Risk managers already face a plethora of challenges managing their organizational risks in today’s hard insurance market, and the compounding threat of cyberattacks to the business is making their work more demanding and essential. Cyber risk is no longer solely a technology issue, but also an enterprise risk issue, and is coming under heightened scrutiny in the C-suite, boardroom and from investors.
Risk managers and their organizations have a duty to understand their cyber perils and their growing threat to business continuity and customer data, and how cyber impacts their total cost of risk.
The disruption to businesses’ growth, competitiveness, operations and existence continues to be played out – and will dramatically increase in the coming years. No industry, business or business segment is immune:
- Ransomware is the newest concern, and for good reason: Attacks are up 716% from 2019 to 2020, with predicted damages from attacks expected to be $20 billion in 2021.
- The widespread 2020 attack on SolarWinds, attributed to foreign nation state threat actors, targeted supply chains and impacted public and private organizations around the world.
- Attackers are increasingly intercepting money transfers, stealing sensitive commercial strategy, intellectual property (IP), and running extortion schemes.
- The FBI reports that cyber attacks are up 400% from pre-COVID pandemic levels.
As a result, cyber risk is firmly at the top of C-suite and board of directors’ agendas, as threat actors continue to develop sophisticated business models to monetize and profit from exploiting technical and human vulnerabilities. Many organizations have much work to do:
- The human factor in cyberattacks continues to be a concern, with employee/user actions accounting for 30% of all data breaches.
- Intellectual property (IP) theft is estimated to be a $1 trillion problem, yet just 1/3 of companies protect trade secrets.
- C-suite executives continue to be prime targets for attacks and are 12 times more likely to be pursued and nine times more likely to be victimized.
- The need for thorough cyber due diligence is critical in any M&A activity.
5 Basic Fundamentals that Risk Managers Should Ensure are Implemented
Risk managers must ask themselves if their organization is prepared for the new world brought on by increased threat actor sophistication, combined with the remote working arrangements brought on by the COVID-19 pandemic. In our ever-changing cyber environment, it is important for risk managers to work closely with their C-suite, Information Technology and Information Security leaders to develop a “new better” and implement these five basic cyber fundamentals:
- Create a multidisciplinary committee for cyber risk management: The impact of cyber risk can be felt across every department in a business – from legal, to compliance, human resources, finance, communications, operations, information technology and elsewhere. A cyber risk committee is a relatively low-cost organizational change that brings together the relevant expertise to assess how cyber risk will impact multiple functions, and how changes in the business – such as an M&A transaction, working with a new vendor, or implementing new technologies – will alter the security posture. The General Counsel, due to their apolitical position in the organization as well as their familiarity with the regulatory environment and downstream liabilities, should chair this multidisciplinary committee and report out to the CEO and Board with their findings.
- Conduct a security assessment: The best way to understand the current state of a company’s security is to conduct an independent security assessment. Smaller organizations with less complex systems may consider SaaS-based solutions, which can be cheaper and allow IT or information security leaders to input information and receive an instant score on their security posture. The results of the assessment should then be shared with the multidisciplinary committee to inform where budget is spent to close gaps, which critical data and assets to prioritize for protection, and what to insure. Investing in red team exercises will help to expose weaknesses and identify priorities for remediation before a real attack can strike.
- Create a culture of security: Weaponize your employees in the fight against cybercrime by investing in the right training and awareness programs, with a focus on engaging programs that change human behavior. No one should be exempt from these exercises – including the board and senior executives. For example, proactively teach employees how to spot suspicious phishing emails and implement better password management practices. These small security strategies can have an immediate positive effect.
- Incident response planning: Incident response planning focuses on improving the company’s resilience in the face of attacks. Many companies now have an incident response plan, but it’s important to test the plan with all stakeholders involved and keep it regularly updated. Planning for an incident – particularly ransomware – also involves creating regular back-ups of critical data and systems to reduce downtime, and testing defenses by simulating attacks.
- Have a tailored cyber insurance policy: Even after taking a number of proactive steps such as those outlined above, the evolving threat landscape means that no company can be completely secure. It’s important to ensure that any cyber insurance policy considers the risk exposures of greatest concern to the company, as there is no “one size fits all” from a coverage standpoint. A cyber policy should always be treated as part of a broader cyber security strategy that has, at its heart, a proactive approach to risk mitigation.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.