Governing Cyber Risk: Grabbing the Bull by the Horns
“The digital revolution has brought many opportunities, but it has also brought cyber risk. Businesses are responding, but often with limited information on the risks they face or limited ability to validate whether they are doing enough of the right things. Add the General Data Protection Regulation (GDPR) to the mix, and boards have the unenviable task of governing an intangible and ever-evolving risk.
Of course, cyber risk arises because of technological change – but cyber is fundamentally “just another risk”, albeit one with some unique characteristics. The same tried-and-tested risk management disciplines that companies apply to all of their other top-level risks need to be applied to cyber. The difficulty is that cyber risks are often presented in complex technical terms, leaving boards as passive recipients of reporting, rather than as active participants and challengers.
Although cyber risk is constantly evolving, boards need to take ownership and ensure that cyber risk management is prioritised and executed in line with the company’s risk tolerance and other strategic risk considerations. This requires a layered approach: specialist functions address day-to-day IT and security operations, while senior management and the Board ensure that the right actions are being taken to keep cyber risk within the Board’s overall risk appetite.
However, there isn’t much guidance to help companies integrate cyber risk into their existing enterprise risk management (ERM) processes, or to help draw out the strategic-level considerations that should be of most concern to boards. On the flipside, there are a variety of standards and best practices that can help companies manage the detailed technical and operational elements of cyber risk governance. But exhorting boards to examine detailed issues concerning the functioning of IT and security operations is unlikely to provide them much assurance. Instead, they need to focus on more fundamental questions of strategic exposure, structural accountability, and corporate resilience and preparedness.
And although there is no magic formula, a cyber risk governance review that uses these elements to benchmark a company’s performance against its peers is a good place to start. It can also identify practical steps to improve the way cyber risk is managed within the company. By assessing current performance against peers, boards will have a clearer view of their current posture and be better placed to assure investors and other external stakeholders of the strengths and acknowledged weaknesses of their approach.”*
* In April 2018, Marsh and TheCityUK published Governing cyber risk - a guide for company boards. While this report has emanated from the UK market, we deem it a very good reference for our Marsh Ireland clients and their respective company boards. The report is available to download at: https://www.marsh.com/content/dam/marsh/Documents/PDF/UK-en/governing-cyber-risk-report.pdf