Hardly a week goes by these days without news of another high-profile cyber security breach. Over the past couple of years, organisations across a broad set of industries (including banking, retail, media, healthcare and online commerce) have been infiltrated. And the victims are often household names such as Sony, JP Morgan Chase, eBay, and Yahoo! Even the US government hasn’t been immune. The US Office of Personnel Management was recently hacked (twice!), resulting in the loss of, among other data, forms submitted by intelligence and military personnel for security clearances.
According to HM Government’s 2015 Information Security Breaches Survey, 90% of large organisations and 74% of small organisations in the UK have suffered a security breach. Unfortunately, other statistics suggest that the majority of organisations aren’t even aware that they have been compromised.
Traditionally, cyber security risk management has been left to the IT team, but recent incidents have highlighted three reasons why CEO’s, CFO’s and Boards need to become more actively involved in managing cyber security risk.
Severity of consequences
Organisations are increasingly realizing that cyber attacks are not just a nuisance. They can have dire consequences both for the organization and senior management. When Ashley Madison, a dating website for married people interested in affairs, was hacked in July 2015, the attackers demanded that the website was permanently shut down. In 2014, both the CEO and CIO of Target were fired in connection with the loss of credit card details. When the results of a data breach can result in the departure of the senior management team, the threat must be understood and managed at the Board level and not just treated as a technical detail for the IT team to handle.
Technology is just one tool for cyber risk management
When organisations consider how to manage cyber security risk, the default answer seems to be to deploy sophisticated technology. While this is certainly an important step, a more holistic approach, which considers the operating model, organization culture and insurance, would provide a more effective long-term solution. Most organisations, unfortunately, are not yet deploying these other tools. According to a recent survey conducted by Marsh and Zurich, only 10% of UK firms have cyber insurance, whether as stand-alone cover or as implicit in other policies.
Assessing value at risk
An essential aspect of managing any risk is understanding the value at risk. In the case of cyber risk, organisations often do not take a systematic approach to doing so and jump straight into implementing security solutions and in some cases buying cyber insurance. But how is it possible to know what mitigation measures are appropriate without understanding the potential consequences of an attack?
When Target was hacked in 2013, it, fortunately, had $100m of insurance cover in place through its various policies. Unfortunately for Target, analysts estimate the total fallout from the breach will be between $400m and $500m. IT teams can help understand the nature of the threat and how to protect against it. Understanding the consequences of a breach, however, requires commercial insight from throughout the organization. As such, assessing the value at risk from cyber security risk is a priority that must be owned by the CEO, CFO, and the Board, and ideally should be a precursor to determining which risk management solutions (technical or otherwise) are most appropriate.
Cyber risk management is a cat and mouse game that by its nature will continue to become ever more intricate. Given the severity of the threat and the tools required to fully understand and manage it, Boards and Senior Execs cannot afford to delegate the responsibility to the IT team.
If you would like to learn more about managing cyber security risk, please contact Vikrant Pratap of Capri Capital at firstname.lastname@example.org.
Like our advice? Hear even more at one of our events:
An event was hosted my Natwest called Growing inclusive leadership in Tech. The topic addressed was ‘Key ways to create a positive company culture’
We had the pleasure to co-organise a roundtable breakfast discussion with Learnitect. The topic for the day – Recruiting and Empowering Top Performers
On Thursday 28th September, movemeon and On Purpose hosted an event for consultants and ex-consultants interested in building socially impactful careers. We were joined by Parita Doshi, Seigo Robinson, Sophie Runcorn and Jeroen Sabbe. These are 5 of the evening’s top tips