As Cyber Risk Rises, Is The C-Suite Looking In The Right Places?

Jump to Section:

This content originally appeared as an Aon-sponsored article for Wall Street Journal Custom Content.


In spite of the endless headlines about data breaches, regulations and growing data privacy concerns, many companies still have a limited understanding of their cyber vulnerabilities. And this lack of awareness is costing them: the global average cost of a data breach in 2018 has been pegged at $3.86 million.

And that total doesn’t include the damage to reputation and brand. Since the advent of social media, the value impact of a reputation crisis – such as a cyber breach – has doubled. “Nothing vaporizes enterprise value faster than a cyber breach,” says Jason J. Hogg, CEO of Aon’s Cyber Solutions.


There is a growing concern that companies are not making a fully informed choice when it comes to cyber security decisions. While the use of cyber risk assessments has been rising steadily over the past few years, only 59 percent of companies apply a formal process to identify and evaluate their risk.

“Nominally the proximate cause of a data breach can be a missing patch on a piece of software, but the real cause is the leadership that doesn’t put in the resources, energy and commitment needed to keep the systems patched,” says Stan Stahl, founder of SecureTheVillage, a nonprofit that educates executives about security issues.

Hogg says companies have to understand their risk posture, identify what gaps exist and then take steps to reduce or remediate the risks. “You have to assume the threat is persistent and dynamic – and you can never have it always totally locked down,” he says.

Third Parties Can Be Problem No. 1

One common mistake companies make is not being as diligent about third parties and subcontractors that might handle their information. “Supply chains and third-party providers provide exponential risk to the firms they serve,” Hogg says. “Because of cloud computing, increasing end points, consumer connectivity and the internet of things (IoT), the heightened risk now cuts across everything from agriculture and auto manufacturing to health care and financial services – and everything in between.”

In fact, Hogg brought this risk up to one company that dismissed it with the following comment: We’ve tested our own system and have limited liability with our subcontractors. “Not six weeks after that conversation, their third-party provider got breached, and ultimately exposed their customer information,” he says. “No one among the general public knew who the third-party provider was, and no one cared who the third-party provider was. It was the firm itself that received negative media while, simultaneously, customers were calling up irate.”

The IoT has changed the risk landscape as well. Today, connected medical devices, smart elevators and other IoT devices provide cyber criminals millions of new access points to corporate networks. However, the focus of liability is changing as well.

“Connected, autonomous vehicles shift the liability from the driver to the product creator – the auto manufacturer,” says Christian Hoffman, president of Aon’s Cyber Solutions.

Companies need to keep a close eye on the way and speed that cyber risk is expanding – and tailor their defenses accordingly. Stahl says companies can put themselves in peril by thinking of cyber security solely as an IT issue. Too often, chief information security officers report to chief information officers, when they should be reporting to senior management. “Security and IT need to be collaborative,” he says. “But they each have to have their own way to go to the people above them.”

Cyber risk touches many parts of an organization, from IT to legal to the HR department that teaches employees how to avoid social-engineering attacks. “There needs to be cross-functional teaming within the C-suite in order to manage risk,” Hogg says. “It can’t just be an IT issue or an operational issue or a legal issue. The three areas need to come together and assess the risk from a holistic viewpoint looking through all three lenses.”

Concerns For New Industries

Heightened risk is also changing the nature of risk transfer. Cyber insurance has become more diversified as the types of industries that seek it out have changed. Originally, the protection was primarily used by companies that handled large amounts of personally identifiable information (PII), such as retailers, financial firms and health care providers. The primary worry was data loss.

Now, more industries – such as energy, transportation and manufacturing – are concerned about their operations being disrupted by a cyber event. Automated agriculture and water-treatment processes provide new exposure points, just as the control systems of energy plants do. Business downtime and property damage are among the new concerns.

“In some cases, board members and executives have faced liability claims following cyber incidents, but a number of these cases were dismissed because they were able to show rigor in their cyber security procedures and risk transfer decisions,” says Hoffman. “To protect their balance sheets, companies must have the right protection, and that can only happen if they have a true understanding of their risk and the potential magnitude of a cyber event.”

Read the original article on Wall Street Journal Custom Content.