Cyber Risk: Adapting to the Changing Landscape
The COVID-19 pandemic is accelerating the pace of digitization across every stage of the product lifecycle. The move to adopt new technologies and ways of working to bring products to market urgently could mean that assessing cyber risk is not prioritized, leaving organisations exposed.
Adapting to a Changing Environment
The COVID-19 crisis has only accelerated cyber-criminal interest and activity beyond predictable levels. The consequences of an attack for existing operations, intellectual property safeguarding, and reputation are severe. As every system has vulnerabilities, companies should take a holistic approach to reviewing each stage of the product life cycle. Identifying vulnerabilities will allow companies to devise a robust risk mitigation plan.
- Undertake an exercise to define the main forms of cyber threat faced by the business; identify the underlying cause and loss consequences (such as liability to stakeholders, reputational damage, property and asset damage, and business interruption), and score cyber loss scenarios based on likelihood and impact.
- Quantify the level of cyber risk exposure in relation to a data breach and/or system interruption to understand how much investment is required, in terms of risk mitigation and management, to optimize risk transfer solutions.
- Evaluate the current cyber security maturity of the organisation to identify strengths and areas for improvement across the organisation; do this against a leading cyber security framework. Benchmarking maturity can help organisations develop a balanced cyber mitigation and management strategy.
- Recognize that this process is an ongoing activity that needs to be refreshed at least annually. Some exercises, such as compliance, low-level risk management processes, and technical evaluations at a project and operational level, need to be refreshed on an ongoing basis.
- Assess your risk appetite. With new collaborations, joint ventures, and increased M&A activity to meet the COVID challenge, organisations should very carefully evaluate the technical debt or cyber risk that they take on during product or organizational M&A activity, to avoid unanticipated risk exposure. Companies can do this by developing a cyber due diligence process alongside other areas of due diligence, such as financial, during a transaction.
A strategic overview of the organisation's cyber security position goes beyond IT teams. Taking a complete view of people, processes, and technology, and developing a culture of risk awareness and ownership from the top down across the organisation is essential.