The Billion Dollar NIST Assessment
The billion-dollar Yahoo hack vividly illustrates why cyber risk mitigation must start from the top down and why board members should insist on getting the actionable information they need.
When Yahoo recently announced the largest hack into a single company’s network, i.e. that in 2014, 500 million customer email accounts had been compromised, the obvious question was, “Why did it take so long to find out and disclose it?” The answer came several days later in a New York Times article highlighting the lax attitude toward security prevalent at the company for years. It contrasted Yahoo management’s reaction 6 years ago to a Chinese hack with management at Google, another company that was hit at the same time.
“The Google co-founder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, ‘Never again,’ to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers’ accounts.”
In contrast, Yahoo management adopted a far less aggressive stance, opting to let other high priority issues take precedence over protecting its customers. One higher priority issue was divesting a large portion of the company. Negotiating the deal with Verizon yielded a $4.8 billion price tag, but recent revelations threaten that valuation.
“The ‘Paranoids,’ the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.
– “Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say,” Sept. 28, 2016
Verizon wants to reduce the valuation by $1 billion to offset the potential liability resulting from disclosure of the breach. If that drop in valuation occurs and I were a Yahoo shareholder, I would be hopping mad, demanding to know why my investment value is dropping 21% due to apparent management and board negligence. It doesn’t take a genius to predict a billion-dollar shareholder class action suit if the valuation drops, or an even larger suit if cyber risk concerns cause Verizon to withdraw their offer.
What could have prevented the breach? By all accounts, Yahoo failed to implement some elementary measures that would have dramatically mitigated cyber risk (e.g., forcing strong passwords, two-factor authentication). Various cyber experts over the past few years have issued statements about how adopting a handful of measures can keep most breaches from happening, and apparently Yahoo hadn’t put those in place.
Who will ultimately be found at fault? Will it be the head of security? Will it be the CEO and the C suite? Or, is the board liable too?
Most public company boards of directors task the Audit Committee with overseeing risk management, while some establish a separate Risk Committee. Regardless, board members are required to exercise “duty of care” and “reasonable business judgment” in carrying out their risk oversight role. Given that cybersecurity is identified in survey after survey as the #1 or #2 concern of most boards, responsible directors are compelled to find an effective way to oversee cyber risk.
“81% of IT and security executives report they employ manually compiled spreadsheets to report data to the board… Less than half of the IT and security executives surveyed in 2015 indicated that the information they provide the board is actionable, only one-third believe the board comprehends the information, and less than half believe they are getting the help they need from the board to address cyber security threats.”
– “How Boards of Directors Really Feel About Cyber Security Reports,” Osterman Research Survey, Sept. 2016
A straightforward way to get a handle on the cyber risk status of an organization is to compare internal measures taken with the controls prescribed by the NIST Cybersecurity Framework (CSF). Most bodies concerned about cyber risk point to CSF as the de facto gold standard. Basing risk reporting on it illuminates the current status and enables ongoing oversight by the board. [Full disclosure: my company offers an automated CSF software platform.]
It seems highly improbable that the Yahoo hack would have occurred had ongoing NIST monitoring been in place. CSF assigns maturity levels 1 (lowest) through 4 (highest) to each control that needs to be monitored, with guidance that lower maturity controls be put in place before more sophisticated ones are addressed. Yahoo apparently hadn’t implemented all of the maturity level 1 controls. Had their board insisted on following the NIST standard a couple of years ago, it’s likely the company’s lack of resilience would have been uncovered and addressed before the Verizon deal arose.
And even had the hack occurred after implementation of a NIST monitoring program, the board would have been able to demonstrate responsible oversight. Ongoing monitoring reporting using NIST CSF would have documented the board’s engagement with the cyber risk issue, and that proof would diminish the legal jeopardy they now face.
Isn’t a billion-dollar loss enough to spur every board in the country to take action?