Cyber risks like data breaches and ransomware are too often shrugged aside. The possibility of a cyberattack is rarely ignored, but it also rarely receives the attention it deserves. There are a few reasons for this:
There’s another motivation for developing a strong answer to cyber risk, as we discussed in a joint webinar – How to Strengthen Cybersecurity with a Risk-Based Approach – with OCEG in September. You can be slapped with hefty risk-management negligence penalties even if there is no attack. As Dwolla – a small, private company – found out the hard way, regulators like the Consumer Financial Protection Bureau (CFPB) randomly select companies to evaluate.
Executives have a personal stake in this process, since “liability for data breaches that affect customers leads directly to the C-suite,” according to the Harvard Business Review. Risk management negligence is much easier to prove than fraud, and standards like the Yates Memo and the SEC’s proxy disclosure enhancements make it ever more difficult for culpable individuals to hide behind the company.
It’s not enough to schedule annual security assessments and then tend to other responsibilities. Cyber threats are constantly proliferating (see our previous post, “New Technology Brings New Risks”). Executives need to start by understanding their current procedures.
The best way to accomplish this first step is by adopting a root-cause risk library, which can be used to push standardized risk assessments out to different areas of the business. Risk assessments are the foundation of threat mitigation, and when they reach all the way down to the front lines, they’re indispensable tools. As we discussed in our recent webinar with OCEG, risk management creates a common framework for all governance areas to help manage risk and allocate resources towards more effective controls, starting with risk identification.
Executives clearly can’t be directly involved in mitigating every cyber risk, but by pushing out standardized risk assessments, they can:
Designing your cybersecurity program with a risk-based approach makes it standardized, regular, and easy for different departments to understand. It also makes it easy for senior executives to ensure their strategic objectives are incorporated into day-to-day operations.
The majority of breaches can be prevented with an enterprise risk management approach. Target, Wendy’s, and many others were breached not because of technology, but because of poor third-party risk management. Cyber insurance is immature and doesn’t currently provide protection against third-party breach risks, punitive damages, or class-action lawsuits. All of these are avoided with evidence of an effective risk management program.
Assess the effectiveness of your ERM program here.
The uniformity of the risk-based approach allows the most specialized security officials, such as the CTO or CISO, to take the lead while still “work[ing] with each team to determine ways to reach goals in the most secure fashion,” according to the Harvard Business Review.
To learn more about taking a risk-based approach to cybersecurity, download our free eBook, SEC Cybersecurity: An Annotated Guide. Also download our presentation with OCEG, How to Strengthen Cybersecurity with a Risk-Based Approach.