When Facebook chairman and CEO Mark Zuckerberg faced the press after hackers stole data from up to 50 million social networking accounts last September, he said “we need to do more to prevent this from happening”.
It’s a typical response, the sort of reaction you get from CEOs when the data horse has already bolted. Unlike the CEO of Equifax, which saw 693,000 UK data records stolen in 2017, Zuckerberg kept his day job.The problem most boards have is that, following a cyber-attack and data breach, there is little more you can say other than “sorry”.
For Facebook and the many other businesses that suffered cyber-attacks in 2018, the real implications are still being felt: lost revenue, lost customers, fines (Facebook was fined £500,000 by the UK’s ICO) and ongoing reputational damage. The average cost of a data breach to a business is around $3.86m. For all businesses—even Facebook—it’s not just a case of “doing more” and expecting this will be sufficient in preventing further attacks.
If 2018 proved anything, it’s that everyone and everything is a target, hackers are persistent and mistakes happen. This is why the forecast figures are always rising. On a global basis, cybercrime will cost $6trn annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures. It’s one of many similar forecasts.
The important thing to remember is that it’s not someone else’s problem to solve. As AON revealed in its Global Risk Survey 2018, cybercrime is top of the charts when it comes to ranking risk, so businesses and boardrooms have to take control and minimise that risk where possible.
“There is no such thing as 100% secure,”says Mark Camillo, head of cyber, EMEA at global insurance organisation AIG. Understanding the gravity of the cybersecurity threat and how to manage resources effectively to mitigate against it should be fundamental to boardroom decision-making. It’s about top-down culture: if the boardroom takes it seriously and acts, the rest of the organisation will take it seriously too. A key part of that is being prepared for all eventualities.
Make a plan
A cybersecurity plan should be as much about cure as prevention. If you accept, in all likelihood, that at some point the business will be breached, the mindset has to be about continuity and recovery. No board wants to see all the hard work of a business be undermined within a few days due to a cyber-attack.
Every business should have a cybersecurity policy. This is essentially a plan for making sure the whole organisation pulls in the same direction when it comes to preventing attacks, but also knowing what to do post-breach. A comprehensive plan for
protecting data, networks and devices will ensure nothing is left to chance.
A cybersecurity policy should cover four main areas—compliance, infrastructure protection, recovery and employees.
- Compliance Detail what is expected of the business when it comes to managing data and how to adhere to the EU’s data protection rules in GDPR or US rules such as the HIPAA.
- Infrastructure protection What and who will be protecting the data? Ensure that there is a coherent plan of protection, from a multi-layered software approach (antivirus, firewall, anti-malware and anti-exploit software) to comprehensive insurance cover. Who is in charge of this and how will software updates and patches be applied and data backed up?
- Recovery Who does what in the event of a breach? What is the action plan to isolating an incident and getting the business back up and running as quickly as possible? Who is going to communicate with regulation bodies, customers, partners and suppliers and deal with an insurance claim?
- Education The business needs a clear communication strategy to all staff about internet and email usage and best practice. Clear guidelines on what is acceptable usage, how to detect scams, how remote workers should access the network, social media regulations, password management systems and reporting incidents.
Building a plan will focus the minds of the board. Cybersecurity is no longer a specialist field that concerns only the IT department or a chief security officer. A breach can affect the whole organisation and even put it out of business, so cybersecurity awareness training is now essential for everyone within the company. Human error is after all, the biggest culprit. According to Experian’s Managing Insider Risk Through Training and Culture report, 66% of the data protection and privacy training professionals questioned said employees were the weakest link.
The insurance safety net
More than ever, businesses need to protect themselves, physically, virtually and financially, from the threat of cyber-attack. By transferring risk to an insurer, boards can build a robust strategy to deal with threats.
Knowing where to start is often a problem, but risk can be measured. An insurance firm or broker should be able to model a company’s risk and provide feedback in terms of how their current risk level will translate in terms of premiums. This will also have recommendations on how to improve their risk score.
“We are modelling risk, looking at attack probability, claims data, internal security controls and so on to build a picture of a company’s risk,” says Camillo at AIG, adding that this data also builds a benchmark for vertical sectors. “This also helps with modelling risk costs and give companies clearer insight into what they need to do to reduce risk and insurance premiums.”
Interestingly, despite being one of the biggest safety nets for businesses, insurance is underutilised when it comes to cybersecurity. A survey in August last year by digital research firm Ovum found that only 38% of firms had cybersecurity insurance covering all eventualities. The survey also revealed a lack of understanding among companies of the impact a cyber-attack can have across an organisation.
A risk assessment goes a long way to educating both boardrooms and management, and bringing cyber intelligence into the business. “It’s an essential tool in giving more transparency and intelligence back to companies, and an entry point to more comprehensive cover that could also include incident response, forensics and legal and PR support from crisis management experts,” says Camillo at AIG.
A recent PwC report believes this is the future, and it’s already gaining recognition from organisations looking for solutions to the growing threat. PwC estimates that annual gross written premiums for cyber insurance will rise from roughly $2.5bn today to $7.5bn by the end of the decade. “Businesses across all sectors are beginning to recognise the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape,” says the report.
However, the problem for the board is identifying policies that work specifically for cybersecurity and are not just bolted-on, often expensive, extras. As the Ovum study found, 62% of US companies reported they don’t believe their cyber insurer priced their premium based on an accurate analysis of their risk. This has to be an education for both insurer and insured, and demands more extensive risk modelling.
As with all specialist insurance sectors, cyber insurance cannot blanket cover a business and expect to be sufficient. Cover has to be designed to meet the urgent needs of a breach. It has to be 24/7 responsive, help cover investigations and fines, protect a business from the intensive costs of data recovery and reputational mitigation but also lost revenue.
Supplier and customer trust are fundamental to the ongoing success of a business. Few if any businesses can afford to jeopardise that trust. A cybersecurity breach, with potential loss of sensitive data is now one of the biggest, if not the biggest threat to that trust, placing more importance than ever on remediation, insurance and that often under-appreciated notion, peace of mind.
TOP FIVE RECOMMENDATIONS FOR MANAGING CYBER RISK
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular time on board meeting agendas.
- Board directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board–management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
For more details download the Internet Security Alliance’s Managing Cyber Risk: A Handbook for Boards of Directors.
This article was produced in association with AIG, which is a supporter of Board Agenda.