Cyber resilience and governance with Chris Hetner

François M. Tremblay
10.5.2024

We had the privilege of discussing cyber resilience and governance with Chris Hetner a few days ago. BrainStorm CyberRisk makes this conversation available to you:

Chris Hetner is a Senior Executive, Board Director, and leader in cybersecurity recognized for raising cyber risk to the corporate board level to protect industries, infrastructures, and economies. He creates operational resilience by aligning robust cybersecurity strategies with business objectives. Mr. Hetner's professional judgment, combined with a public company perspective and SEC regulatory and investor oversight experience, has led to his success in corporate and government roles. Currently, he is on the board of directors of the PE fund TCIG, a Senior Advisor for the Chertoff Group, the Special Advisor for Cyber Risk for the NACD, Chair of Cybersecurity and Privacy for the NASDAQ Center for Board Excellence, and a National Board Member of the Society of Hispanic Professional Engineers.

He served as the Senior Cybersecurity Advisor to the Chair of the United States Securities and Exchange Commission and as Head of Cybersecurity for the Office of Compliance Inspections and Examinations at the SEC. He also represented the Chair of the SEC as a senior member of the US Department of the Treasury Financial and Banking Information Infrastructure Committee. His greatest contributions included the vision for and implementation of the first agency-wide cybersecurity governance structure, threat intelligence program, and incident response capabilities. The cybersecurity framework he implemented improved the National Examination Program's ability to monitor and respond to cyber risks and threats across the US securities market.

Tania Tanic has accumulated twenty-five years of industry experience as a senior executive in cybersecurity, business and technology, specializing in professional services, banking, insurance, financial services, technology, telecommunications and other sectors. Tania's signature is establishing a holistic vision and strategy with boards and executive teams to mitigate cyber risks and improve security awareness while solving business challenges through governance, risk mitigation, compliance, innovation, transformation and changes in methodology and operating model to enable growth, efficiency, agility and better competitive positioning in the market.

Tania earned an Executive MBA and a Master's in Corporate Management to go with a BSc in IT and the Harvard Cybersecurity Certificate. She holds CPA, ASC-C.DIR, PMP, ITIL and Lean Master certifications. She is an advocate for Women in IT and a DEI Champion in the various organizations she has worked with. She was a member of the Board of Directors of the Institut des auditeurs internes du Québec (IIAQ) for two years.

Tania Tanic (TT)

Welcome to the Brainstorm Cyber Risk channel. We are here with our distinguished guest Christopher Hetner, and the theme today is cyber resilience and governance for boards and the C-level. Hi Chris. How are you today?

Christopher Hetner (CH)

I'm doing fantastic. Thanks for having me. I really appreciate the opportunity.

TT

You're welcome, Chris. Can you please introduce yourself to the audience?

CH

Yeah, sure. So again, Chris Hetner, I've been in the cybersecurity industry for close to 30 years. Most of my earlier days I was supporting and building security, data centers and operations centers for financial services organizations here in New York. I had the opportunity to serve as global Chief Information Security Officer for GE Capital. We were a very large financial institution, roughly $500 billion in assets across 100 countries. And then a few years within management consulting, running the Ernst and Young cybersecurity practice for wealth and asset management. During that time, I had a very unique opportunity to go serve as senior cybersecurity advisor to the Securities and Exchange Commission within the Chair's Office. So, I served and was named under both Mary Jo White and Jay Clayton. And most of my policy and rulemaking activity is now bleeding through the financial markets pertaining to SEC disclosures for publicly traded companies. In my current role, I serve as a senior cybersecurity advisor to the National Association of Corporate Directors, where we serve roughly 23,000 board members, and really the focus is on driving effective cyber risk governance reporting and now, with the new SEC rules, providing that level of transparency for disclosure purposes. And I look forward to working across your ecosystem. So, thanks for having me today.

TT

Wow, amazing background. Thank you, Chris. So Chris, I want to jump to the purpose. As we know, board members play a critical role in cyber resilience and governance by providing oversight, guidance, and strategic direction to ensure the organization effectively manages cybersecurity risk and cyber resilience. First of all, how can we define cyber resilience?

CH

It's a great question. So the way we define resiliency within our community is the understanding of how much risk you're willing to accept, mitigate and in some cases transfer using an effective insurance platform. And so, when we talk about resiliency as it pertains to cyber, we talk about the level of appetite that you're going to undertake in terms of risk. I'll give you an example. Let's talk about a potential ransomware event that creates an outage across your business. You're completely shut down. And we have conversations with our board members to talk about what's their risk appetite. Is it 12 hours, 24 hours, is it 48 hours? Is it a week? You tell me, as a board member talking to the CISO or with the CIO, you tell me what's acceptable from a risk appetite standpoint. And if they say, well, we cannot exceed 12 hours, we have to make sure we're up and running and restoring our operations within 12 hours. Well, those are now my parameters by which I go and build that security architecture to make sure that we're maintaining that resiliency point. So when we talk about resilience, it's talking about the ability to recover within certain parameters that are informed based on business, operational and financial risk.

TT

Thank you, Chris, for this definition, and it's a good introduction for the next questions. In your point of view, Chris, how do Canadian and American companies approach cyber risk management differently?

CH

So within the US, my experience is fairly oriented towards financial services, Wall Street, very large banking institutions, and so with that comes a significant amount of regulation emanating from Washington DC, whether it be the Federal Reserve Bank, the OCC, U.S. Treasury, SEC. We call it regulatory alphabet soup, right? It's a very wide, broad range of regulators. Within the Canadian markets, based on my experience, I haven't seen as much heightened, you know, regulation. And plus, the number of bodies, or regulatory bodies, seems to be reduced relative to what we have here in the US, so I think there's that. But look, if you're a Canadian company, you're likely going to be doing business in the United States, or if you're a U.S. company, you're likely going to be doing business in Canada. So, I think there should be an opportunity to create synergies from a regulatory landscape: instead of creating unique cyber risk resiliency and governance profiles for each country, just create a unified construct that satisfies both.

TT

Thank you, Chris, for this overview. So my next question: what are the responsibilities of boards and the C-level in cyber resilience and governance? Can you give them three or four pieces of advice?

CH

So as I think about the board responsibility, I think about #1, you're there as an advisor to management, to help provide guidance, you know, bring in outside expertise. Engage companies like you, Brainstorm Cyber Risk, as an independent perspective as to how effectively they're running their program. So having transparency, having outside perspectives is super critical. It's also important to ask the right questions of management in terms of how they're deploying capital resources, technology, people and process surrounding the management of cyber risk. And then, I would also look at it as a board member and as a board room: what's the frequency and substance behind the cyber risk reporting that's being delivered? And what we see as a pattern across our NACD 23,000 board members is that the board reporting that most closely resonates with the board is one that's contextualized to business, operational and financial risk, versus going into a deep dive on the technology. Like, we can have those separate conversations through a separate risk committee, but I believe really the underlying approach that's most effective is aligning cyber threats to your business profile, based on how it could introduce material business, operational and financial harm, and then having a conversation around, OK, so how much risk are we willing to accept? How much risk can we transfer using a potential insurance policy? And then the balance is, OK, so we have this residual risk. How do we go and deploy our limited capital resources to maintain, to your prior question, the right level of resiliency, right?

TT

Thank you for the three takeaways, Chris. To jump to the next question: how should boards and executives engage with external stakeholders such as regulators, shareholders and customers on cyber risk matters?

CH

So external stakeholders, you've listed, you know, clients, customers, regulators, investors and shareholders. I believe now's the time to be completely transparent around how you're addressing and governing cyber risk, so explaining to the public that you have the right processes in place, you have the right governance capabilities in place. Talk about your risk management practices without giving too much detail, right? And then secondly, if an event were to occur or an incident were to occur that has a material impact on your business, you have an obligation to inform the regulators or inform the investors and shareholders that, hey, we had an incident, we contained it, no big deal. We had an incident, it's ongoing. We're investigating it, but we think this could be a potential material event. So I believe the undertone here is really transparency.

TT

Thank you very much, Chris. Every day we hear about cyber attacks in different countries and industries. What lessons can be learned from the recent major cyber attacks in Canada and the US, and how can they inform cyber resilience and governance practices?

CH

So if we think about some of the major cyber attacks, it's because we're seeing a trend towards ransomware that's creating business interruption, the inability to operate your systems. There are some casinos, gaming platforms here in the United States that had a ransomware attack resulting in disruption to their business. Some of these companies are also manufacturers that have taken significant financial write-downs in the order of hundreds of millions of. In Canada, I believe in the Toronto region, there was a hospital system, the healthcare system, that was ransomed. I believe there was a loss of data but also a loss of operations, and there is a class-action suit being targeted against that platform in the order of $500 million. So it's really costly, right? If you think about the regulatory fines and the class-action suits. But it's also costly if you're unable to operate. And bringing those cost factors into the boardroom to make sure that you're allocating capital properly, I believe these are lessons learned that we need to move forward with.

TT

Thank you so much, Chris, for this precious information. So how can boards and executives stay informed about emerging cyber threats and trends to make informed decisions about cyber risk management?

CH

Yeah, great question. So the boardroom is largely composed of executives or accountants, perhaps even lawyers, right? They're not necessarily cyber experts. So an approach that we've seen work very effectively is bringing forward insights in terms of how other companies have performed relative to addressing the cyber threat. We bring in peer analysis, so similar types of companies: what types of threats have they faced? What types of events have they realized? And then how effectively did they recover and respond? So learning through other activities, other events, can be very informative for a boardroom community. And look, yeah, I always encourage boards to bring in outside expertise independent of management. In fact, some of the court systems within the United States, particularly the Delaware courts, where many US corporations are incorporated, they recommend maintaining outside expertise to the board on matters of cyber or matters of ESG or matters of compliance. So that's an area that is encouraged and highly recommended.

TT

So, Chris, when you talk about outside expertise independent of management, is it to overcome the lack of expertise in cyber risk and cybersecurity around the boardroom table?

CH

Correct. That's spot on, and you know, in some cases some boards may decide to bring in and hire a dedicated cyber expert on the board. I've seen that work very effectively in very limited cases, because what happens is you have a very technical individual speaking with your management team, and it becomes a very myopic one-to-one conversation, and the entirety of the board kind of checks out, and it's not bringing much business context to the table. So, I encourage organizations to hire those outside experts, bring them into the board, have them retained on, you know, a quarterly basis to bring in fresh insights and fresh perspectives.

TT

Chris, thank you so much for this amazing discussion, and it's always a pleasure to speak with you. We are done for today. Thanks for participating in the Brainstorm CyberRisk Channel discussion. See you soon and have a nice day.

CH

Looking forward to it.

2024 Brainstorm Cyberrisque Inc. All rights reserved.