An organisation’s approach to cybersecurity must be embedded within its overall approach to enterprise risk management, with boards responsible for enabling the right culture and frameworks, explain Sebastian Hess and Stephen Morton.
Companies and their boards are faced with a highly dynamic cyber risk landscape, including more targeted ransomware threats and, more recently, exposures associated with increased remote working. The latest handbook from the European Directors’ Association (ecoDa) and the Internet Security Alliance (ISA) offers European corporate boards a series of strategic recommendations and guidance with which to establish an enterprise-wide cyber risk management framework.
Under constant bombardment
A world in lockdown has become a world in which attackers are seeking to exploit fears and potential weaknesses in security introduced by remote working. The latest research figures paint a stark picture. Even in an age of more stringent data protection regulations and increasing cybersecurity expenditure, companies remain vulnerable to breaches of sensitive data. The number of breached records globally surged by 273% in the first quarter of 2020 compared to Q1 2019, according to Atlas VPN (1).
Three years on from the WannaCry attack, which impacted businesses in 150 countries, ransomware losses are becoming more frequent and severe, according to AIG claims statistics. This is backed up by an external study (2), which shows the number of ransomware attacks has indeed increased each year since 2017. It is not just the prevalence of ransomware that poses a threat, notes Mark Camillo, head of cyber, EMEA at AIG. It is also the fact that attacks are becoming more deliberate, with ransom demands that often begin with six or even seven figures.
As companies improve their approach to cybersecurity, this raises the bar for attackers, who need to become more targeted in order to maintain their revenue streams. “Before, it used to be blanket malware where the cybercriminals were asking for fairly low amounts,” Mr Camillo says. “Now they’re taking the time to carry out more targeted attacks, and they are basing the ransom payment on how many servers they’re able to encrypt. So, you’re definitely seeing the quantum on these ransoms increase fairly dramatically.”
The profile of potential ransomware victims has broadened over time, as illustrated by AIG’s proprietary data within its Cyber Claims Intelligence Series. Financial institutions, retail firms and others holding significant amounts of sensitive data continue to be targeted by cyberattacks, but the modus operandi has shifted, with a resulting impact on the risk landscape. Many of the more severe claims being reported to AIG are coming in from businesses that traditionally did not take out cyber insurance, including manufacturing and transportation logistics.
A boardroom liability
ISA’s cyber risk oversight handbook, developed in partnership with ecoDa and AIG, aims to support European corporate boards as they seek to protect their businesses and people from cyber threats. It acknowledges that cyber risk is a board liability, with reputational and legal consequences when breaches and other cyber incidents occur.
The handbook is intended to promote the continued adoption of uniform cybersecurity principles for corporate boards, not only in Europe but across the globe. It recognises that an organisation’s culture surrounding cybersecurity is set at the top and is not simply a technical issue that can be left within organisational silos. “Boards need to own this risk and sufficiently challenge executive management on cyber to make sure that whatever their approach is to cybersecurity, it appropriately reflects what the business needs are,” says Mr Camillo.
The following is a summary of the five principles for managing cyber risk, along with key recommendations.
Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
- Information security should not be considered as purely a technical issue left to the IT department
- Cybersecurity has to be perceived as an enterprise-wide risk management issue through the whole lifecycle of the company
- The risk oversight should be a function of the full board
- The board should not rely on a one-size-fits-all approach – the members have to define their own tailor-made plans
- The board should develop the right culture inside the company to ensure that all employees take cybersecurity seriously
- The management’s duty is to make information related to the prevention, detection and response capabilities and knowledge of the maturity scale in which the company operates, available to the board. In doing so, the management should not consider only the organisation’s own networks, but also its larger ecosystem.
Principle 2: Directors should understand the reputational and legal implications of cyber risks as they relate to their company’s specific circumstances
- Cybersecurity is not just about reputational issues, it is also about liability of board members
- Board members should have a good knowledge of the existing legislations, whether at the European or national level, or even industry-specific in order to exercise properly their duty of care.
Principle 3: Boards should ensure adequate access to cybersecurity expertise and appropriate reporting, at both board and committee level
- Board members should employ the same principles of inquiry and constructive challenge as for strategic decisions
- The board has the duty to precisely specify its expectations to the management and be directive in the type of information they wish to receive
- Even if cybersecurity is entrusted to a specific committee, the full board should feel concerned and get at least quarterly debriefings from the management
- Cybersecurity should not be treated as a standalone topic. It must be embedded in all dimensions of the company’s strategy.
Principle 4: Board directors should ensure that management establishes an enterprise-wide cyber risk management framework which encompasses culture, preventive, detective and response capabilities, and monitoring and communication at all levels. Resources should be adequate and allocated appropriately by the strategies adopted
- Management should establish both an enterprise-wide technical framework as well as a systematic framework (with a forward-looking approach) to facilitate board oversight of cyber risk
- Management should have an integrated approach to cyber risk in order to establish a clear accountability framework, clear processes and communication guidelines
- Management should opt for a bottom-up aggregation approach
- The board and senior management should set the tone at the top and develop the right culture and raise awareness to develop cyber resilience.
Principle 5: Board discussion about cyber risk should include strategies on its management (mitigation, transfer through insurance or partnerships, etc)
- The board should consider the return on cyber investments and shift to a risk-based approach
- Cybersecurity must be conceptualised as a measure of future loss.
The role of risk transfer
Cyber insurance plays an important role in sharing some of the financial risk of a cyber loss. But it is just one part of an organisation’s cyber risk management approach. The role of cyber insurers and brokers is to work proactively with clients to mitigate the chance of a loss occurring. With clients currently highly exposed to ransomware attack, AIG is focused on loss prevention by providing services such as training, vulnerability scanning and threat intelligence to help clients avoid a loss from occurring.
It is the role of the board, together with the executive management, to find the right equilibrium between the risks that will be shared with the insurer and other expenditures made to enhance the organisation’s cybersecurity, and mitigate its exposures.
There has been a natural progression towards multinational cyber insurance. For multinational organisations, deciding where to implement a local policy can be complex. It is important to understand where they have potential cyber exposures, including from customers, suppliers and servers, as well as where coverage may be required by local counterparties and whether a claim will need to be paid in country. As the cyber insurance industry continues to grow and mature, with an increasing emphasis on affirmative coverage, it is important to ensure there are no exposures not contemplated and as a result, left uncovered.
Captives are more and more frequently being used as retention vehicles for cyber risk and it is one of the fastest-growing captive business lines. Captives are another important potential tool to use in an enterprise-wide cyber risk management framework.
Contributed by Sebastian Hess, cyber risk adviser, EMEA at AIG, and Stephen Morton, head of multinational at AIG Europe.