CASE STUDY: Cyber Risk and Internal Controls

Global Company (GC) is a leading provider of content, connectivity, digital media, and operations data solutions to the travel industry across the world. The companys mission is to provide products and services that help aviation, maritime, government, and enterprise customers entertain, engage, inform, and monetize their end customers in new, unique, and differentiated ways. GC operates in three different, yet interrelated and interdependent verticals (or business segments): 1) Inflight Connectivity (IFC), 2) Maritime, Enterprise & Government (MEG), and Media & Content (M&C).

GC operates with more than 1,000 employees in 30 offices across five continents. The Company grew by acquisition of legacy companies that operated in the entertainment and connectivity industries since 2013. Every legacy company that was acquired by GC had its own culture, employees, business processes, and technology infrastructure. Many of these business and information technology processes were not documented, and if they were, documentation was not standardized to reflect risks and controls.

Across the various business segments that GC operates, there are more than 80 information technology systems supported by more than 1,300 servers. Although servers are backed up regularly, these backups are maintained internally on the companys network and a copy of such backup is not maintained offsite. For a company of the size of GC, the number of systems and servers may be too large especially that many of these systems are not operational, but they are still on the companys network and not retired. It is also important to note that servers that support IFC are on a different network than those that support MEG and M&C, although there is limited connectivity between the two networks. Each one of these two networks are protected by different firewalls. One of the firewalls had a published vulnerability, by the firewall developer, that was not patched and acted upon by GCs IT security team according to GCs vulnerability management program within IT Policy. GCs IT Policy calls for maintaining an enterprise vulnerability management program. GCs IT security team do not perform regular review of setup of the firewalls, nor do they monitor the firewalls regularly for vulnerabilities.

The company had several Material Weaknesses (MW) in its internal control over financial reporting, including IT, for several years. The Company had eighteen IT General Controls (ITGCs), some of which required complex password configurations for its privileged accounts over systems and network. The company does not have a 2-step or Multi-Factor Authentication implemented for its user accounts, including privileged accounts with elevated system access.

In 2020, GC was a victim of a ransomware cybersecurity attack that disrupted the use of corporate network and encrypted multiple servers of corporate and media and content applications. Global connectivity network was not impacted.

GC had never performed a cyber risk assessment and regular penetration testing to evaluate vulnerabilities, as required by the IT Policy. Although the companys IT security team used to send regular emails advising employees to beware of phishing e-mails, GC had never implemented a robust phishing program that monitors and deleted external phishing e-mails, and that evaluate and report on internal employee violations that become victims of targeted phishing

Issue: For a company of the size of GC, the number of systems and servers may be too large especially that many of these systems are not operational, but they are still on the companys network and not retired.

Support your findings with research and elaborate on risks and best practice mitigating control activities. Why is it a risk? What are the consequences? Discuss the Boards, managements, and Internal Audits roles in implementing, operating, and monitoring internal controls that mitigate those risks?