Cyber risk gains prominence in corporate risk management

Threats grow and regulation adds pressure

According to data provided by INCIBE (the Spanish National Cybersecurity Institute), Spain was the third most attacked country in the world in 2017 with 120,000 incidents, behind only the United States and the United Kingdom; and everything seems to indicate that 2018 has exceeded this number, since by the end of August 88,677 incidents had been managed, of which 83,165 (94%) corresponded to citizens and businesses and 5,512 (the remaining 6%) to the academic network and critical operators.

This increase in threats, together with the pressure exerted by General Data Protection Regulation (GDPR) compliance, in force since May 25, 2018, has forced companies to become aware of the need to manage cybersecurity and to define responsibilities for it.

In this scenario of cyber risk and regulatory compliance, business organizations should appoint new roles such as the Data Protection Officer (DPO) or the Chief Information Security Officer (CISO).

On the other hand, we observe that information security standards and best practices, such as ISO 27001, SOC 2, the ENS (Spanish National Security Scheme) and the EBA (European Banking Authority) recommendations, among others, identify management as ultimately responsible for cyber risk, just as for traditional risks such as technological, financial and legal risk.

The law firm Allen & Overy LLP and the global risk management brokerage and consulting firm Willis Towers Watson have produced a report on directors' risks and liabilities. For the first time, in 2018 they observed that respondents' top concerns are data loss/breach and cyber attacks, which, although not new, are now rising quickly, as shown in the following picture.

The report highlights some significant data:

  • 51% of public companies experienced a cyber attack or data loss last year, up considerably on the 30% that did so in 2017.

  • 43% of large employers have experienced a regulatory claim involving a director in the last 12 months, and 38% of listed companies.

  • The regulatory focus on personal accountability is changing company behaviour, with 60% saying it is impacting decision-making processes, while half say that their company's risk appetite is changing.

  • Health and safety legislation impacting on a company's business is now a significant concern for 37% of respondents, as against just 18% of those surveyed last year.

Who leads information security management?

One of the biggest challenges facing the board of an organization in relation to the treatment of cyber risk is determining who should lead information security management. In this sense, companies face the dilemma of choosing between the generalist and the specialist.

In September 2018, the results of a global survey of more than 450 companies worldwide, sponsored by Willis Towers Watson, were published. It found that almost 40% of respondents considered that the board of directors should monitor cyber risk, while 24% considered that it should be a specialized cyber committee.

The report includes this quote from Anthony Dagostino, global head of cyber risk at Willis Towers Watson: "Cyber resiliency starts with the board, because they understand risk and can help their organisations set the appropriate strategy to effectively mitigate that risk. While CISOs are security specialists, most of them still struggle with adequately translating security threats into operational and financial impact to their organisations – which is what boards want to understand. To close this communication gap, CISOs need tools that can help them quantify and translate the vulnerabilities uncovered from their cybersecurity maturity assessments." In this sense, closing that communication gap means giving CISOs tools that help them quantify and translate the vulnerabilities discovered in their security assessments.

José de la Peña Muñoz, Director of SIC magazine, in his article "Corporate Cybersecurity: Who is in charge here?", also insists that cybersecurity management should be approached from a corporate point of view: "There is no other focus for cybersecurity management than the corporate point of view (some private companies began years ago to orientate themselves in this line), because the risk is corporate and because the Boards of Directors are aware of their responsibilities and, unlike what happened before, they know their companies are exposed to cyber-attacks and they have an obligation to defend them."

Tools to support risk management

Managers, executives and CISOs can and should prepare for this new regulatory approach to their individual conduct, which makes them ultimately responsible for cybersecurity incidents and exposes them to heavy sanctions. In this respect, the Allen & Overy and Willis Towers Watson report points to cyber insurance and compensation as the main mechanisms of defence; but neither of them reduces the penalties derived from dishonest, fraudulent or criminal conduct. In any case, it is always better to anticipate and prevent. It is therefore essential to develop a cyber risk management plan that includes security assessment and guarantees the strength and resilience of the organization in the face of security threats and incidents.

Within the risk management plan, LEET Security's cybersecurity rating is an excellent tool: on the one hand, it allows an organization to know its level of cybersecurity capabilities and consequently reduce its exposure to risk, and on the other, to demonstrate the cybersecurity level it has adopted. In addition, by requiring the rating of service providers, this risk management extends to the supply chain, showing due diligence both in the treatment of internal risk and in the risk that arises in relationships with third parties. This is why it can additionally impact the insurance policy with a cost reduction.
