The list of cyber attack victims grows ever longer, with multiple organizations joining the ranks of the hacked each week. We’re becoming all too familiar with the names of ransomware and malware through high-profile breaches such as WannaCry, NotPetya and Bad Rabbit.
An increasingly connected world has brought new business opportunities, increased efficiency and consumer convenience. But it has also increased risk.
As cyber attacks have become more frequent, it’s become abundantly clear that all organizations, regardless of size, scope and industry, face cyber risks. And those risks are significant and threaten the entire organization.
Aon’s 2018 Cybersecurity Predictions report found that last year businesses suffered significant financial damage as a result of cyber attacks. Data breaches led to the resignations of several top executives and sparked big falls in market capitalizations. Companies faced regulatory investigations over the handling of breaches. According to a recent Bloomberg Law study, from January 2017 to February 2018, nine federal class action securities fraud lawsuits were filed against public companies after data-security incidents. Further, with the U.S. Securities and Exchange Commission issuing guidance to public companies about preparing cyber security risk disclosures, cyber security is increasingly on regulators’ priority list.
The fact that cyber attacks now affect every aspect of an organization means that cyber security is no longer simply an IT issue. To combat cyber risk successfully, the organization’s exposure must be understood and addressed by the entire c-suite, with board involvement. All departments need to know their roles and responsibilities well before an attack happens.
“You can’t pick your players on the day of the game,” says Jason Hogg, CEO of Aon’s Cyber Solutions Group. “Collaboration is key – you have to take silos down and work in a cross-functional manner.”
The cost of cyber attacks is escalating rapidly and outstripping IT security spending, which is expected to reach $132 billion in 2021, an increase of 8 percent since 2016. Yet close to $600 billion – nearly 1 percent of global GDP – is being lost to cyber crime each year, up from $445 billion in 2014.
The Nature Of The Risk
A host of factors are driving the increase in cyber risk.
- Increased connectivity: Organizations’ myriad connections to the web – which are growing dramatically with the rise of the Internet of Things and a mobile workforce – offer cyber criminals an ever expanding number of entry points. Meanwhile, an organization’s cyber exposures aren’t just a function of its own security posture. Risks often arise from the supply chain, including the business partners and vendors it’s connected to.
- Looking beyond intellectual property and personally identifiable data: The exposure of customer and client data is one important and widely recognized and reported risk of a cyber attack. But organizations also face business interruption issues from the loss or corruption of their own proprietary data, being locked out of systems due to ransomware and other exposures.
- “Physical” world vulnerabilities: Beyond data or system risks, the rise of the Internet of Things across industries – for example, industrial control systems and supervisory control and data acquisition systems in manufacturing, oil and gas, energy and other sectors – increases risks of property damage or bodily injury as a result of cyber attacks.
- Varying regulations: Regulatory risk is another potential exposure, particularly as the European Union prepares to implement its General Data Protection Regulation. The GDPR applies to all companies processing and holding data related to European residents – not just EU-based companies. And, while regulations related to data privacy and data breaches vary across industries and jurisdictions elsewhere in the world, the GDPR is likely to become the global standard.
A Far-Reaching Risk Demands a Broad Response: The Responsibilities of the Entire C-Suite
The impact of a cyber attack can be truly far reaching – and devastating – to an organization, notes Aon Risk Solutions’ Senior Vice President and U.S. Cyber Sales Leader, Stephanie Snyder. The threat, she states, has become an enterprise risk. “Because of the nature of cyber, there are no geographical boundaries for these types of attacks. All industries – regardless of size – have exposures to cyber risk.” And the exposure can’t be successfully addressed if viewed in a silo. Instead, it must be considered holistically, with each member of the c-suite taking steps to mitigate risks in their area of the operation, as well as coordinating across the organization.
- Chief executive officer (CEO): Provides the essential buy-in from the top to address cyber exposures and maintains an overall perspective on the organization-wide effort.
- Chief financial officer (CFO): Evaluates potential financial exposures and risks through relationships with financial partners. They also find the funds needed to support cyber risk management efforts, including working alongside information security teams to understand where the budget should be prioritized across infrastructure investments, technical remediation and insurance.
- Chief risk officer (CRO) or risk manager: Often works with the CFO to gauge the potential financial impact of the organization’s cyber exposures and examine risk-transfer options. Ultimately, the CRO also ties the cyber risk management process together, promoting an enterprise-wide view of cyber risks and the steps to address them.
- Chief information security officer (CISO), chief technology officer (CTO) and chief information officer (CIO): Work together to identify vulnerabilities and lead efforts to implement the necessary people, processes and technologies to address them. While not all companies have specific functions or officers for each, security, technology and information leads are responsible for not only building and maintaining the enterprise’s technology infrastructure and information assets but also ensuring those assets are secure and protected. As changes in any area of the business can affect security posture, it’s critical the CISO is embedded with leaders across departments to bake security into all decisions. CISOs should work especially closely with risk management and finance teams to provide them with an accurate perspective of the organization’s vulnerabilities and whether to commit resources to technical remediation or insurance.
- Chief compliance officer (CCO) and chief legal officer (CLO) or general counsel (GC): Responsible for ensuring the organization complies with privacy and data breach regulations, including litigation work in the event of lawsuits post-attack. These teams should work with IT and information security teams to understand which technical controls are in place to protect the organization’s data and to ensure compliance with various regulations across the globe.
- Chief human resources officer (CHRO): Focuses on training employees and works with various teams to ensure the pipeline of talent is in place to help mitigate and manage cyber risks. With many data breaches the result of insider behavior – often inadvertent – understanding the role that people play, and helping address the risk, is an increasing priority of the CHRO.
- Chief marketing officer (CMO) and chief communications officer (CCO): Become the frontline representatives before, during and after the cyber breach event. These leaders also perform any internal communications functions necessary in the wake of an incident. They are responsible for post-event external communication and limiting damage to the brand and reputation.
- Board of directors: Is becoming more involved in addressing this risk given the impact that cyber risk can have on a company’s finances and ability to operate. Chris Rafferty, Managing Director of Aon’s Financial Services Group, notes that, “In addition to the impact on the overall organization, increased regulations as well as post-breach management of a cyber-related event could implicate directors and officers themselves. The risk is truly far reaching and requires involvement at the board level.”
Closing the Cyber Risk and Cyber Insurance Gaps
According to Ponemon’s 2017 Global Cyber Risk Transfer Comparison Report, 87 percent of risk-management professionals view cyber liability as one of their organization’s top 10 business risks. But, if organizations are truly to address their cyber exposures, Snyder says that business leaders must better understand the risk that they face and how they are currently addressing it. For example, the report shows that organizations value data assets more than physical assets such as property. Snyder notes that the amount of insurance purchased to cover these data assets, however, is four times less than property – indicating a “mismatch between value and protection.”
Organizations should evaluate their cyber exposure across the organization by conducting a cyber risk quantification study, in conjunction with deep technical assessments, to determine the current status of the cyber security posture and the potential impact of various attack scenarios. Snyder expands on this idea: “Organizations might not truly understand the potential financial impact of a cyber breach. Cyber risk quantification studies can paint a better picture of possible losses, including how those losses can be transferred using insurance.”
And while companies cannot expect to be 100 percent secure, “proactively assessing their risk and aligning teams across the organization are key first steps to making themselves more resilient in the face of sustained, sophisticated attacks,” says Hogg. People from IT, legal, compliance, finance, HR and other departments must form a multidisciplinary team to assess exposures and recommend strategies for managing and mitigating them. Increasingly, such cross-team collaboration is not just confined to an organization. Partnerships, including acquisitions, are developing to bring together industry leaders across technology and insurance to support a more holistic approach to cyber risk management.
A Holistic Approach to a Growing Risk
Cyber attacks will only intensify with the growing dependence on technology and online connectivity. “The attacks we have seen so far are only the tip of the iceberg in terms of their reach and impact,” says Hogg. Recent large-scale attacks have struck companies indiscriminately, with the goal of disrupting as many organizations as possible. In that environment, every organization, regardless of size or industry, should consider itself a target.
Forward-thinking organizations will work proactively to address cyber risk holistically, engaging the entire c-suite in the cyber risk management effort.
Cyber First Responders – Risk & Insurance, March 27, 2018
C-Suite A Cyber Attack Risk, Say Security Chiefs – ComputerWeekly.com, March 19, 2018
Why The Entire C-Suite Needs To Use The Same Metrics For Cyber Risk – Harvard Business Review, November 17, 2017
2018 Cybersecurity Predictions – Aon Cyber Solutions, 2018