Cybersecurity: Setting the tone at the top
Published 22 May 2020 (updated 15 July 2021), Commercial Risk Online: https://www.commercialriskonline.com/cyber-security-setting-the-tone-at-the-top/

An organisation’s approach to cybersecurity must be embedded within its overall approach to enterprise risk management, with boards responsible for enabling the right culture and frameworks, explain Sebastian Hess and Stephen Morton.

Companies and their boards are faced with a highly dynamic cyber risk landscape, including more targeted ransomware threats and, more recently, exposures associated with increased remote working. The latest handbook from the European Directors’ Association (ecoDa) and the Internet Security Alliance (ISA) offers European corporate boards a series of strategic recommendations and guidance with which to establish an enterprise-wide cyber risk management framework.

Under constant bombardment

A world in lockdown has become a world in which attackers are seeking to exploit fears and potential weaknesses in security introduced by remote working. The latest research figures paint a stark picture. Even in an age of more stringent data protection regulations and increasing cybersecurity expenditure, companies remain vulnerable to breaches of sensitive data. The number of breached records globally surged by 273% in the first quarter of 2020 compared to Q1 2019, according to Atlas VPN (1).

Three years on from the WannaCry attack, which impacted businesses in 150 countries, ransomware losses are becoming more frequent and severe, according to AIG claims statistics. This is backed up by an external study (2), which shows the number of ransomware attacks has indeed increased each year since 2017. It is not just the prevalence of ransomware that poses a threat, notes Mark Camillo, head of cyber, EMEA at AIG. It is also the fact that attacks are becoming more deliberate, with ransom demands that often begin with six or even seven figures.

Improved corporate cybersecurity raises the bar for attackers, who must become more targeted in order to maintain their revenue streams. “Before, it used to be blanket malware where the cybercriminals were asking for fairly low amounts,” Mr Camillo says. “Now they’re taking the time to carry out more targeted attacks, and they are basing the ransom payment on how many servers they’re able to encrypt. So, you’re definitely seeing the quantum on these ransoms increase fairly dramatically.”

The profile of potential ransomware victims has broadened over time, as illustrated by AIG’s proprietary data within its Cyber Claims Intelligence Series. Financial institutions, retail firms and others holding significant amounts of sensitive data continue to be targeted by cyberattacks, but the modus operandi has shifted, with a resulting impact on the risk landscape. Many of the more severe claims being reported to AIG are coming in from businesses that traditionally did not take out cyber insurance, including manufacturing and transportation logistics.

A boardroom liability

ISA’s cyber risk oversight handbook, developed in partnership with ecoDa and AIG, aims to support European corporate boards as they seek to protect their businesses and people from cyber threats. It acknowledges that cyber risk is a board liability, with reputational and legal consequences when breaches and other cyber incidents occur.

The handbook is intended to promote the continued adoption of uniform cybersecurity principles for corporate boards, not only in Europe but across the globe. It recognises that an organisation’s culture surrounding cybersecurity is set at the top and is not simply a technical issue that can be left within organisational silos. “Boards need to own this risk and sufficiently challenge executive management on cyber to make sure that whatever their approach is to cybersecurity, it appropriately reflects what the business needs are,” says Mr Camillo.

The following is a summary of the five principles for managing cyber risk, along with key recommendations.

Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

Key recommendations: