Cyber preparedness: the next step for boards
When the World Economic Forum unveils its annual Global Risks report each January, it lays out the challenges that keep business leaders and risk managers awake at night. In the 2015 report, No. 10 on the list of “Likelihood” was large-scale cyber attacks. A separate list presented risks in terms of the “Impact” they would have, and No. 7 on that list was critical information infrastructure breakdown.
As with many global risks, these two are linked. When Global Risks 2016 was released, these two concerns still resonated at the highest levels of business. Similarly, the EY Center for Board Matters recently listed cybersecurity preparedness as one of the top five priorities that boards and companies will continue to focus on in 2016.
Preparedness bookends for the board perspective
The average annualized cost of cybercrime for 58 benchmarked organizations in the US in 2015 was $15 million per year, up 19% from $12.7 million in 2014, according to the Ponemon Institute [1], a research center dedicated to privacy, data protection and information security policy. Organizations that deployed security intelligence systems, however, saw an average savings of $3.7 million. Cyber attacks linger, too: the average time to resolve an attack was 46 days.
The numbers outline a narrative that necessarily pushes cyber preparedness into the top echelon of priorities for boards and CEOs in 2016. The bookends within which boards should frame cyber risks are “risk” and “response,” as they attempt to align a business’ strategy with the opportunities created by ongoing technological innovation while remaining aware of cyber vulnerabilities.
According to Ruby Sharma of the EY Center for Board Matters, “Cyber risk is top of mind as companies and their boards more clearly recognize the cyber landscape and engage in discussions about not only mitigating cyber risks, but also how to live with them.”
The risk bookend is relatively clear-cut for boards, including the potential impacts of increased costs, threatened business continuity, and reputational and customer experience concerns. But what about the incident response, the who, what, how and when in the event of a data breach?
Response begins with preparedness. “Too many businesses are taking an ad hoc approach to managing cyber risk, which can lead to greater exposure,” says Jennifer Lee of the EY Center for Board Matters. Many organizations do not have the cybersecurity preventive measures they need and have insufficient mechanisms to adapt to evolving cyber threats and vulnerabilities.
According to EY’s Global Information Security Survey 2015, only 7% of organizations claim to have a robust incident response program that includes third parties and law enforcement and is integrated with their broader threat and vulnerability management function. Basic controls, processes and appropriate cyber governance (including incident response plans) need to be put in place so the board and business leadership can assume responsibility for cyber risk oversight.
An alphabet soup of regulatory bodies, statutes and programs, including FFIEC, FISMA, FedRAMP, NERC and the SEC, has produced guidance on improved cyber preparedness, including the SEC’s proclamation that, “Firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cyber security events and have clear procedures in place rather than waiting to react once a breach occurs [2].”
Awareness of expectations
The response component of managing cyber risks is driven in large part by knowing what is expected of the board. Audit committees and boards should have a working understanding of the business implications of cyber risks. Better alignment of the risk objective with business objectives and strategy is of paramount importance.
Cybersecurity needs to be “built in” so that it is interwoven into everything the organization does. An organization’s approach to cybersecurity needs to be dynamic, flexible and under constant revision. As part of this, incident response plans should define their scope, trigger points, reporting and control, and clear decision-making authority. They should also identify the resources that will be needed, including outside experts’ assistance, and establish appropriate communication protocols.
“Our research indicates that only about 5 percent of directors of the Fortune 500 have an educational or professional background suggesting that they are likely to be knowledgeable about cyber-security matters, and that approximately two-thirds of the Fortune 500 have no directors who are cyber-sophisticated. We often recommend that boards retain a ‘cyber-adviser,’ an independent third party, who can advise the board about reasonable best practices,” says Joe Grundfest, Senior Faculty, Arthur and Toni Rembe Rock Center for Corporate Governance.
Awareness and establishment of cyber governance are also critical, and they are evolving from many sources and angles. The Public Company Accounting Oversight Board, for example, will be considering cybersecurity risks as part of its plan to analyze emerging areas of audit risk. Both the U.S. House of Representatives and the Senate are evaluating cyber threat information-sharing legislation and data breach notification standards. In addition, driven by the demand from investors and the public for more transparency, the Center for Audit Quality and the National Association of Corporate Directors are advocating greater focus on cyber risks and third-party reporting.
as discussed, and ask management the right questions. Organizations that have activated the foundations for cybersecurity but not moved beyond this typically display shortfalls in their capabilities: their cybersecurity is “bolted on” rather than fully integrated into the business.
Insurance as part of the risk management toolbox?
A board’s considerations of cyber risk include identification of risks to avoid, accept, mitigate or transfer through insurance. Organizations should keep abreast of how the insurance market is changing in order to make cyber insurance an effective tool for transferring cyber risk.
Cyber modeling and benchmarking tools help companies determine how much insurance they might purchase and how much risk to retain; but for such modeling to be accurate, cost data and the related ramifications of cyber exposure must be widely available. Some companies not only have difficulty quantifying and measuring the impacts of cyber breaches, but also see a risk in publicizing their exact losses because doing so could create reputational risks and unintended consequences. Effective cyber modeling must incorporate cyber exposure, its frequency and its severity, which in turn allows companies to distinguish the insurable from the uninsurable aspects of the risk. Progress is being made in honing the precision of such risk modeling, but it is not quite there yet.
“The cyber insurance market seems to be very dynamic right now,” says Sharma. “It’s not like traditional insurance where the risks are known. With cyber, there are changes every day. A lot of risk insurance companies are now starting to grapple with how to underwrite cyber policies because they have to be comfortable with the risk profile for the company so that they understand what types of risks they’re taking on. Still, more and more businesses are looking at cyber, and having cyber insurance is now becoming a consideration or a part of their cyber strategies.”
Currently, most insurers offer cyber policies that allow companies to choose which coverage is appropriate for the organization, but the average take-up rate for cyber insurance among US businesses is only 24%, according to the Council of Insurance Agents and Brokers (CIAB) [3]. That percentage could climb, however, if businesses, insurers and the tech community better align and collaborate to define the appropriate “risk transfer” model that works with cyber insurance. Despite the challenges, the CIAB expects the developing cyber insurance market to remain favorable and to expand.
Managing cyber risks is a multifaceted process. Cyber risk is pervasive, and organizations and boards need to identify their breach exposure, pre-emptively identify counterparty risks, develop an incident response plan and decide how much risk to transfer, including whether to purchase cyber insurance.
For boards, it involves knowing and overseeing the steps a business has taken in terms of preparedness and building an active defense against cyber attacks. Cyber insurance is becoming a more important element of this. It’s not a cure-all, but it’s a new and important tool to be better understood and watched to see how it develops.
[1] Larry Ponemon, “Cyber crime costs jump by 19 percent,” Ponemon Sullivan Privacy Report, 13 October 2015.
[3] Mark A. Hoffman, “Cyber insurance market continues to expand,” Business Insurance, 29 October 2015.