By now, most companies recognize that cyber risk is not just an IT problem. The entire enterprise shapes this risk and can be weakened by it. Aon recently released its bi-annual Global Risk Management Survey. In it, the top 10 global risks to business were revealed. Cyber crime, hacking, viruses, and malicious code—all crimes in which a company’s data is compromised—ranked number five. But if you look closer, of the remaining nine traditional risks, data security is a major driver of all except one. It’s not hyperbole: Cyber risk is one of the greatest business risks on earth, and it exacerbates the other greatest business risks. Mitigation, therefore, requires traditional risk management practices evolve to meet this pervasive, blanket liability.
Global Risk No. 1: Damage to reputation/brand. A major cyber attack can seriously damage a brand. Not only can it cost a company millions in brand reputation, it can directly cause a loss of business. News of the largest, consumer-facing cyber attacks can stay in the mainstream news cycle for weeks, as information trickles out such as the number of records accessed, when they were accessed, and how something like this could happen.
Risk Mitigation Recommendation: Include a communications plan as part of your incident response plan, and begin this process with a stakeholder analysis so you know who should be communicating what to whom.
Global Risk No. 2: Economic slowdown/slow recovery. This is the only top 10 global risk identified by the survey that is not directly affected by cyber risk.
Global Risk No. 3: Increasing competition. Data usage is central in the fight for supremacy between companies. The data collected about a company’s operations, its customers, and its customers’ use of its products can be used in new ways and with new partners to increase efficiency and propel innovation that wows. But keeping this data secure is a major hurdle. Every step forward can be a huge leap backward if the effort backfires by facilitating cyber criminals.
Risk Mitigation Recommendation: To stay competitive without setback, CISOs must participate proactively in the production of competitive advancements to ensure their safety before they go live.
Global Risk No. 4: Regulatory/legislative changes. Cybersecurity regulations are multiplying, particularly when it comes to financial firms. The EU recently finalized its Global Data Protection Regulation (GDPR), placing ambitious requirements on any business serving its citizens. Additional hot topics for financial firms including the Bank of England’s CBEST vulnerability testing framework, the New York State Department of Financial Services cybersecurity requirements (which many are saying may set the precedent for future similar regulations nationally), and the challenging hodgepodge of state laws in the U.S. Non-compliance can come with a hefty price tag. The EU’s law has gotten notoriety for its penalties, for example. As the EU GDPR portal states, “organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”
Risk Mitigation Recommendation: Maintain good cyber hygiene with standard data security controls in place at all times. Not only is this best practice but also as new regulations crop up and updates are published, compliance only requires a few tweaks rather than an overhaul.
Global Risk No. 6: Failure to innovate/meet customer needs. This is similar to risk three, increased competition. Companies face intense pressure to innovate to live up to consumers’ ever-growing expectations. However, these kinds of advancements also open the door to new threats. And, if customers don’t trust a company to keep their data safe, they won’t let them use it. In fact, a recent Forrester report calls the conflict between privacy and digital innovation in the financial sector an “epic” battle.
Risk Mitigation Recommendation: The CISO should be an integral part of the product development process, becoming active in all new product and partner decisions soon after conception. If the CISO is brought into the process too late, he or she can only act responsively, rushing to fill gaps in security rather than preventing them from the start.
Global Risk No. 7: Failure to attract or retain top talent. This one is simple. If a company’s trustworthiness is damaged because of a massive data breach or if the company isn’t innovating, talented people won’t want to work there. On top of that, cybersecurity jobs themselves are already hard to fill. The increasing need for qualified professionals to protect company assets in the face of constant innovation, evolving threats, and changing regulatory requirements has resulted in a major workforce shortage. Companies that can’t attract talent for other reasons will suffer even more greatly in the race to attract individuals to keep them secure.
Risk Mitigation Recommendation: Having an experienced and knowledgeable CISO is essential. This person not only drives data security (and trustworthiness) but also gives tech talent someone to learn from, a big incentive in this competitive marketplace. In addition, giving CISOs a place on the management team of an organization will help ensure board and executive-level support for cybersecurity programs, creating an even more attractive environment for top talent.
Global Risk No. 8: Business interruption. Cyber assets are damaged by business disruption, and cyber attacks cause business disruption. First, cyber assets face 72 percent more losses from business disruption than property, plant, and equipment (PP&E) assets, a recent Aon and Ponemon report found. (Yet nearly four times more budget is spent insuring property-related risks than cyber risk.) Meanwhile, a cyber attack like a data breach can suddenly halt business operations, by causing a company to lose control of its data or by causing physical damage such as a pipeline malfunction.
Risk Mitigation Recommendation: Protect against these losses with adequate cyber insurance policies, as well as with continuity planning that focuses on both digital and physical redundancies. Putting protection measures like these in place to cover your critical assets will allow you to limit damages and downtime and restore business operations more quickly in the event of an incident.
Global Risk No. 9: Political risk/uncertainties. Today, political risk directly heightens cyber risk for businesses. In the past, nation states attacked nation states. Today, nation states use cyber attacks to undermine businesses in other nations. The 2014 attack on Sony, allegedly by North Korea, is a top-of-mind example.
Risk Mitigation Recommendation: Simulate nation-state style attack scenarios through red teaming and cyber threat tabletop exercises. This gives you the opportunity to practice your response in advance, increasing your readiness to face such a severe incident.
Global Risk No. 10: Third-party liability. Organizations outsource key functions of their business, especially those that drive high-tech, customer-centric innovations. However, they can’t outsource cyber risk. Companies are only as cyber secure as their vendors. In the case of a leak, the fall-out would be just as damaging as if it had happened on the company’s own network.
Risk Mitigation Recommendation: Develop a vendor risk management program that aligns with your overall enterprise risk strategy. Robust programs should ensure that the cyber policies and procedures of partners and vendors are vetted prior to working together and regularly thereafter, and that cybersecurity issues are addressed in contractual agreements as a matter of course.
Cyber risk mitigation does more than build a company’s resilience to a cyber attack. It builds a company’s resilience against the most predominant and severe traditional business risks as well. This new development necessitates that companies get ready to bring cyber risk management to the forefront of all of their risk management efforts. Because if you’re dealing with one business risk, it likely has a cyber implication. You can no longer deal with one risk without the other.