BRINK’s Top 5 Cyber Risk Management Stories
From the boardroom to the desktop to mobile devices, cyber risk is as close and omnipresent as the next click.
Trusted, solid brands can be shaken by a cyber breach, while the ensuing costs—both in terms of sullied reputations and financial loss—can have material impacts on the bottom line.
Here is a recap of BRINK’s five top cyber risk management stories that go from a hunt inside a company’s computer network for intruders to inside the boardroom for a look at how companies can set a cyber risk management strategy. Because as cyber experts often say: “It’s not a question of ‘if’ your company will suffer a cyber event… it’s ‘when.’”
Many companies still don’t have a full appreciation of cyber risk, writes Shawn Henry, president and CSO of CrowdStrike Services. “Businesses have to gain an appreciation for what adversaries are really interested in and get sensitized to what the real threats are,” writes Henry, former deputy director of the FBI.
Corporations need to stop playing defense when it comes to cybersecurity and go on the offense or “get proactive about hunting for adversaries roaming their networks,” Henry writes. “Don’t believe you have a problem there? Think again, because the perimeter is gone.”
For 20 years, the conventional cybersecurity wisdom was to defend the perimeter: install a firewall, an intrusion detection system, etc. All are critical parts of a defense; however, a proactive stance takes security one step further, “and that has to be done in today’s environment,” Henry writes. “This is a long-term problem with no short-term solution. Companies must be innovative and creative, and must insist the government become a full partner. Anything less is likely to fail miserably, and the results will be disastrous.”
In today’s interconnected world, a company has to be concerned not only about the cyber risk on its own network, but also about how vulnerable its data might be downstream, in its supply chain and with outside partners and vendors.
“Insecure third parties pose a significant risk to an organization: Just ask any of the high-profile businesses hit with a headline-grabbing breach caused by a security breakdown on the part of an interconnected business partner,” writes Jacob Olcott, Vice President of Business Development at BitSight Technologies.
Olcott outlines four critical elements needed in managing downstream cyber risk:
- Focus on business partners that pose the most risk.
- Build a team to identify the most critical third-party risks.
- Select security standards suitable for your business partners.
- Continuously monitor your business partners.
“What happens beyond the firewall can cause significant harm to your organization,” Olcott writes. “Cybersecurity is now becoming a key factor in business decisions. Organizations are learning that strong cybersecurity can be a market differentiator, helping them earn and retain business with customers.”
Cyber risk can easily become “tail risk,” that is, one which “provokes acute, public and potentially catastrophic damage, whether to data, reputation, property or the ability to trade,” writes Mark Weil, CEO of Marsh UK & Ireland. The catch is, few companies are used to dealing with that kind of risk.
For many companies—with the exception of banks, utilities and other critical infrastructure—this kind of risk is managed “well below board level,” Weil writes. “Cyber risk changes that by bringing tail risk to any firm, large or small,” he writes. “As a result, it obliges firms to think hard about their ability to avoid and withstand a substantial and potentially fatal impact.”
Weil outlines four pillars firms need to consider when assessing cyber risk:
- Manage cyber risk as a board-level risk with consequences for all aspects of the firm, not just as an IT or security issue
- Adopt some of the methodologies of risk management appropriate to coping with tail risk
- Quality assure their supply chain on cyber risk
- Look at mitigation through insurance
“The heart of the issue is for the board to put in place risk-management disciplines fit for the purpose of protecting them from and coping with a fast-moving threat to their viability,” Weil writes. “That goes well beyond the historic expectations on risk management for many firms and will require a significant elevation and investment in risk.”
Company treasurers need to be fully incorporated into cyber risk strategies because most of their core activities are critical to a company’s resilience. “In fact, Treasury may be the department to actually discover any breach,” writes Craig Martin, executive director, Corporate Treasurers Council at Association for Financial Professionals. “As such, an organization’s treasury team should be a key player in any overall enterprise approach to cyber risk management.”
Martin outlines a three-step approach to developing such a strategy:
- Understand the nature of the data at risk. Before setting any strategy, the treasurer and relevant colleagues should have a clear knowledge and understanding of the scope of data, information and activities that may be at risk.
- Value the data at risk. Once the scope is understood, the treasurer will help to place a value on all data. He or she will need to determine the assets at risk, such as the long-term value of intellectual property, as well as any potential liabilities like compensation payments.
- Take action to manage the data at risk. With a clear value of the data, the treasurer can then help the group to prioritize the use of resources to manage cyber risk effectively.
Cyber insurance has the potential to create powerful incentives that drive behavioral change in the marketplace, writes Peter J. Beshar, executive vice president and general counsel for Marsh & McLennan Companies.
Just applying for cyber insurance helps promote better cyber hygiene because it “induces companies to conduct gap assessments of their own capabilities, because insurers will want to know: Do companies have an incident response plan, good protocols for patching software and regular monitoring of their vendor network?” Beshar writes.
And once an insurance policy is in place, the insurer has “every incentive” to assist the policyholders to make sure all necessary steps are being taken to help mitigate future cyber risk, Beshar writes.