Drawing up a cyber risk management plan frequently leads to IT and the C-suite butting heads. The dangers of being unprepared, however, hardly bear thinking about
The most crucial aspect of a cyber risk management plan is that it needs to be created ahead of time, before a business has experienced a cyber event. Swiss Re Corporate Solutions claims expert Catherine Lyle says: “You must perform penetration testing, which is something that’s part of the IBM – Swiss Re Corporate Solutions agreement to offer advanced cyber risk protection. After that, the risk manager will go back and work with IT on lessons learned.”
The human risk is an important factor when it comes to creating a secure cyber risk management plan, according to IBM Security Europe associate partner, Serdar Cabuk.
“When you get a risk management plan down, it is a full stance of security around technology. Your risk management should not just rely on tools and typically, one typical mistake is to start throwing technology at the cyber risk, which doesn’t really work,” he said.
“What you end up with is a lot of patchy solutions or point solutions that are not effectively used and that actually gives you a bit of an over-reliance on technology and a bit of a false sense of security if you only use technology to start to try to fix your cyber risk issues. Start with the human risk but use technology the right way, in an integrative way, in a cognitive way, to manage your cyber risk,” he added.
According to experts, risk managers have a unique role to play when it comes to cyber risk because they often act as an intermediary between two groups that do not always communicate well with each other and can have opposing desires. “On the one hand, you have the members of the C-suite who are focused on costs and the bottom line. In other words, the health and wealth of the corporation. On the other hand, you have IT, which is focused on the systems and prevention of a cyber event. Sometimes the views of those two groups don’t correlate; they don’t coincide,” adds Lyle.
A risk manager must create a team that can balance each point of view effectively, according to Lyle.
“Once you have those grouped, I think the best way to do this is then to create a team with members from each of these stakeholder groups and have them assist in the creation of the cyber response plan. It’s basically having buy-in before you need the plan to be in place. This all must be done before an event occurs.”
Company-wide cyber risk assessments are a vital part of any prevention plan.
Kevin Kalinich, global practice leader for cyber/network risk at Aon Risk Solutions, says: “Given the evolving nature and complexity of cyber exposures, we found that the use of cyber risk assessments is surprisingly low.”
He adds: “Conducting such an assessment is a useful tool for improving risk understanding and maturity, as well as for helping organisations better prepare for potential business interruption during or after a breach.”
Aon recommends the following three steps for a cyber risk assessment:
- Scenario analysis: Benchmark the existing cyber risk profile and work with business stakeholders to prioritise cyber risk scenarios.
- Financial modelling: Leverage advanced financial simulation tools using deterministic modelling to quantify first and third-party costs of select cyber scenarios. Consider performing an analysis on non-damage business interruption scenarios using forensic accounting capabilities.
- Insurability risk review: Test the adequacy of limits against the assessed cyber risk and review the optimisation of the proposed insurance programme.
Once a plan is being executed, the next stage of successful cyber risk mitigation is to remember that “people are the perimeter”, says Fifth Step chief executive Darren Wray. “Make sure that your people have awareness of the landscape, of the environment that we live in. It’s synonymous with when we teach children how to cross the road. We assume everyone knows how to use a computer today and how to stay safe online, but they really don’t.” Wray adds that cyber criminals are using tactics that can snare even the most tech-savvy employee. “We need to help people. We need to help employees and staff understand how to keep themselves safe, both for their personal safety and for the benefit of the organisation’s safety.”
Importantly, cyber risk management plans must be under constant scrutiny. Airmic board member Tracey Skinner says there is no such thing as a ‘job done’ moment when it comes to the creation of a cyber risk management plan. “It’s very much an ongoing process because all of the pieces are constantly changing. Your use of technology within your organisation is changing daily. Your cyber criminal is changing daily. The impact on your business will be changing, so all of those things need to be monitored.”
The nature of the business means people resources are not static and require a higher degree of flexibility, she adds. “Teams change, so you can have people around a table and give them training so they understand what the issues are. They understand how they’re going to be dealing with the situation. All of these issues are kind of scoped out and three months later, somebody that was at that table may not be at that table any more. You need to identify that risk. You need to make sure all the players are fully up to speed as to what their roles are and what they’ll be doing on the day. Then, test it and test it again.”