Over the last several years, the increasing sophistication of cyber attacks has left the risk management industry at something of a loss as to how to keep up. The types of attacks and hacks might continue to change, but businesses are slowly coming to grips with their vulnerabilities and putting cyber risk at the top of the agenda. The challenge now is implementing risk management solutions as part of the risk management plan.
While some companies might have these plans firmly in place, in a 2017 Airmic survey, less than a third of its members thought their organization was suitably managing cyber risk.
It’s also true that there are now better levels of protection available. Cyber liability insurance, for example, is now becoming more standardized across the industry. As insurers and companies have learned the risks and impacts of an incident, the policy cover has evolved to provide a much better level of protection as well as improved guidance on mitigating risks.
Risk managers at the forefront of the cyber challenge
Obviously, risk managers have a key role to play in managing and mitigating the potential effects of a cyber attack. This role is vital in identifying risks, advising on options to prevent or manage them, and implementing change.
As a risk manager, you might consider these steps as part of the successful implementation of your cyber security plans:
- Identify vulnerabilities and potential risks, keeping up to date with the latest cyber-hacker techniques
- Understand how the incidents highlighted in the risk portfolio will impact the business as a whole as well as departmentally
- Work with internal functions, such as Audit, Compliance, HR, the Board, and Finance to develop an enterprise risk management framework—remember embedding risk management is everyone’s responsibility, not just the risk manager’s
- Choose the right protection—from purchasing insurance policies and training staff to updating IT systems and keeping up with industry standards
- Investigate all options—find out what additional support your insurer offers from crisis management to risk mitigation guidance.
You should also investigate your membership and association benefits. Airmic members, for example, get access to many reports and advice on the latest risks and risk management techniques.
The time is now for businesses to manage cyber risks
There really are no more excuses to ignore cyber risk. For one thing, the General Data Protection Regulation (GDPR) compliance deadline looms—it comes into force in May 2018—and will impose fines of up to 4% of global revenues (or €20 million, whichever is greater). Good data-management practices are tied inextricably to cyber risk, so you simply cannot ignore these two major priorities.
It’s not just the fines that could put companies out of business. Reputational risk is equally important, as losing customer trust can also have devastating effects. Protecting your data from cyber crime has to be at the top of the risk agenda. The alternative option is opening yourself up to an incident.
In the UK, take a look at the National Audit Office’s (NAO) report into the NHS WannaCry hack, which identified major IT security flaws as the underlying cause of the NHS’s worst cyber attack in history. In the United States, credit-reporting firm Equifax allowed hackers to enter its system and perpetrate a massive theft of consumer data—even though a patch for the web-application vulnerability that hackers exploited was available approximately two months prior to the attack. Organizations just can’t afford to have these sorts of basic lapses in security.
The business protection available now is much better, so not investing in upgraded technology and insurance is unwise. The same can be said for staff training and awareness through practicing test incidents, just as you might a fire drill.
Finally, what the the risk management industry now knows is much better. We have fantastic risk management information systems (RMIS) available which can analyze copious amounts of data. We have knowledge of hacking techniques and understand the weak links in our defenses. So, the time is here to properly manage our cyber risks, and future surveys of risk managers will hopefully highlight the positive views of their organization’s cyber risk management.
Scott Wilson is Chief Information Security Officer & Privacy Officer for Ventiv Technology. Contact Scott at scott.wilson@ventivtech.com. Connect with Scott at LinkedIn.
