Cyber Guardians

BART R. McDONOUGH, the CEO and Founder of Agio, uses his extensive 20-plus years of IT and cybersecurity expertise to decode complex cybersecurity subjects, establishing him as a reliable resource for clients. His acclaimed book Cyber Smart provides a user-friendly guide to navigating the intricate landscape of cybersecurity for professionals and families alike. In addition to his role as a strategic cybersecurity advisor to boards, McDonough has also contributed valuable insights and perspectives as a member of several boards. Throughout his notable career, he has offered expert cybersecurity counsel to some of the world’s premier money managers. Bart received his undergraduate degree from the University of Connecticut and his Master’s degree from Yale University.

Preface: What to Expect from This Book xv

Chapter 1 Introduction 1

Summary of a Board’s Incident Response 5

Checklist for a Board’s Incident Response 8

Chapter 2 Cybersecurity Basics 11

CIA Framework 13

Key Cybersecurity Concepts and Terminology for Board Members 19

Threats and Risks 19

Vulnerabilities and Exploits 20

Malware 21

Social Engineering 22

Encryption and Data Protection 23

Authentication and Access Control 24

Common Cyber Threats and Risks Faced by Companies 26

Phishing 26

Malware 27

Ransomware 28

Business Email Compromise 29

Insider Threats 30

Third-Party Risk 31

Mistakes/Errors 32

Emerging Threats 33

Advanced Persistent Threats 34

Supply Chain Attacks 35

Data Destruction 36

Zero-Day Exploits 37

Internet of Things Attacks 38

Cloud Security 39

Mobile Device Security 40

Key Technologies and Defense Strategies 42

Firewall Technology 42

Intrusion Detection/Prevention Systems 43

Encryption 44

Multifactor Authentication 45

Virtual Private Network 46

Antivirus and Anti-malware Software 47

Endpoint Detection and Response 48

Patch Management 49

Cloud Technology 49

Identity and Access Management 50

Mobile Device Management 51

Data Backup and Recovery 52

Zero-Trust Architecture 54

Micro-segmentation 55

Secure Access Service Edge 56

Containerization 56

Artificial Intelligence and Machine Learning 57

Blockchain 59

Quantum Computing 61

Threat Intelligence 64

What Is Threat Intelligence? 65

How Can Threat Intelligence Help Organizations? 65

What Should Board Members Know About Threat Intelligence? 66

Threat Actors 67

External Threat Actors 68

State-Sponsored Attackers 68

Hacktivists 70

Cybercriminals 70

Competitors 72

Terrorists 72

Internal Actors 73

Employees 73

Contractors 75

Third-Party Vendors 76

Motivations of Threat Actors 77

Financial Gain 77

Political and Strategic Objectives 78

Ideological Beliefs 79

Personal Motivations 80

Tactics, Techniques, and Procedures 81

Examples of TTPs Used by Different Threat Actors 81

MITRE ATT&CK Framework 83

Chapter 2 Summary 85

Chapter 3 Legal and Regulatory Landscape 87

Overview of Relevant Cybersecurity Regulations and Laws 90

Federal Regulations in the United States 90

The Federal Trade Commission Act 90

The Gramm-Leach-Bliley Act 92

The Health Insurance Portability and Accountability Act 94

State Regulations in the United States 97

Data Breach Notification Laws 97

California Consumer Privacy Act 99

European Union Regulations 101

General Data Protection Regulation 101

Network and Information Security Directive 102

ePrivacy Directive 104

Industry Standards 105

Payment Card Industry Data Security Standard 105

National Institute of Standards and Technology 107

Securities Exchange Commission 108

2011 Cybersecurity Disclosure Guidance 108

2018 Cybersecurity Disclosure Guidance 108

2023 Proposal for New Cybersecurity Requirements 109

Discussion of Compliance Requirements and Industry Standards 112

Compliance Requirements 112

Sarbanes-Oxley Act 112

New York State Department of Financial Services Cybersecurity Regulation 114

Industry Standards 117

Center for Internet Security Controls 117

International Organization for Standardization 27001 118

Individual Director Liability 120

Chapter 3 Summary 124

Chapter 4 Board Oversight of Cybersecurity 127

The Board’s Role in Overseeing Cybersecurity Strategy 129

Legal Responsibilities 130

Developing an Effective Cybersecurity Governance Framework 131

Best Practices for Board Engagement and Reporting 133

Regular Reporting 133

Use of Metrics 134

Executive Briefings 136

Cybersecurity Drills 137

Independent Assessments 138

Overcoming Objections to Effective Cybersecurity Oversight 139

Promoting a Cybersecurity Culture 141

Chapter 4 Summary 143

Chapter 5 Board Oversight of Cybersecurity: Ensuring Effective Governance 145

The Role of the Board in Overseeing Cybersecurity 147

Developing an Effective Cybersecurity Governance Framework 150

Conduct a Cybersecurity Risk Assessment 150

Implement a Threat Intelligence Program 150

Develop a Risk Management Framework 150

Prioritize High-Impact Risks 151

Regularly Review and Update Risk Management Strategies 151

Strategies for Identifying, Assessing, and Prioritizing Cyber Risks 152

Conducting Cybersecurity Risk Assessments 154

How to Develop and Promote a Culture of Cybersecurity 156

Chapter 5 Summary 158

Chapter 6 Incident Response and Business Continuity Planning 161

Implementing Cybersecurity Policies and Procedures 164

Incident Response and Business Continuity Planning 165

Incident Response Plan 166

Business Continuity Planning 166

Incident Response Planning 167

Defining the Types of Assessments 170

Penetration Testing 170

Vulnerability Scanning 171

Security Risk Assessments 173

Threat Modeling 174

Social Engineering Assessments 175

Compliance Assessments 176

Red Team/Blue Team Exercise 177

Chapter 6 Summary 178

Chapter 7 Vendor Management and Third-Party Risk 181

The Importance of Third-Party Risk Management for Board Members 183

Best Practices for Managing Third-Party Cyber Risk 184

Legal and Regulatory Considerations in Third-Party Risk Management 185

Sample Questions to ask Third-Party Vendors 187

Chapter 7 Summary 189

Chapter 8 Cybersecurity Training and Awareness 191

Importance of Cybersecurity Awareness for All Employees 193

Strategies for Providing Effective Training and Awareness Programs 195

More Detail on Effective Training Strategies 198

Chapter 8 Summary 200

Chapter 9 Cyber Insurance 201

Understanding Cyber Insurance 202

What Is Cyber Insurance? 202

Why Is Cyber Insurance Important? 203

Evolution of Cyber Insurance 204

The Role of the Board in Cyber Insurance 204

Key Components of Cyber Insurance 205

Types of Coverage 205

Policy Limits and Deductibles 206

Exclusions 207

Retroactive Dates 207

Policy Periods 208

Cyber Risk Assessments 208

Evaluating and Purchasing Cyber Insurance 209

Assessing the Organization’s Risk Profile 209

Determining the Appropriate Level of Coverage 210

Selecting an Insurer 211

Negotiating Terms and Conditions 211

Implementing the Policy 212

Managing and Reviewing the Cyber Insurance Policy 213

Filing a Claim 213

Managing a Claim Dispute 214

Reviewing and Renewing the Policy 214

Chapter 9 Summary 215

Chapter 10 Conclusion: Moving Forward with Cybersecurity Governance 219

The Board’s Role in Cybersecurity Governance 222

Key Takeaways and Action Items for Board Members 225

Chapter 10 Summary 226

Appendix A Checklist of Key Considerations for Board Members 229

Appendix B Sample Questions 231

Appendix C Sample Board Meeting Agenda 233

Appendix D List of Key Vendors 235

Appendix E Cybersecurity Resources 237

Appendix F Cybersecurity Books 239

Appendix G Cybersecurity Podcasts 241

Appendix H Cybersecurity Websites and Blogs 243

Appendix I Tabletop Exercise: Cybersecurity Incident Response 245

Appendix J Articles 249

About the Author 253

Acknowledgments 255

Index 257