Cyber risks have never been greater. Julia Graham, deputy CEO and technical director at Airmic, discusses the main issues.
Cyber risks are evolving with unparalleled speed, complexity and impact. Just as we figure out how to address one risk, a new one takes its place. There is no such thing as a static state in cyber risk.
Cyber risk continues to feature in the top three risk concerns of Airmic members and two-thirds are concerned that a cyber event resulting in business interruption may affect their business in the next three years (Airmic transformation of the risk profession survey, 2017). However, confidence in cyber risk management is low. Less than a third of members are satisfied with their organisation’s ability to manage cyber risks according to the survey.
The key cyber challenges can be divided into two key areas: the first relates to threats to intangible assets and loss of personal data; and the second affects continuity by interrupting business activities.
The issue for organisations is to understand what these challenges and threats look like – and put in place a plan to combat them.
The starting point is to carry out a thorough risk assessment and ensure benchmarks are in place to manage risks. Helpful tools include Cyber Essentials from the UK government, the ISO 27000 series, and the NIST series (National Institute of Standards and Technology). Effective crisis management is of the utmost importance. When something goes wrong, Boards need to know what is going on; what the contingency plans are; how they have been tested; who is in charge; and how effectively they are taking control.
The consequences of getting crisis management wrong can be fatal because mishandling intangible risks can be a brand killer. The other concern is loss of trust from customers because they have provided their data and someone else has taken it.
If this happens, the impact of the GDPR cannot be overstated. Fines could go from £500,000 pre-GDPR to £17 million post-GDPR, which is only a few months away. This means company failure is a real possibility if organisations breach the GDPR.
Looking ahead, education is crucial – and not just for the Board. Everyone should go to a digital boot camp. The use of technology is rapidly transforming the business models of organisations and the risks they face. The speed of change is beyond that of any other risk, and risk managers will need to work collaboratively across their businesses to assess, monitor and ultimately control these risks.
- Digitalisation is driving greater frequency and severity in cyber-crime, creating new paths for malicious attacks, IP loss and theft, business interruption, and first and third-party exposures. Cyber-related business interruption and data loss and theft will be significant focal points for risk and insurance managers in the future.
- For cyber risk to be managed successfully as an enterprise-wide risk (and not a technology risk), the risk needs to be addressed in the wider business context, with partnerships extending from information security and technology managers to business unit leaders in HR, finance, legal and others.
- Having clear and robust cyber governance is important for the successful management and detection of cyber risk and is scrupulously recommended by the UK as well as the insurance industry.