February 28, 2018
Breaking Down Silos on Cyber Risk
by Jason Hogg
Executive teams must urgently stop thinking about cyber risk as an IT issue and lead a shift to managing its impact across the entire organization.
The cyber attacks in the past year spread with startling frequency and intensity and demonstrated that cyber risk is not only a concern for organizations holding sensitive or regulated data, but also a material threat to businesses across all industries. The WannaCry and NotPetya attacks, for example, resulted in large-scale interruptions to global commerce, with companies reporting significant losses in sales caused by business disruption. Far-reaching regulations such as the EU’s General Data Protection Regulation (GDPR) open up businesses to large potential fines and consumer class action suits. The cost of cyber crime keeps rising, with data breaches predicted to cost businesses a total of $8 trillion over the next four years, exceeding worldwide IT security spending, which is expected to be upward of $120 billion by 2021. In this climate, executive teams must urgently stop thinking about cyber risk as an IT issue and lead a shift to managing its impact across the entire organization.
Companies’ cyber exposure has dramatically increased beyond the risks to their data and intellectual property (IP), exacerbated by the convergence of the physical and digital worlds. To drive efficiencies, organizations are bringing processes and infrastructure online, for example, through connected grid systems, supervisory control and data acquisition (SCADA) and industrial control systems (ICS). At the same time, the need to innovate and compete drives businesses to introduce an ever-increasing number of endpoints, significantly expanding the cyber attack surface – whether through a retail bank’s mobile app, a manufacturer of connected cars or even office equipment like printers or employee devices. Every change in a company, be it an M&A transaction, working with a contractor, introducing new software or moving data to the cloud, affects a company’s cyber risk posture. Securing this shifting target requires a holistic view of how all the activities of all departments affect the company’s exposure.
One of the core business challenges hampering executives’ ability to look at the impact of cyber risk beyond individual silos is that members of the C-suite are not collaborating effectively over this issue. Every executive has a different lens on how to view, assess and manage cyber risk: The general counsel, for example, will be focused on compliance with information security regulations and disclosure requirements; the chief information security officer (CISO) and chief information officer (CIO) implement technical controls and remediation efforts; the chief risk officer (CRO) and chief financial officer (CFO) will be quantifying the financial exposure to cyber risk and mitigating it through insurance; product developers may view security as a roadblock to meeting product launch deadlines; and human resources (HR) will institute internal training for employees. Multiple parallel work streams like these exist in silos, rarely with any common framework for taking an integrated view.
The fragmented cybersecurity market reinforces these challenges, as organizations work with multiple providers for different elements of their security needs. For example, a company may contract with an incident response provider for post-breach services, separate external experts for assessments or penetration testing exercises, and a separate insurance broker to assess the implications of cyber risk from a balance sheet perspective. Each of these providers works with a different internal stakeholder, and because those stakeholders are not communicating effectively with each other, the overall approach becomes even less effective.
As companies wake up to the impact that cyber risk can have on their business, C-suites in mature companies will break down organizational silos to create a holistic view of their risk exposure. CROs and CISOs will work collaboratively with others across the C-suite, including IT, legal teams, HR and finance, to understand how technical vulnerability affects financial exposures and potential risk scenarios. This will happen in sectors beyond the early adopters in financial services, healthcare and retail. As an example, a shipping firm will assess how cyber risk affects physical operations and revenue-generating activities, such as tankers being remotely diverted by hacked GPS systems, or look at the potential benefits of smart contracts and blockchain technologies with regard to tracking goods and inventory and verifying manifests.
To support more coordination and informed decisions within organizations around their cyber risk management, they need a technology platform such as the one Aon Cyber Solutions is building to provide a single point of visibility into all aspects of an enterprise’s cyber risk profile, across all C-suite functions. The platform will enable companies to conduct cyber risk assessments, dynamically quantify risk across multiple dimensions, optimize efforts to remediate risk and reduce the organization’s overall risk exposure. Executives can leverage quantitative information in real time to model security plans and budgets, as well as receive recommendations as the threat landscape evolves and requires new insurance options. Bringing together all the elements that affect cyber maturity across the organization through a centralized portal view enables anyone in the C-suite – whether it’s the chief executive looking for a high-level view, the CFO or CRO prioritizing investment decisions, or the CISO examining remediation activity – to gain a more holistic understanding of how the activity within their function affects the company’s cyber exposure as a whole.
The industry needs to collaborate to drive this holistic approach. For our part, Aon has teamed up with Apple, Cisco and Allianz. This combined solution helps protect a wider range of companies from cyber breaches associated with ransomware and other malware-related threats. Customers who deploy Apple devices and software and Cisco cybersecurity products, such as Cisco Ransomware Defense, and conduct Aon’s Cyber Resilience Evaluation, will be eligible to apply for more enhanced cyber insurance coverage through Allianz than is available in existing cyber insurance products. In addition, companies can take advantage of access to Cisco’s or Aon’s industry-leading incident response teams, should an incident occur.
Through these and other innovative solutions, Aon Cyber Solutions is focused on helping companies eliminate the silos that typically hamper effective cyber risk management. This is an urgently needed shift in thinking throughout a currently fragmented industry, so that clients can manage their evolving cyber risk exposure in a digital, connected and regulated world.