
Here’s How Companies Can Set a Cyberrisk Management Strategy

Director, Executive Programs and Treasury Practice Lead at the Association for Financial Professionals

Cybercrime costs the global economy more than $445 billion a year, according to estimates from the Center for Strategic and International Studies. The 2015 AFP Risk Survey found that 34 percent of companies had been subjected to a cyberattack in the last 18 months. For most corporate leaders, last year’s well-publicized cybersecurity breach at Sony was simply reinforcement that cybercrime is on the rise and they need to be better prepared.

The response to the growing threat of cyberbreaches suggests that best practices for proactively managing cyber threats are still maturing. For example, 2015 AFP Risk Survey results show there is currently a strong emphasis on implementing technical safeguards to bolster defenses. Fewer companies are putting an emphasis on training, education, process revisions or developing proactive response plans.

In the new CTC Guide to Cybersecurity: Setting a Cyberrisk Management Strategy, supported by Marsh & McLennan Companies, organizations are presented with guidance to establish a cybersecurity management strategy and policy, both at corporate level and within the treasury department. The treasury group can play a strong role in helping the company plan for and prepare for cyber risks.

Even though key areas of a treasury function’s responsibility are not involved in every cyberattack, Treasury does hold or manage much of the data that is often the target of cyberattacks (for example, payment or credit card information). Treasurers need to manage the cyber risks associated with most of their core activities: payments processing, liquidity management (including the operation of in-house banks), supply chain management, and the use of any outsourced services (including treasury management systems and other solutions delivered as software as a service, or SaaS). In fact, Treasury may be the department that actually discovers a breach. As such, an organization’s treasury team should be a key player in any overall enterprise approach to cyberrisk management.

Companies can be highly effective forces against cybercrime by taking a three-step approach to developing such a strategy:

Understand the nature of the data at risk. Before setting any strategy, the treasurer and relevant colleagues should have a clear knowledge and understanding of the scope of data, information, and activities that may be at risk.

Value the data at risk. Once the scope is understood, the treasurer will help to place a value on all data. He or she will need to determine the assets at risk, such as the long-term value of intellectual property, as well as any potential liabilities, such as compensation payments.

Take action to manage the data at risk. With a clear value of the data, the treasurer can then help the group to prioritize the use of resources to manage cyberrisk effectively. Within this process, there are essentially three tasks:

  • Protect the most valuable data. Companies should dedicate their resources to protecting the most valuable data. This is likely to include data that is central to the financial viability of the organization, including core intellectual property. Protection is likely to be achieved using a series of measures and controls.
  • Manage the remaining risk through insurance and self-insurance. Regardless of how much the company is spending to protect its most valuable data, there is still a chance that security will be breached. It may be possible to use insurance to cover this remaining risk. For example, insurance is often appropriate to protect against any requirement to pay financial compensation as a result of a data breach. However, it may not be possible—or financially appropriate—to insure against every potential loss.
  • Adopt a plan should a data breach occur. Finally, all organizations should expect a data breach to occur at some point. The challenge then becomes how to minimize any financial losses and risks to the company’s reputation.

Ultimately, a corporation needs to be able to determine who should have access to each piece of its data, and have a process in place to protect it and help it recover in the event of loss. It remains likely that all companies will experience a cybersecurity breach at some point in the future, although the costs to affected companies will vary significantly. Despite this, the 2015 AFP Risk Survey found that 60 percent of companies do not have a clear, documented mechanism to respond to a cyberbreach. Every company should:

Adopt a crisis plan. Having even a rudimentary crisis response plan will help the company adopt a more coordinated approach. Where companies have crisis response plans, they are often integrated into their disaster recovery and business continuity plans.

Manage communications. Once a cybersecurity breach has been discovered, the company needs to manage its communications, both internally and externally, including with law enforcement agencies, internal staff, and regulators.

Analyze the breach. Companies need to determine:

  • How was the event uncovered?
  • Who and what caused the breach?
  • How long had the breach been ongoing before it was discovered?
  • How has data been affected? Has data been corrupted, stolen or lost? If so, whose data has been affected?
  • How does the data breach affect the ongoing operations of the business?
  • Can business operations continue as normal?

After the breach is taken care of, the company needs to meet a number of longer-term goals.

Manage the immediate consequences. Relationships with affected customers, suppliers and other parties need to be managed. Regulatory requirements must be met, which may involve the payment of compensation. The company may also need to manage public relations if the breach is high profile.

Improve. The company must have a process that allows it to learn from its mistakes. This may involve implementing additional training.

Review. Finally, the company should regularly review and test its crisis response plan.

The crisis response strategy needs to sit within a broader business continuity plan. This will deal with the longer-term consequences: Lawsuits, fines, reputational impact and loss of income. Enterprise risk management requires the company to understand its risk appetite and to take appropriate action to either accept or transfer the risk or to change behavior.

Business continuity plans should be designed to help the company plan for, and respond to, incidents and business disruptions, so that the company can continue to operate at a predetermined level.

Craig Martin

Craig Martin is Director, Executive Programs and Treasury Practice Lead for the Association for Financial Professional’s Corporate Treasurers Council.
