Communicating Risk Information

This time, we are going to talk about the 2nd point under the COSO guiding principle of Information, Communication and Reporting which is Communicates Risk Information.

As a reminder, the COSO guiding principle of Information, Communication and Reporting has three points:

1. Leverages Information and Technology

2. Communicates Risk Information

3. Reports on Risk, Culture and Performance 

An organization must prioritize its capability to communicate cyber risk to internal and external partners. Communication channels are often defined in the organization's general information security policy or its incident response plan, but they are often not available offline. Efficient communication before, during and after an incident provides situational awareness throughout the workforce

Most of the time, you will likely use email to communicate; however, in the case of a wide-spread ransomware event, email may be down. Norsk Hydro did a great in 2019 with their incident and crisis management to their widely publicized ransomware incident. One aspect to their response included greeting employees when they arrived to work with locked doors and paper notes warning them to avoid turning on their computers.

The ability to communicate cyber risk concerns with external partners is also vital. Security regulations worldwide have different reporting requirements from HIPAA and CCPA in the United States to GDPR in the European Union. The TSA is now requiring oil and gas pipeline organizations to report cyber incidents in the fallout of the Colonial Pipeline incident.

Failure to disclose cyber incidents with appropriate detail and timeliness may result in significant fines from multiple entities. Other external communications include bi-directional communications with third-party service providers, especially when they are hosting your critical data and they have encountered a major incident that may put that data at risk. Public Relations communication plans to support disclosing a major cybersecurity incident to the public or to partners are a must.

Key Activities

• Identify internal and external stakeholders that require communication regarding cyber risks.

• Define escalation and communications channels in your general information security policy and incident response plan and ensure they are available offline.

• Ensure you plan on multiple methods of communication should traditional methods, such as email, are unavailable.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.

Have a great week!