Cyber resilience and governance with Chris Hetner

Tania Tanic

2024-05-10 · 13 min read

We had the privilege of discussing cyber resilience and governance with Chris Hetner a few days ago. BrainStorm CyberRisque makes this conversation available to you:

Chris Hetner

Chris Hetner is a senior executive, a board member, and a cybersecurity leader recognized for elevating cyber risk to the board level in order to protect industries, infrastructures, and economies. He creates operational resilience by aligning robust cybersecurity strategies with business objectives. Mr. Hetner's professional judgment, combined with a public company perspective and experience with SEC regulation and investor oversight, has enabled him to successfully serve in roles within companies and governments. He currently sits on the board of the private equity fund TCIG, is a senior advisor at the Chertoff Group, special advisor for cyber risk to the NACD, chair of cybersecurity and privacy at the NASDAQ Center for Board Excellence, and a member of the national board of the Society of Hispanic Professional Engineers.

He served as senior cybersecurity advisor to the Chairman of the United States Securities and Exchange Commission (SEC) and was responsible for cybersecurity within the SEC's Office of Compliance Inspections and Examinations. He also represented the SEC Chairman as a senior member of the committee on the financial and banking information infrastructure at the U.S. Department of the Treasury. Among his main contributions were the vision and implementation of the agency's first enterprise-wide cybersecurity governance framework, the threat intelligence program, and incident response capabilities. The cybersecurity framework he established improved the national examination program's ability to monitor and respond to cyber risks and cyber threats across the entire U.S. securities market.

Tania Tanic

Tania Tanic has accumulated twenty-five years of industry experience as a senior executive in cybersecurity, business, and technology, specializing in professional services, banking, insurance, financial services, technology, telecommunications, and other sectors. Tania's hallmark is establishing an overall vision and strategy with boards and executive teams to mitigate cyber risks and raise security awareness while solving business challenges through governance, risk mitigation, compliance, innovation, transformation, and changes in methodology and operating model to enable growth, efficiency, agility, and better competitive positioning in the market.

Tania holds an Executive MBA and a master's degree in business management, as well as a BSc in Computer Science and the Harvard Cybersecurity Certificate. She holds the CPA, ASC-C.DIR, PMP, ITIL, and Lean Master certifications. She advocates for women in information technology and is a strong supporter of DEI in the various organizations with which she has worked. She served on the board of the Institute of Internal Auditors of Quebec (IAIQ) for two years.

Tania Tanic (TT)

Welcome to the BrainStorm CyberRisks discussion channel. Today we are hosting a distinguished guest, Christopher Hetner. We will address the topic of cyber resilience and governance for boards of directors and executives. Hello Chris, how are you?

Christopher Hetner (CH)

I'm doing great. Thank you for giving me the opportunity to be here with you today.

TT

You're welcome, Chris. Could you introduce yourself to the audience?

CH

Yes, of course. Chris Hetner, I've worked in the cybersecurity sector for nearly 30 years. Most of the time, early on, I supported and built security centers, data centers, and operations centers for financial services organizations here in New York. I had the opportunity to hold the position of global head of information security for GE Capital. We had a very large financial institution, with about $500 billion in assets across 100 countries. I then spent a few years in management consulting, leading Ernst & Young's cybersecurity service for asset management. At that time, I had the unique opportunity to become senior cybersecurity advisor to the Securities and Exchange Commission, within the Chairman's office. So I served and was appointed under the leadership of Mary Jo White and Jay Clayton. Most of my policy and rulemaking activities now take place on the financial markets and concern the information communicated by the SEC to publicly traded companies. In my current roles, I am senior cybersecurity advisor to the National Association of Corporate Directors, which has about 23,000 board members, and I focus on developing effective reporting on cyber risk governance and, with the new SEC rules, on providing a level of transparency for disclosure purposes. We look forward to working with your ecosystem. Thank you for inviting me today.

TT

Wow, an incredible background. Thank you, Chris. Chris, I'd like to move right to our topic. As we know, board members play a critical role in cyber resilience and governance by providing oversight, advice, and strategic direction to ensure the organization effectively manages cybersecurity, risks, and cyber resilience. First, how do you define cyber resilience?

CH

That's an excellent question. The way we define resilience within our community is understanding the level of risk you are willing to accept, to mitigate, and, in some cases, to transfer using an effective insurance platform. So, when we talk about resilience in cybersecurity, we are talking about the level of risk appetite. We've discussed the level of appetite you will take in terms of risk. I'll give you an example. Take the example of a potential ransomware that would cause an outage in your company. You're completely down. We talk with our board members to determine their risk tolerance. Is it 12 hours, 24 hours, 48 hours? A week? As a board member, I discuss with the CISO or the CIO, and you tell me what is acceptable from a risk appetite perspective. And if they tell me we cannot exceed 12 hours, we must ensure we are operational and restore our operations within 12 hours. Those are now my parameters that allow me to build that security architecture to ensure we maintain that point of resilience. So when we talk about resilience, it's the ability to recover within a set of parameters we have defined. It's the ability to recover within parameters based on business, operational, and financial risks.

TT

Thank you, Chris, for that definition, and it's a good introduction to the next questions. In your view, Chris, how do Canadian and American companies approach cyber risk management differently?

CH

In the United States, my experience is mostly oriented toward financial services, Wall Street, the very large banking institutions and, consequently, a significant amount of regulation coming out of Washington DC, whether it's the Federal Reserve Bank, the OCC, the U.S. Treasury, the SEC, etc. That's what we call the "alphabet soup" of regulators, right? It's a very wide range of regulators. In the Canadian markets, from my experience, I haven't seen as much enhanced regulation. Also, the number of regulatory bodies or agencies seems to be smaller compared to what we have here in the United States, so I think that will be a factor. But listen, if you are a Canadian company, you likely do business in the United States or, if you are a U.S. company, you do business in Canada. So I think it should be possible to create synergies from a regulatory landscape rather than creating unique cyber risk resilience and governance profiles for each country, and simply create a unified framework that satisfies both.

TT

Thank you, Chris, for this overview. My next question is: what are the responsibilities of boards of directors and senior executives regarding cyber resilience and governance? Can you give them three or four pieces of advice?

CH

When I think about board responsibility, I think you're there as an advisor to management. To help provide guidance, you know, bring in external expertise. Hire firms like yours, BrainStorm Cyber Risk, to get an independent view of the effectiveness of their program. Transparency and outside perspectives are therefore essential. It is also important to ask the right questions of management about how they are deploying their program. Capital resources, technology, personnel processes. Regarding cyber risk management, I would also look at it as a board member and as a member of the executive committee. What is the frequency and relevance of the cyber risk reports being provided? What we find, across NACD's 23,000 board members, is that the reports that have the most impact on the board are those that are contextualized to the company's operational and financial risk. Rather than diving deep into technology—we can have those conversations separately through a dedicated risk committee—I think the most effective underlying approach is aligning cyber threats with your company's profile. Based on how they could cause material harm to the business, operations, and finances, and then discussing the level of risk you are willing to accept, you can ask what level of risk can be transferred using a risk management system. What portion of risk can we transfer via a potential insurance policy? Then the balance is reached. So we have this residual risk. How are we going to deploy our limited resources?

TT

Thank you for those three recommendations, Chris, and moving to the next question about how the board and management should engage with external stakeholders such as regulators, shareholders, and customers on cyber risk issues.

CH

The external stakeholders—you listed them—customers, regulators, investors and shareholders. I think the time has come to be totally transparent about how you approach and manage cyber risks, and therefore to explain to the public that you have the right processes in place, that you have the right governance capabilities. Talk about your risk management practices without giving too many details, right? Then, if an event or incident occurs and has a material impact on your business, you have an obligation to inform the regulators. You have an obligation to inform regulators or investors and shareholders that, hey, we had an incident, we've contained it, it's not material. We had an incident, it's ongoing. We're investigating again, but we think it could be a potential material event, so I think the watchword is transparency.

TT

Thank you very much, Chris. Every day we hear about cyberattacks in different countries and industries. What lessons can be learned from recent major cyberattacks in Canada and the United States and how can they inform cyber resilience and governance practices?

CH

So, if we think about it. Some of the main cyberattacks, we see a trend toward ransomware. They cause business interruptions. The inability to run your systems. Some casinos, some gaming platforms here in the United States were hit by ransomware that resulted in an inability to operate their systems. Some of these companies are also manufacturers that suffered significant financial write-downs on the order of hundreds of millions of euros. In Canada, I believe it was in the Toronto area that a hospital system, the health system, suffered a ransomware attack, which resulted in data loss but also operational loss, and led to a class action. There was data loss, but also loss of operations and there was a class action on the order of $500 million against that company, which is very costly, right? If you think about regulatory fines and class actions. But it's also costly if you are unable to operate. So you have to incorporate these cost factors into the board discussion to ensure that capital is properly allocated. I believe these are lessons learned that we must leverage.

TT

Thank you very much, Chris, for this valuable information. How can boards and executives stay informed about new cyber threats and trends so they can make informed decisions about cyber risk management?

CH

Yes, excellent question. Boards are therefore largely composed of executives or accountants, maybe even lawyers, right? One approach we've seen work very effectively is to bring in insights. They are not necessarily cybersecurity experts. Regarding combating the cyber threat. We use peer analysis, that is, similar-type companies that have faced threats of any kind. What types of events did they have? And to what extent did they recover and respond effectively? Learning through other companies' activities and events can therefore be very instructive for a leadership community. I always encourage boards to engage external experts independent from management. In fact, some U.S. judicial systems, particularly Delaware courts, where many companies are incorporated, recommend that the board engage outside experts for cyber, ESG, or compliance matters. So it's an area receiving particular attention from regulatory commissions here. It's therefore an area that is encouraged and strongly recommended.

TT

Chris, when you talk about external expertise independent from management, is that to compensate for the lack of cyber risk and cybersecurity expertise around the boardroom table?

CH

That's correct. That's absolutely correct and you know, in some cases, some boards may decide to recruit a cyber expert onto the board. I've seen that work very effectively and very limitedly because what happens is you have a very technical person who talks with your management team, and it becomes a very narrow one-on-one conversation, and the whole board, in a way, steps back and doesn't bring much business context to the table. So I encourage organizations to hire those external experts and integrate them with the board and have them work every quarter so they bring new ideas and new perspectives.

TT

Chris, thank you very much for this great discussion and it's always a pleasure to talk with you. We're done for today and we thank you for participating in the discussion on the BrainStorm CyberRisks channel. See you soon and have a good day.

CH

Looking forward to our next discussion.
