Cyber risk – out of the server room and into the boardroom

The scale of the impact caused by a cyber incident, the array of cyber attackers and attack ‘vectors’, and the absolute dependence on information makes cyber the most significant operational risk to major businesses today.

Cyberspace is a thin nervous system that runs throughout companies to enable business decisions and operations. Specifically, it directly enables digital operations and supports the flow of those activities used to turn data into information, then information into knowledge.

It is therefore no surprise that cyber risks feature so highly on Lloyd’s and other global and national risk registers (the World Economic Forum and UK National Security Strategy to name but two).

Far too few businesses take the time to properly assess the value of information as a critical business-enabling asset. If they did so, they would quickly see what a huge contribution it makes to the achievement of corporate objectives and the risks it poses to the achievement of those objectives.

Many surveys show that cyber is a priority for the board. Yet the Ponemon Institute’s Cost of Cyber Crime Study 2013, showed 343 successful attacks per week among its respondents. That is 1.4 successful attacks per company per week - a 20% increase from the previous year. Why is this happening?

Cyber crime investment outweighs cyber security

First, the level of investment from criminals in developing their attack capabilities outweighs the investment in corporate IT security, which is usually viewed as an overhead. 

EY’s Global Information Security Survey from 2013 provides further insight as to why the current state of security is lacking. The survey showed that:

• 31% feel that their security governance and management (for example, metrics and reporting, architecture, programme management) is not yet developed or non-existent;
• only 46% of respondents say that their information security strategy is aligned to their business strategy;
• 62% have not aligned their information security strategy to their risk appetite or tolerance;
• 68% of organisations say that information security only partially meets their organisational needs.

The need for a business-driven approach to risk

This and other surveys suggest that a business-driven approach to the assessment and management of this risk is required.

The setting of a clear risk appetite and focusing on the business value of information, its contribution to the execution of corporate strategy and achievement of KPIs, are absolutely essential to be able to accurately assess the risk and allocate sufficient resources to its management.

Yet this is not happening. Too often, information is forgotten as businesses seek to address the cyber threat as a silo information and communications technology (ICT) risk rather than an information-driven risk to its business objectives. If ‘cyber’ is there to support and enhance day-to-day business operations, so then the risks driven from the cyber threats should be managed as an operational risk.

Additionally, the effect of a cyber incident, such as fines, loss of reputation and loss of intellectual property rights, would place it as a “critical driver of business and strategic risk”, which was the first category of the Lloyd’s Risk Index, rather than a “security and crime risk”, the third category in which cyber was placed.

Furthermore, with the strengthening of legislation and regulation looming it could also be seen as a key emerging regulatory risk. For example, in September 2013, the UK’s Financial Policy Committee stated that the next step was for ‘the boards of the relevant supervisory bodies to ensure that there was a concrete plan in place to deliver a higher level of protection against cyber-attacks for each institution at the core of the financial system, including banks and infrastructure providers’. Meanwhile in the US, the President’s Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” called on Executive Branch agencies to assess whether and how existing cybersecurity regulation could be streamlined and better aligned with the Cybersecurity Framework launched in February 2014.

Cyber: a strategic, regulatory and operational threat

This suggests that cyber is a manifold risk to businesses – strategic, regulatory and operational. Therefore, opportunities and risks cannot be left to IT security teams to manage, as is so often the case. These teams are good at what they do – namely, security – and have a valuable contribution to make in helping the business understand the threats. These teams do not, however, have the remit or skills required to address the opportunities and risks strategically.

Having a capable chief information security officer is exceptionally important and reports highlight that many businesses do this, recruiting former law enforcement personnel and IT specialists into such roles.

Yet as cyber enables modern operations, it is logical that the opportunities this capability provides should be managed by those responsible for the business operations – for example, the chief operating officer.

Furthermore, the cyber threat needs to be fully integrated into existing risk registers and managed in an integrated manner across the business. This should be driven from the risk function, which can provide the much-needed business link between operations and security.

Using tools such as value profiles (where factors such as the usage, accuracy and deterioration of data is studied) can aid businesses in monitoring and reporting both the returns from its information management (enabled by ICT) and the risks, driven by the cyber threat.

Conclusion

The immense opportunities and incident-impacts businesses are exposed to through embracing the cyber age mean that financial services organisations can no longer ignore cyber as a key operational risk.

Only by fully integrating the cyber threat into an existing strategy execution and enterprise or operational risk frameworks, can businesses enhance performance and future-proof themselves against the emerging regulatory landscape.