Cyber risk is a mounting concern as businesses are forced to operate – and compete – in a digital, connected world. Last week at RIMS, one of the largest annual gatherings for the insurance industry, Aon released its bi-annual Global Risk Management Survey (GRMS), which reports that companies in North America view cyber crime and hacking as their number one risk and businesses globally ranked cyber at number five. While concern around cyber increased, readiness to meet the challenge of managing the risk actually decreased slightly, and nearly half of companies still do not conduct cyber risk assessments. According to a second study released jointly by Aon and Ponemon, organizations are not adequately budgeting for cyber crime losses: almost four times more budget is spent on insuring property-related risks versus cyber risk, despite the fact that attacks on cyber assets cause 72% more losses than attacks on plant, property, and equipment assets.
In today’s digitalized business environment, organizations find themselves in a constant tug-of-war between implementing growth strategies and mitigating risk. Organizations are operating in a continuously shifting threat landscape, governed by multiple sets of evolving laws and regulations, so being “ready” is of critical importance. The rise of big data, the push for digital innovation and more personalized customer experiences, increasing reliance on third-party vendors for cloud services and the proliferation of Internet of Things (IoT) devices, continuously introduce new risks. Adversaries inside and outside organizations are becoming more sophisticated as criminals and malicious hackers continue to hone their techniques, obtaining access through the IoT, masterminding more sophisticated social engineering methods, or attacking information sources and manipulating data.
These types of threats have broad-reaching implications in any organization, and are impacted by every change happening in the business whether an M&A event, new product launch, or new hire. Despite this, some organizations mistakenly view cyber as a technology risk and try to manage it as such. This is far from the reality: cyber risk is a ubiquitous, enterprise-level risk.
Stakeholder Alignment Needed to Minimize Cyber Risk
Cyber risk affects multiple stakeholders, from the CISO to the risk manager, the board, the C-suite, IT, and even human resources, communications, and third-party partners and vendors. The enterprise nature of the risk means that the organization collectively, and most importantly the CISO and the risk manager, must make decisions jointly to optimize their strategies. The key to managing this enterprise-level risk – and avoiding significant loss and business disruption in the wake of an attack – is to ensure the organization is cyber resilient. Resilience is the ability to withstand or recover quickly from difficult conditions, even conditions one could never anticipate or imagine. In terms of cybersecurity, it means organizations are prepared to rapidly detect, mitigate, and recover from incidents. Adopting a cyber resilient mindset serves the interests of all stakeholders trying to defend an organization, and also provides comfort to insurers that, in the event of an attack, a company is prepared.
Assessing, Testing, and Improving Your Cyber Resilience Posture
Far from being a one-time exercise, cyber resilient organizations must work continuously across disciplines to assess their vulnerabilities and develop strategic and practiced response plans. The GRMS found that when companies pursue cyber risk assessments, IT departments conduct them 86 percent of the time, risk departments 38 percent, and security departments 18 percent. In assessing vulnerabilities, cyber risk can no longer be relegated to IT; it needs to be inclusive. To illustrate, when cyber risk mitigation is managed solely through IT, significant swaths of critical assets may be overlooked, such as those only an executive privy to M&A decisions may know. Another best practice is regularly testing existing cyber protections and incident response plans, often termed tabletop exercises. Again, if practice only takes place among the technology team, the wider stakeholder network identified above is not prepared to respond. Ideally, the organization has contracted with a cyber insurance carrier and cyber resilience firm, and has cultivated relationships and involved these partners in response drills.
Responding to and Recovering from a Breach to Minimize Impact
As well as being prepared to respond to a breach, recovering from a breach is just as critical. It is imperative that organizations conduct thorough assessments, quantify the intangible damages that could occur in the context of a breach, and enhance board-level understanding of the financial value of these risks to deploy capital to strengthen resilience and purchase adequate insurance policies. With the serious disconnect in companies’ concern versus spending and action towards cyber risk, this is easier said than done.
It’s Time to Take Action
We are at a critical point. Knowingly or unknowingly, as an organization grows, it takes on more cyber risk. To combat this risk, it is necessary to take action before attacks occur, or what is sometimes called “getting to the left of line”. This means organizations need to think in terms of what can be done by adversaries rather than what has been done, and develop a proactive strategies as opposed to only relying on investigative response. Organizations must meet this enterprise-risk head on, with a strategic program designed to optimize the ability to assess, test, improve, mitigate, transfer and respond to cyber risks and incidents.