A holistic approach to cyber risk management
The digital revolution has meant that organisations are becoming increasingly connected, businesses are more open, and many companies have longer-term relationships with customers than ever before. At the same time, cybercriminals are constantly expanding their own scope and capabilities, leading to an unprecedented level of sophistication. This, coupled with an increasingly complex regulatory environment, means that companies of all sizes and industries have seen a significant increase in cyber risk – thus reinforcing the need to develop their cyber resilience.
Historically, companies often looked at cyber risk from an internal perspective – the integrity of their own systems, data, controls and processes around protecting their critical digital assets. And while this is still an important facet of information security and risk management, there is much more to cyber resilience than the integrity of internal networks. It is about understanding the importance of preparation and response, and how pre- and post-breach cyber services and even cyber insurance can play an important role in cyber resiliency, both from an internal perspective, as well as across all relevant stakeholders – including suppliers, vendors, customers and employees.
Preparation and response
There has historically been a focus on cybersecurity, but it is no longer enough just to have technology trying to protect the business from outside attack. There is a growing need for companies to look at how to prepare for attack scenarios and respond to incidents and breaches. Organisations suffer cyberattacks every day, but it should not necessarily mean that the business is severely impacted.
There is an increasing acceptance and awareness by the general public that cyber incidents are going to happen with greater frequency. But how swiftly an organisation responds, how forthcoming they are about it and, most importantly, how quickly they can minimise any impact to customers, has a major impact on how the public views the organisation.
This is why we encourage companies to focus on redundancies and incident response programmes so that they are prepared and can minimise the impact both on quantifiable damage and reputational harm.
Pre- and post-breach services
Business leaders want to ensure that they are prepared, so that if an incident happens, they have a plan to recover as fast as possible. The services that companies can seek typically fall into two categories: pre- and post-breach. Pre-breach services are largely focused on becoming more cyber resilient. Companies are asking: how do I better manage cyber risk, how do I mitigate it, and what steps can I take to minimise any vulnerabilities?
Vulnerabilities are often found externally – if suppliers and other parties are not using the same diligence or standards, these vulnerabilities will further extend in the supply chain. Companies need to be aware that their supply chain may not have enough time and resources to invest in security and therefore could become a threat.
User-awareness training and education about social engineering is also extremely important. It can be relatively simple things, such as recognising a phishing or social engineering attack, or thinking twice before clicking on a link. It is sometimes referred to as basic ‘cyber hygiene’, with the idea that eventually these actions will become second nature to people. But for now it has to be reinforced and companies have to be vigilant because the threats are becoming more sophisticated and targeted.
The second category of services are post-breach services and often refer to those activities that are needed if and when a company experiences a cyber incident. These can include crisis management services such as notification costs, public relations expenses and forensic costs associated with determining the scope and severity of the incident. Such costs can be expensive and add up quickly. Having dedicated providers and procedures in place prior to an incident actually occurring is often the best way to minimise the impact to the company, both from a first- and third-party perspective.
Insurance and risk mitigation
In addition to being prepared for an incident, cyber resilience can also be supported through the procurement of a dedicated cyber insurance policy. Having an insurance policy in place to cover the costs associated with a cyber incident is often viewed as the ultimate backstop. But cyber insurance can not only provide an effective method of risk transfer, it can also provide a variety of services, including those pre- and post-breach services necessary for cyber resilience. A cyber incident can be disruptive to a company, but it does not have to destroy it.
Getting the right balance
In all of this there is a balance to be achieved: a company needs to be protected and prepared, but it also needs to run its business to make profit and take advantage of opportunities. Ultimately, this means that cyber is no longer just a technical issue but an emerging business challenge.
Business leaders must make decisions every day but these often come with trade-offs, and cyber resiliency is no different – how much is this risk worth and how much do they want to invest? What is the most cost-effective way to reduce the risk to a level acceptable to the business? An organisation might need increased speed to market for a product, but it might have to compromise security as a result. Or increased security in a particular area might compromise the speed to market.
The challenge in cyber risk management is trying to keep equilibrium but understanding that there needs to be give and take. Getting the correct balance between cost, security and speed can not only build cyber resilience but also enable businesses to create opportunities.
Contributed by Lori Bailey, global head of cyber risk, Zurich Insurance Group, and Ronen Lago, CTO and co-founder, CYE
