Cyber resilience and governance with Chris Hetner

We had the privilege of discussing cyber resilience and governance with Chris Hetner a few days ago. BrainStorm CyberRisk is making this conversation available to you:
Chris Hetner is a senior executive, board member, and cybersecurity leader recognized for elevating cyber risk to the board level to protect industries, infrastructure, and economies. He creates operational resilience by aligning robust cybersecurity strategies with corporate objectives. Mr. Hetner's professional judgment, combined with a public company perspective and experience in SEC regulation and investor oversight, has allowed him to successfully serve in corporate and government roles. He currently serves on the board of directors of the private equity fund TCIG, is a senior advisor to The Chertoff Group, a special advisor for cyber risk to the NACD, the chair of cybersecurity and privacy for the NASDAQ Center for Board Excellence, and a national board member of the Society of Hispanic Professional Engineers.
He served as the Senior Cybersecurity Advisor to the Chairman of the U.S. Securities and Exchange Commission (SEC) and as the Cybersecurity Officer in the SEC's Office of Compliance Inspections and Examination. He also represented the SEC Chairman as a Senior Member of the U.S. Department of the Treasury's Committee on Financial and Banking Information Infrastructure. His key contributions included the vision and implementation of the first agency-wide cybersecurity governance structure, threat intelligence program, and incident response capabilities. The cybersecurity framework he established enhanced the National Examination Program's ability to monitor and respond to cyber risks and threats across the U.S. securities market.

Tania Tanic has accumulated twenty-five years of industry experience as a senior executive in cybersecurity, business, and technology, specializing in professional services, banking, insurance, financial services, technology, telecommunications, and other sectors. Tania's signature approach is establishing a comprehensive vision and strategy with boards of directors and management teams to mitigate cyber risks and enhance security awareness while addressing business challenges through governance, risk mitigation, compliance, innovation, transformation, and changes in methodology and operating model to enable growth, efficiency, agility, and improved competitive positioning in the market.
Tania holds an Executive MBA and a Master's degree in Business Administration, as well as a BSc in Computer Science and the Harvard Cybersecurity Certificate. She is a CPA, ASC-C.DIR, PMP, ITIL, and Lean Master. She is a strong advocate for women in information technology and a passionate supporter of EDI in the various organizations she has worked with. She served on the board of directors of the Quebec Institute of Internal Auditors (IAIQ) for two years.
Tania Tanic (TT)
Welcome to the BrainStorm Cyber Risks discussion channel. Today we have a special guest, Christopher Hetner. We'll be discussing cyber resilience and governance for boards and executives. Hi Chris, how are you?
Christopher Hetner (CH)
I'm doing wonderfully. Thank you for giving me this opportunity to be here with you today.
TT
You are most welcome, Chris. Could you please introduce yourself to the audience?
CH
Yes, of course. Chris Hetner, I've worked in the cybersecurity industry for almost 30 years. Mostly in the beginning, I supported and built security centers, data centers, and operations centers for financial services organizations here in New York. I had the opportunity to work as Global Chief Information Security Officer for GE Capital. We had a very large financial institution, with approximately $500 billion in assets in 100 countries. I then spent a few years in management consulting, leading Ernst & Young's cybersecurity practice for financial asset management. During that time, I had the unique opportunity to become Senior Cybersecurity Advisor to the Securities and Exchange Commission, in the Office of the Presidents. So I served and was appointed under the leadership of Mary Jo White and Jay Clayton. Most of my policy and rulemaking work now takes place in the financial markets and involves information the SEC reports to publicly traded companies. In my current role, I am the Senior Cybersecurity Advisor to the National Association of Corporate Directors, which has approximately 23,000 board members, and I focus on developing effective reporting on cyber risk governance and, with the new SEC rules, providing a level of transparency for disclosure purposes. We look forward to working with your ecosystem. Thank you for having me today.
TT
Wow, an incredible background. Thank you, Chris. Chris, I'd like to move on to our topic. As we know, board members play a vital role in cyber resilience and governance by providing oversight, guidance, and strategic direction to ensure the organization effectively manages cybersecurity, risk, and cyber resilience. First, how do we define cyber resilience?
CH
That's an excellent question. The way we define resilience within our community is understanding the level of risk you're willing to accept, mitigate, and, in some cases, transfer using an effective insurance platform. So, when we talk about resilience in the cybersecurity context, we're talking about risk appetite. We've discussed the level of risk appetite you're willing to take. Let me give you an example. Imagine a potential ransomware attack that causes a complete shutdown of your business. You're completely shut down. We discuss with our board members what their risk appetite is. Is it 12 hours, 24 hours, 48 hours? A week? As a board member, I discuss this with the CISO or CIO, and you tell me what's acceptable from a risk appetite perspective. And if they tell me we can't exceed 12 hours, we have to ensure we're operational and that we restore our operations within 12 hours. These are the parameters that allow me to build this security architecture to ensure we maintain this level of resilience. So when we talk about resilience, it's about the ability to recover within a set of parameters we've defined. It's about the ability to recover within certain parameters based on business, operational, and financial risks.
TT
Thank you, Chris, for that definition; it's a good introduction to the following questions. In your opinion, Chris, how do Canadian and American companies approach cyber risk management differently?
CH
In the United States, my experience is mostly focused on financial services, Wall Street, very large banking institutions, and consequently, a significant number of regulations emanating from Washington, D.C., whether it's the Federal Reserve Bank, the OCC, the U.S. Treasury, the SEC, and so on. It's what we call regulatory "alphabet soup," isn't it? It's a very broad spectrum of regulators. In the Canadian markets, in my experience, I haven't seen nearly as much increased regulation. Furthermore, the number of regulatory bodies or agencies seems to be smaller compared to what we have here in the United States, so I expect that will be the case. But look, if you're a Canadian company, you're likely doing business in the United States, or if you're an American company, you're likely doing business in Canada. I therefore believe it should be possible to create synergies from a regulatory landscape instead of creating unique cyber risk resilience and governance profiles for each country, and simply create a unified construct that satisfies both.
TT
Thanks Chris for this overview. My next question is: what are the responsibilities of boards of directors and senior management regarding cyber resilience and governance? Can you offer them three or four pieces of advice?
CH
When I think about the board's responsibility, I think of you as an advisor to management. To help provide guidance, you know, bring in outside expertise. Engage companies like yours, Brainstorm Cyber Risk, to get an independent perspective on the effectiveness of their program. Transparency and outside perspectives are therefore essential. It's also important to ask the right questions of management about how they're deploying their program: capital resources, technology, personnel processes. With respect to cyber risk management, I would also examine it as a board member and as a member of the executive committee. How frequently and appropriately are the cyber risk reports being provided? What we're seeing is that across the 23,000 NACD board members, the reports that have the most impact on the board are those that are contextualized to the company's operational and financial risk. Rather than diving deep into the technology—we can have those conversations separately through a dedicated risk committee—I believe the most effective underlying approach is to align cyber threats with your business profile. Based on how they could cause physical damage to the business, operations, and finances, and then discussing the level of risk you're willing to accept, you can ask what level of risk you can transfer using a risk management system. How much risk can you transfer through a potential insurance policy? Then you reach a balance. So you have this residual risk. How will you deploy your limited resources?
TT
Thank you for these three recommendations, Chris. Let's move on to the next question: how should the board and management engage with external stakeholders such as regulators, shareholders, and customers on cyber-risk issues?
CH
You've listed the external stakeholders, you know: customers, regulators, investors, and shareholders. I think the time has come to be completely transparent about how you address and manage cyber risks, and therefore to explain to the public that you have the right processes in place and the right governance capabilities. You need to explain to the public that you have the right processes and governance capabilities. Talk about your risk management practices without going into too much detail, right? Then, if an event or incident occurs and materially impacts your business, you have an obligation to inform the regulatory authorities. You have an obligation to inform regulators, investors, and shareholders that, hey, we had an incident, we contained it, it's not serious. We had an incident, it's ongoing. We are investigating again, but we believe it could be a potential physical event, so I think the watchword is transparency.
TT
Thank you very much, Chris. Every day we hear about cyberattacks in different countries and sectors. What lessons can be learned from the recent major cyberattacks in Canada and the United States, and how can they inform cyber resilience and governance practices?
CH
So, if we think about it, some of the major cyberattacks are due to a trend toward ransomware. It causes business interruptions, making it impossible to operate your systems. Some casinos and gaming platforms here in the United States have been victims of ransomware attacks that rendered their systems unusable. Some of these companies are also manufacturers that have suffered significant financial losses, in the hundreds of millions of euros. In Canada, I believe it was in the Toronto area that a hospital system, the healthcare system, was the victim of a ransomware attack, which resulted in data loss, but also business interruption, and which led to a class-action lawsuit. There was a loss of data, but also a loss of operations, and there was a class-action lawsuit of around $500 million against the company, which is very costly, isn't it? Considering the regulatory fines and the class actions. But it's also costly if you're unable to operate. So, these cost factors need to be factored into the board discussion to ensure that capital is allocated correctly. I believe these are lessons learned that we need to apply.
TT
Thank you so much, Chris, for this valuable information. How can boards of directors and executives stay informed about new cyber threats and trends in order to make informed decisions regarding cyber risk management?
CH
Yes, excellent question. So the board is largely composed of managers or accountants, perhaps even lawyers, right? One approach we've seen work very effectively is bringing in ideas. They aren't necessarily cybersecurity experts. Regarding the fight against cyber threats, we use peer analysis—that is, analysis from similar companies that have faced threats of some kind. What kinds of events did they experience? And how well did they recover and respond effectively? Learning from other activities and events can be very instructive for a leadership community. I always encourage boards to bring in external experts who are independent of management. In fact, some US judicial systems, particularly the courts in Delaware, where many companies are incorporated, recommend that boards of directors engage external experts on cybersecurity, ESG, and compliance matters. This is therefore an area of particular attention from the Regulatory Commission here. It is thus an area that is encouraged and strongly recommended.
TT
Chris, when you talk about independent external expertise from management, is this to compensate for the lack of expertise in cyber-risk and cybersecurity around the board table?
CH
That's right. That's absolutely correct, and you know, in some cases, some boards of directors may decide to bring a cybersecurity expert onto the board. I've seen this work very effectively, but with very limited results, because what happens is you have a very technical person talking with your senior management team, and it becomes a very myopic, one-on-one conversation, and the entire board, in a way, withdraws and doesn't bring much business context to the table. So I encourage organizations to hire these external experts and bring them onto the board and have them work quarterly to bring fresh ideas and perspectives.
TT
Chris, thank you so much for this great discussion, and it's always a pleasure talking with you. We've wrapped up for today, and we thank you for participating in the discussion on the Cyber Risk Brainstorm channel. See you soon, and have a great day.
CH
Looking forward to our next discussion.

