September 18, 2015
7 Stakeholders for Cyber Risk
by Tom Reagan
Cyber risk management is no longer just an IT issue: employees, the board and even customers and suppliers now have a stake.
Imagine you’re the CFO at a firm involved in sensitive M&A discussions with your bankers, and you receive an email asking for a small bit of non-public information on your company, the kind you’ve passed on before. You send the information – and later find you were the victim of a sophisticated cyber-attack.
Now imagine you’re in charge of operations at a manufacturing facility. Out of the blue, your employees report that they have lost control of key systems. It’s impossible to shut down a blast furnace correctly, endangering the safety of employees and others and threatening massive damage. You, too, have been the subject of a cyber-attack.
These events underscore the new reality in cyber risk management: It is no longer just an IT issue. Everyone – from individual employees to risk managers to your board of directors – now has a stake in managing cyber risk comprehensively, across the enterprise.
Following are seven key stakeholders to consider as you look at your cyber risk management strategy:
- Risk manager: Risk managers can ensure various stakeholders are connected in terms of assessing, managing and responding to cyber risk. Understanding the evolving cyber insurance market and overall risk finance options is also important.
- CFO: Concerns range from the potential costs of a cyber event and what the impact could be on the bottom line to the security of the office’s sensitive information.
- CEO/board of directors: Accountable for overall business and company performance, they have a fiduciary duty to assess and manage cyber risk. Regulators, including the Securities and Exchange Commission and Federal Trade Commission, have made clear they expect companies’ top leadership to be engaged on the issue.
- Legal/compliance: As regulations around cyber develop, legal and compliance roles become increasingly important in keeping other stakeholders informed and engaged. And, if a cyber incident occurs, lawsuits often follow within hours.
- Operations: Maintaining daily operations, business processes and workplace stability is critical during a cyber event.
- Human resources/employees: Simple errors – or deliberate actions – by employees can lead to costly cyber incidents. Training on best practices is critical, especially with the rise in sophisticated “spear phishing” attacks targeting specific employees.
- Customers/suppliers: Interactions with customers and vendors can open you up to an attack. You need to understand the protections they have in place so they don’t become the weak point in your cyber defenses.
Protecting your organization’s data and individuals’ privacy is becoming more difficult by the day. Successful cyber-defense strategies are comprehensive and multi-pronged. A critical component is understanding and defining the roles and responsibilities of all key stakeholders.