Cyber risk is not 'just' a technical issue but a business risk that threatens all parts of the organisation and therefore needs to be dealt with at a boardroom level.
In order to protect the company appropriately, boards must ensure clear responsibility and ongoing vigilance as senior managers are increasingly required to engage in 'legal' conversations around this topic.
The recent ransomware cyber-attack in the US that forced Colonial Pipeline to shut down the main part of its network has again showed the devastating effect such incidents can have on an organisation. The 5,500-mile (8,900km) pipeline network supplies nearly half of the East Coast's fuel. With high-tech sensors and safety systems taken offline, the firm was forced to hire dozens of staff to walk or drive the 5,000-mile length of the pipeline every day. The incident has caused gas prices to surge and gas stations in multiple states to experience shortages, while exerting immense pressure on executive board members as the incident gathered attention globally.
Liability exposure
Quite apart from the business management of risk, the issue of potential personal exposure for directors and officers for failing to mitigate cyber risk is a real and ever-present issue. Despite the recent surge in cyber-attacks, and particularly ransomware assaults, research by the Institute of Directors indicates a disconnect between IT staff, who live and breathe cyber-security and understand the consequences, and other staff in an organisation who may be aware of the issues but just aren't internalising them.
A failure to recognise certain events as financial threats is a management oversight and a potential directors and officers (D&O) liability exposure. Consider the following examples:
- Cyber extortion demands and expenses
- Liability to third parties for data breaches and the failure to protect confidential information
- Liability to third parties for cyber events, such as spreading of malware, or an inability to access online services
- Regulatory fines and penalties
- First party costs to remediate a cyber-attack, including legal fees, public relations costs, IT forensic costs
- Reallocation of internal resources
- Business interruption loss
- Reputational harm
- Damage to hardware and/or software including digital assets.
Quantifying the financial risk
A financial quantification of expected or probable losses arising out of a number of different scenarios is a sensible starting point. Companies can benefit from decades of historical loss data in the insurance sector and calibration tools are available to assist in the calculation of potential losses.
Financial quantification is the first step to enable fully-informed decisions, including a consideration of whether possible loss outcomes can be mitigated by:
- Investment in tighter cyber security protocols
- Risk transfer to insurers
- Both
Assessing the cyber robustness
Cyber risk readiness can be measured. Performance indicators might include, for example, a high vendor-measured security rating, or an analysis of performance when compared with similar organisations. Peer benchmarking in particular is highly valuable when assessing whether a business is meeting a broader sector standard of care.
Performance metrics will extend across a number of disciplines but can include the timely patching of vulnerabilities, regular employee awareness training among other 'maturity' benchmarks.
These metrics can help identify vulnerabilities and areas that need improvement, which over time will reflect in better performance and ratings. The higher the performance, the less likely an organisation is to experience a cyber breach, and the less likely that organisation is to suffer a financial or reputational loss. High cyber security performance is a key indicator of good governance, which is likely to translate into better business confidence and shareholder value.
Recommendations for board members
It is vital that there is a strong alliance between the board and the business's cyber risk professionals; not just communication of the relevant performance measures themselves, but also the contextual and situational awareness to bring those performance measures to life.
If improvements are required, costs should be measured against the benefits, for example:
- expedited international expansion
- reinforced product security
- an embedded competitive differentiator
- well-informed management of the supply chain risk
The board needs this information to allow a translation of the raw performance numbers into opportunities and financial return. This contextual level of discussion will instil confidence in non-technical directors, customers and other stakeholders, and allow the board to understand, rationalise and fulfil its oversight responsibilities appropriately.
Constant monitoring
The cyber threat does not stand still ― it is a dynamic environment that requires constant monitoring to allow for the development of appropriate response measures.
Investments in cyber security mean future proofing the company in critical areas of legal risk, data handling and security breaches, ensuring that the organisation and its officers are well protected from a D&O liability perspective, client liability, regulatory issues, and other financial implications.
For further information, please contact:
Vanessa Cathie, Vice President Global Cyber & Technology
T: +44 (0)20.7933.2478
E: Vanessa.Cathie@uk.lockton.com