Webcast: Steps Toward Cyber Risk Resiliency
Some businesses already have plans and processes in place to manage and mitigate evolving cyber risk, but many still have a long way to go before achieving cyber risk resiliency, according to panelists on Marsh’s The New Reality of Risk® webcast.
Asked to rank the three most important elements of their cyber risk management strategy, nearly half of the webcast participants selected incident response plans and understanding and quantifying cyber-driven business interruption risks. But only 29% of respondents said they were confident that their organizations’ cyber risk management planning fully prepares them for a business interruption loss stemming from a cyber event. And less than half said their organizations’ cyber risk strategy included international data and privacy regulations.
The evolving nature of cyber risks constantly challenge organizations to keep pace with the exposures. This was underscored by this year’s WannaCry and NotPetya attacks, where many organizations suffered significant business interruption losses.
Cyber-attacks are evolving as organizations’ use of data and technology evolves, said Steve Chabinsky, a partner with White & Case LLP. “Our networks and our network security programs are becoming more complex over time, not less — and complexity always leads to more vulnerability,” he said. The increasing reliance on Internet of Things (IoT) devices is also creating vulnerabilities that can exploited by attackers, as in the 2016 Mirai botnet attack.
At the same time, data privacy risk should not be overlooked, especially as regulators continue to strengthen data protection rules, the webcast panelists said. The European Union’s General Data Protection Regulation (GDPR), which will take effect in May 2018, gives individuals enhanced rights to protect their personal data, including the “right to be forgotten.” Businesses that collect and use data — and subcontractors that process data — will need to comply with the GDPR, which includes strict accountability and financial consequences for companies that violate the regulation.
A recent Marsh survey found that two-thirds of organizations subject to the GDPR say that they are preparing for or are compliant with the new rules. But preparedness varies significantly by company size and other factors.
Data mapping is one way organizations can achieve cyber risk resiliency and comply with the GDPR and other key regulations. “Data mapping allows for a meaningful legal analysis of what laws or contractual provisions apply, and how best to comply,” Chabinsky said. “The best practice for handling data is to know what you have, what you’re doing with it, and what laws apply.”
Moreover, businesses must look at cyber risk holistically. “Cybersecurity cannot be simply reduced to a technical issue — it has to include physical and personnel security,” said Jamie Saunders, a strategic cyber consultant with Marsh Risk Consulting. “It’s also vital that you take full account of any third-party suppliers who hold your data or on whose services your company depends.”
Senior leaders, including boards of directors, should also be engaged in their organizations’ cyber risk strategy. “Too many business leaders have been caught by surprise by the extent of their exposure to cybersecurity risk, and have been taken aback to learn that they were more vulnerable than they had been led to believe,” Saunders said. “Boards should expect a level of assurance commensurate with the severity of the risk.”
And insurance should be considered as part of an organization’s cyber risk strategy. “If we look at cyber resilience from the CFO or treasurer’s perspective, it involves implementing the right mix of cyber risk mitigation, risk quantification, and risk transfer strategies,” said Bob Parisi, Marsh’s cyber product leader. “Risk transfer, be it through a commercial policy or captive, is an integral part of cyber resiliency.”
Insurers are addressing business interruption and other cyber risks beyond data and privacy breach, Parisi said. “Cyber underwriters now include not just technology errors and omissions underwriters but staff with information security, legal, and even defense department experience,” he said. “Insurers also have taken the time to reach out to their property and casualty colleagues to better understand how to address and align coverages.”