Cyber resilience and governance with Chris Hetner

François M. Tremblay

10.5.2024

We had the privilege of discussing cyber resilience and governance with Chris Hetner a few days ago. BrainStorm CyberRisk makes this conversation available to you:

Chris Hetner is a senior executive, board member, and cybersecurity leader recognized for elevating cyber risk to the board level to protect industries, infrastructure, and economies. He creates operational resilience by aligning robust cybersecurity strategies with corporate objectives. Mr. Hetner's professional judgment, combined with a public company perspective and experience in SEC regulation and investor oversight, has allowed him to successfully serve in corporate and government roles. He currently serves on the board of directors of the private equity fund TCIG, is a senior advisor to The Chertoff Group, a special advisor for cyber risk to the NACD, the chair of cybersecurity and privacy for the NASDAQ Center for Board Excellence, and a national board member of the Society of Hispanic Professional Engineers.

He served as the Senior Cybersecurity Advisor to the Chairman of the U.S. Securities and Exchange Commission (SEC) and as the Cybersecurity Officer in the SEC's Office of Compliance Inspections and Examination. He also represented the SEC Chairman as a Senior Member of the U.S. Department of the Treasury's Committee on Financial and Banking Information Infrastructure. His key contributions included the vision and implementation of the first agency-wide cybersecurity governance structure, threat intelligence program, and incident response capabilities. The cybersecurity framework he established enhanced the National Examination Program's ability to monitor and respond to cyber risks and threats across the U.S. securities market.

Tania Tanic has twenty-five years of industry experience as a senior executive in cybersecurity, business, and technology, specializing in professional services, banking, insurance, financial services, technology, telecommunications, and other sectors. Tania's signature is establishing a comprehensive vision and strategy with boards and management teams to mitigate cyber risks and improve security awareness while solving business challenges through governance, risk mitigation, compliance, innovation, transformation, and changes in methodology and operating model to enable growth, efficiency, agility, and better competitive positioning in the marketplace.

Tania holds an Executive MBA and a Master's degree in Business Administration, as well as a BSc in Computer Science and the Harvard Cybersecurity Certificate. She holds CPA, ASC-C.DIR, PMP, ITIL, and Lean Master certifications. She advocates for women in information technology and is a strong supporter of EDI in the various organizations she has worked with. She served on the board of directors of the Institute of Internal Auditors of Quebec (IAIQ) for two years.

Tania Tanic (TT)

Welcome to the BrainStorm Cyber Risks discussion channel. Today we have a special guest, Christopher Hetner. We will discuss the topic of cyber resilience and governance for boards and executives. Hello Chris, how are you?

Christopher Hetner (CH)

I'm doing great. Thank you for giving me this opportunity to be here with you today.

TT

You're welcome, Chris. Can you introduce yourself to the audience?

CH

Yeah, sure. Chris Hetner, I've been in the cybersecurity industry for almost 30 years. Most of that early on, I was supporting and building security centers, data centers, and operations centers for financial services organizations here in New York. I had the opportunity to serve as the global chief information security officer for GE Capital. We had a very large financial institution, about $500 billion in assets in 100 countries. I then spent a few years in the management consulting industry, leading Ernst & Young's cybersecurity practice for financial asset management. At that time, I had the unique opportunity to become a senior cybersecurity advisor to the Securities and Exchange Commission in the Office of the Presidents. So I served and was appointed under Mary Jo White and Jay Clayton. Most of my policy and rulemaking work now takes place in the financial markets and relates to the disclosures that the SEC makes to publicly traded companies. In my current role, I am a senior cybersecurity advisor to the National Association of Corporate Directors, which has approximately 23,000 board members, and I focus on developing effective reporting on cyber risk governance and, with the new SEC rules, providing a level of transparency for disclosure purposes. We look forward to working with your ecosystem. Thank you for inviting me today.

TT

Wow, that's an incredible background. Thanks, Chris. Chris, I want to jump right into our topic. As we know, board members play a critical role in cyber resilience and governance by providing oversight, guidance, and strategic direction to ensure the organization is effectively managing cybersecurity, risk, and cyber resilience. First, how do you define cyber resilience?

CH

That's a great question. The way we define resilience in our community is understanding the level of risk that you're willing to accept, mitigate, and in some cases transfer using an effective insurance platform. So when we talk about resilience in cyber, we're talking about the level of risk appetite that you're going to take. I'll give you an example. Let's take the example of a potential ransomware attack that causes an outage in your business. You're completely shut down. We talk to our board members to find out what their risk appetite is. Is it 12 hours, 24 hours, 48 hours? A week? As a board member, I talk to the CISO or the CIO, and you tell me what's acceptable from a risk appetite perspective. And if they tell me we can't go beyond 12 hours, we need to make sure that we're up and running and that we're back up and running within 12 hours. Now those are my parameters that allow me to build that security architecture to make sure that we maintain that point of resilience. So when we talk about resilience, it's the ability to recover within a certain number of parameters that we've defined, parameters that are based on business, operational and financial risks.

TT

Thank you, Chris, for that definition, and it's a good introduction to the following questions. In your opinion, Chris, how do Canadian and American companies approach cyber risk management differently?

CH

In the United States, my experience is more in financial services, Wall Street, very large banking institutions and therefore a significant amount of regulation coming out of Washington, DC, whether it's the Federal Reserve Bank, the OCC, the U.S. Treasury, the SEC, et cetera. That's what we call the regulatory alphabet soup, right? It's a very broad range of regulators. In Canadian markets, in my experience, I haven't seen as much regulation. Also, the number of regulatory bodies or agencies seems to be reduced compared to what we have here in the United States, so I think there will be that. But listen, if you're a Canadian company, chances are you're doing business in the United States or, if you're a U.S. company, you're doing business in Canada. So I think it should be possible to create synergies from a regulatory landscape instead of creating unique cyber risk resilience and governance profiles for each country, and just create a unified construct that satisfies both.

TT

Thanks Chris for that overview. My next question is, what are the responsibilities of boards and senior executives when it comes to cyber resilience and governance? Can you give them three or four pieces of advice?

CH

When I think about the responsibility of the board, I think you're there as an advisor to management. To help provide advice, you know, bring in outside expertise. Engage companies like yours, BrainStorm CyberRisk, to get an independent perspective on the effectiveness of their program. So transparency and outside perspectives are key. It's also important to ask the right questions of management about how they're implementing their program: capital resources, technology, people, processes. When it comes to cyber risk management, I would also look at that as a board member and as a member of the executive committee. How frequent and how relevant are the cyber risk reports that are being provided? What we find is that across the 23,000 NACD board members, the reports that have the most impact on the board are the ones that are contextualized to the operational and financial risk of the company. Rather than diving deep into technology – we can have those separate conversations through a dedicated risk committee – I think the most effective underlying approach is to align cyber threats with your business profile. Based on how they could cause physical damage to the business, operations and finances, and then discussing how much risk you are willing to accept, you can ask yourself how much risk can you transfer using a risk management system? How much risk can we transfer through an insurance policy? Then you have the balance. So you have this residual risk. How do we deploy our limited resources?

TT

Thanks for those three recommendations, Chris. Moving on to the next question: how should the board and management engage with external stakeholders such as regulators, shareholders and customers on cyber risk issues?

CH

External stakeholders, you listed them, you know, customers, regulators, investors and shareholders. I think now is the time to be completely transparent about how you approach and manage cyber risk, and therefore explain to the public that you have the right processes in place, that you have the right governance capabilities. Talk about your risk management practices without giving too much detail, right? Then, if an event or an incident occurs that has a material impact on your business, you have an obligation to inform the regulators or the investors and shareholders that, hey, we had an incident, we got it under control, it's not a big deal. Or: we had an incident, it's ongoing, we're investigating, but we think it could be a potential material event. So I think the watchword is transparency.

TT

Thank you very much, Chris. Every day we hear about cyberattacks in different countries and industries. What lessons can be learned from the recent major cyberattacks in Canada and the United States and how can they inform cyber resilience and governance practices?

CH

So if we think about it, some of the major cyberattacks, it's because we're seeing a trend toward ransomware. They cause business interruptions. The inability to operate your systems. Some of the casinos, some of the gaming platforms, here in the United States, have had a ransomware attack that has caused their systems to be unable to operate. Some of these companies are also manufacturers that have suffered significant financial writedowns in the hundreds of millions of euros. In Canada, I think it was in the Toronto area that a hospital system, the health system, had a ransomware attack, which resulted in data loss, but also business interruption, and that was the subject of a class action lawsuit. There was a loss of data, but there was also a loss of operations and there was a $500 million class action lawsuit against this company, which is very costly, right? If you think about regulatory fines and class actions. But it's also costly if you're not able to operate. So those cost factors need to be brought into the boardroom discussion to make sure that capital is allocated appropriately. I think those are lessons learned that we need to build on.

TT

Thank you very much Chris for this valuable information. How can boards and executives stay informed about new cyber threats and trends in order to make informed decisions regarding cyber risk management?

CH

Yeah, great question. So the board is largely made up of executives or accountants, maybe even lawyers, right? They're not necessarily cyber experts. One approach that we've seen work very effectively is to bring in ideas. In terms of combating the cyber threat, we use peer reviews, which are similar companies that have faced threats of some kind. What kinds of events have occurred? And how well have they recovered and responded? So learning from other activities, other events can be very informative to a management community. I always encourage boards to bring in outside experts, independent of management. In fact, some court systems in the United States, particularly the courts in Delaware, where many companies are incorporated, recommend that the board of directors engage outside experts on cyber, ESG, or compliance issues. So that's an area that's getting a lot of attention from the Regulatory Commission here. So that's an area that's encouraged and highly recommended.

TT

Chris, when you talk about external expertise independent of management, is that to address the lack of cyber risk and cyber security expertise around the board table?

CH

That's right. That's absolutely right and, you know, in some cases, some boards may decide to hire a cyber expert on the board. I've seen that work very effectively and very limited, because what happens is you have a very technical person talking to your executive team, and it becomes a very myopic one-on-one conversation, and the whole board kind of pulls back and doesn't bring a lot of business context to the table. So I encourage organizations to hire those outside experts and bring them on the board and have them work on a quarterly basis to bring new ideas and new perspectives.

TT

Chris, thank you so much for this great discussion; it's always a pleasure to talk with you. We're done for today, and thank you for joining us on the Cyber Risk Brainstorm channel. See you soon and have a great day.

CH

Looking forward to our next discussion.

© 2025 Brainstorm Cyberrisque Inc. All rights reserved.