The frequency and scale of cyberattacks continues to grow, and the financial stakes appear to be rising too. Revenue losses, liability costs, recovery fees, and even regulatory fines are all consequences facing companies experiencing successful cyber incidents. In the recent past, ransomware attacks like NotPetya, one of the most devastating cyber events ever, caused millions if not billions in economic ruin to companies like Maersk, or WannaCry, whose targets included European Hospitals and domestic Radio Stations while disrupting business operations, production, and logistics across its victims. Other ransomware attacks have held domestic hospitals hostage, and the frequency of ransomware and other malicious cyberattacks appears to be growing.
This upward trend is moving companies of all sizes and industries to make cyber risk a corporate priority. Cyberattacks rank among top corporate risk concerns. It is no longer seen as a problem to be solved by throwing more money at technology alone. Now, cyberattacks are perceived as a risk to be actively managed across many corporate venues. It’s a new perception of cyber reality that adds cyber insurance to the mix of strategies a company needs to use to manage its risk, regardless of its perceived vulnerability profile.
The concern does not stop with corporate Boards of Directors, CISO’s, CIO’s and other senior executives. Now regulators are more actively examining how organizations address cyber risks and how they manage their responsibilities to key stakeholders. These interests and concerns are finding their way into the language and obligations of regulations. So, the regulatory stakes are going to rise as more regulators—including the US Securities and Exchange Commission (SEC), FFIEC, and others, begin to impose stricter requirements on regulated businesses.
Assessing IT risk, and the potential for damage and disruption following a successful cyberattack is much more complex than estimating limits on IT downtime. Companies are increasingly dependent upon their technology, even losing basic systems like email, messaging, and word processing, not to mention transaction systems, logistical managers, and internet access to name a few. Operational automation has become so ingrained in daily work it appears nearly transparent, like lighting and power, until it’s suddenly lost. We are dependent upon our technology. The impact of sudden pervasive loss from malware or ransomware attacks eliminating all access to data and the ability to operate is devastating. Losses mount rapidly, and recovery, depending upon planning, preparation, resources, and the sophistication and scope of the attack may be lengthy and expensive. It is unreasonable to expect to deploy and operate “risk free” technology. That is an illusion, and a fantasy, at any price! Risk management is a critical strategic component for coping with the potentials involved in contemporary business operations. And one effective risk management strategy is to transfer some of the risk through acquisition of cyber risk insurance.
Of course, one immediate question raised is how to determine the amount of insurance needed. Somehow assessment always seems to play a role in contributing data to answering cyber risk questions, this one included. And, in this case, assessment data’s scope needs to extend beyond the realm of IT systems and management. It’s about all the processes, functions, services, and data these systems enable and support. Financial management is as much a part of the risk footprint in this case as are operations, human resources, communication, distribution, or any other business practices a company employs. And the operating footprint needs to consider the impact of loss of remote and mobile services if they are part of the company’s digital portfolio. Third parties, contractors and suppliers, are also impacted. A review of backup, recovery, and restoration plans and services needs to be examined too. All these inputs contribute to the calculation of a reasonable amount of risk to transfer through cyber insurance to offset possible losses. Then, in regulated industries, there’s the additional financial risk in the form of regulatory fines, should the lack of due diligence and satisfactory compliance with regulatory requirements be determined to have contributed to the success of a cyberattack.
But where will all this assessment data be sourced, gathered, organized, and evaluated? It’s clearly too large a job for spreadsheets or home-grown databases. These might serve as potential containers for all this data, but by themselves provide poor mechanisms for analysis, reporting and decision making. Cross discipline data analysis and actionable reporting are strong attributes in quality Governance, Risk, and Compliance (GRC) products. In the case of cyber insurance estimating, factoring in the strength of controls associated with threat detection, identification, remediation and recovery are critical to estimating potential financial impact resulting from operating losses, staff expense, support, external expertise acquisition, and brand impact at the least. Performing assessments, matching findings to regulatory and best practice requirements are a big part of GRC software suite features. So is correlating IT and operating risk, helping to identify vulnerabilities and in so doing potential operating loss from disruption. Data on the strength of discovery, response and recovery practices helps estimate the duration and scope of potential service disruptions, which enables accurate cost estimates for potential losses. Amassed together, these factors give Senior Executives and Boards of Directors the information they need to make informed decisions about cyber risk insurance.
There is no perfect solution to risk management that renders an organization risk-free; cyber risk while topical now is just one more piece of the overall risk footprint of any firm operating today. And transfer of risk is just one strategy for addressing the problems presented by aggressive and sophisticated malware assaults on companies in the United States, and throughout the world. Nobody has immunity. No company can be made absolutely safe. In fact, many of the successful attacks reported in the past years have relied upon basic controls not being understood, being ignored, or mismanaged in execution. Far too often resources were curtailed or otherwise redirected to address other matters, leaving devices unpatched for extended periods, access controls inadequately managed, and aging systems working far beyond support end dates by providers being pressed into continued service to avoid the cost of replacement. These are common practices in many forms in many industries and government. Such practices enhance the vulnerability of all to cyberattack, and increase the value of some cyber risk insurance to address these needs in the near term. We cannot predict tomorrow with certainty, but we can protect ourselves from uncertainty today.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.