.equilar.com/blogs/241-hundreds-of-companies-disclose-board-skills-matrices.html

A good refresher: Cybersecurity, the role of the board

The rapid pace of cyberattacks and the extensive media coverage they receive can create confusion for corporate directors about their role with regard to cybersecurity. This article is a good refresher on the role of the board. It proposes 5 key aspects of the board's role: accept the responsibility, set expectations for management, understand your cyber-risks, assess current cyber-security practices, and plan and rehearse. I would add to that, based on recent findings: discuss the adoption of a cybersecurity framework like NIST. To assist in the evaluation of current practices, I refer you to a list of questions on the state of cybersecurity I have published at http://www.joseemorin.ca/en-tools/

https://www.spencerstuart.com/research-and-insight/cybersecurity

Why boards of directors have to be concerned with cyberattacks: FedEx still reels from June attack

Interesting to see the real-life consequences of a cyberattack. More than two months after a cyber-attack in Europe, some of FedEx's processes still have to be handled manually, and annual earnings could be 4% to 7% lower because of this incident. FedEx said it didn't have insurance in place that would cover the cyberattack. They were infected by the WannaCry ransomware, and the virus entered through tax software used in Ukraine. This demonstrates that boards of directors of smaller companies should also be concerned with cybersecurity, since their infrastructures can be used to penetrate a large partner.

https://www.bloomberg.com/news/articles/2017-07-17/fedex-says-tnt-systems-may-never-fully-recover-from-cyberattack

Which experts can corporate directors follow to stay current on cyber-risks

I was trying to identify a few sources of relevant information to keep up to date with the rapid pace of evolution of cyber-risks, and found this list of experts. Most of the people proposed take a technical approach to cyber-risks as opposed to a governance approach. But if you take the time to read some of what they publish, you can identify a few that are a source of information adapted to your needs and that can help you stay current on cyber-threats and what is being discussed across industries. This is important to support your oversight responsibilities. Do you have other sources to propose, maybe some Canadian ones?

https://www.safervpn.com/blog/top-cyber-security-influencers/

Lack of cyber-literacy at the board level?

As I was researching information on board expertise levels for cyber-security, I found this report dating from 2016, but still so relevant. It shows that 40% of all directors surveyed admit they did not feel responsible for the repercussions of a cyberattack, reflecting a lack of understanding of cyber-risks by directors. Moreover, independent directors' cybersecurity literacy lagged that of other groups of executives, which is not reassuring. Boards in general, and independent directors in particular, have work to do to meet their cyber-security oversight mandate. How do you feel about the cyber-literacy of your board?

https://corpgov.law.harvard.edu/2016/05/01/grading-global-boards-of-directors-on-cybersecurity/

Are boards ready to deal with cyber-risks?

Published June 2nd 2017 - Even with the increasing exposure cyberthreats are receiving in the media, most boards of directors are not ready to deal with cyber-risks. This HBR article highlights survey results showing that only 38% of directors have a high level of concern with cyber-risks, yet the average cost of a data breach is $4 million. Two reasons discussed for this disconnect are the lack of effective processes for cyber-risk oversight and the lack of expertise. Do you agree?

https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats

Cyber-security: three useful insights for corporate directors

I just attended a Cybersecurity talk and wanted to share a few interesting insights for corporate directors.

Beware of the four basic types of people performing cyber-attacks, as each has different motivations influencing their mode of operation: the criminal looking for money, the spy looking for secrets, the hacktivist looking to make a statement and the internal actor looking to disrupt.

One way to check if your accounts have been exposed in a major breach is to regularly visit the website www.haveibeenpwned.com and enter your email address.

According to CSO Online, the threats to watch in 2017 are ransomware targeting more devices, including mobile; manipulation of IoT devices to wreak havoc; malware-laden mobile phones; and politically motivated hacking, which is on the rise and will now target a wide variety of businesses.

http://www.csoonline.com/article/3156893/data-breach/watch-these-top-4-cybersecurity-trends-in-2017.html

What boards can learn from Trump Tweets

Thank you @BobZukis for sharing this interesting article that leverages interest in Trump tweets to remind boards of the increased security risks if social media is not managed properly. Boards should make certain companies have and follow a social media policy that includes quality control. A few relevant pieces of advice: ensure all mission-critical directives to employees or third parties are properly authenticated; make certain high-visibility executives are engaging in cybersecurity conversations with family members; avoid file transfers via external devices such as USB drives given to you by third parties, at conferences for example. But most importantly, verify that when using social media, your executives, including board members, are putting the company's reputation first. Also, verify that they are adhering to policies and procedures, have had situational awareness training and remember it when opening emails or clicking on links when abroad.

http://www.csoonline.com/article/3164840/social-networking/what-company-execs-can-learn-from-trumps-tweets.html

Three reminders for effective board minutes

I just attended a refresher training on board minutes and wanted to share a few of the takeaways I found most relevant.

  1. The minutes should have enough detail to reflect the level of analysis, discussion and thought that led to a decision. In that spirit, noting the start and end time of meetings can help demonstrate that enough time was allocated to make insightful decisions.

  2. It is good practice to keep a table of follow-up items from the minutes, including what, who and when. It is, however, recommended not to include this table in the board minutes. This table is a working tool, and having it inside the minutes makes it admissible for litigation purposes.

  3. If you circulate a resolution via email for signature in lieu of a meeting, all directors have to sign, as opposed to only the directors present at a meeting. It is acceptable to keep a photo or scan of the signature page as proof of signature.

Can you prove your board cybersecurity policies meet reasonable standards?

An important read for directors who want to understand the current legal landscape on board cybersecurity oversight, to evaluate how current their cybersecurity approach is and how exposed they are personally. Boards have to be able to defend that they meet reasonable standards in security. And just being compliant is not enough: cybersecurity policies must meet the industry norm. This is even more important for boards of unregulated industries, for example mobile services and apps, and of small and medium companies that wrongly feel they could not be the target of cyberattacks.

http://www.csoonline.com/article/3147628/leadership-management/why-security-leaders-need-to-embrace-the-concept-of-reasonable-security-now.html

Canada Health Infoway Board Member

I am honored to announce that I have been nominated to the board of Canada Health Infoway. I will serve as an observer until July 2017. I am very much in agreement with Infoway's mandate to accelerate the development, adoption and effective use of digital health solutions across Canada. My career in digital health solutions in Canada and the US enables me to understand first-hand the importance of digital solutions to transform healthcare and keep it affordable for all Canadians. I am glad to be able to actively contribute to the advancement of digital healthcare solutions and to leverage my technology and governance background in this role.