Cyber risk management is racing to the top of the boardroom agenda as corporate directors wake up to the catastrophic potential of an attack. With the increased board focus, risk managers can expect to spend more time on cyber in the year ahead.
Boards’ heightened fear is justified. Cyber crime runs up a bill of US$1.5trn each year – only about 15% of which is currently covered by insurance policies, says a new joint report by WomenCorporateDirectors and Marsh & McLennan Companies’ Global Risk Center, ‘Cyber Risk Management Response and Recovery.’
“As the global regulatory landscape becomes more complex, cyber security is gaining increased board level attention,” said Elisabeth Case, US cyber advisory leader at Marsh. “Boards are definitely stepping up their oversight.”
With directors and executives now looking to CROs to lead the charge, risk managers are keen to know which cyber challenges are keeping directors up at night.
First, that depends on where you are.
Board focus on cyber risk cannot be generalised: it varies significantly across industries, countries, and organisations of all sizes. In the Asia Pacific region, for example, executives ranked cyber among the top five risks to business, but on average, organisations took nearly twice as long as the global median to detect a cyber breach. By comparison, companies in North America spent 47% more on cyber security than Asian firms, according to the report.
Yet tightening regulatory requirements seemingly know no boundaries. The EU’s General Data Protection Regulation (GDPR) is set to roll out this May, threatening violators with a fine of up to 4% of worldwide annual revenue. Australia’s Privacy Amendment, which lays out a mandatory data breach notification scheme, took effect just over a month ago. In China, a new cybersecurity law put into place in June 2017 requires companies to submit to security checks and store user data on domestic servers. And in the US, cyber risk management firm Stroz Friedberg predicts big data aggregators will come under intense scrutiny from regulatory authorities in the year ahead.
Directors in the report were especially concerned with third-party risk, which leaves companies vulnerable to slip-ups by their suppliers and vendors. “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain,” said Shirley Daniel, director, American Savings Bank, and Pacific Asian Management Institute. About a third of organisations fail to assess cyber risk exposures from third parties such as software and cloud service providers, according to data from a recent Microsoft and Marsh report. And as the cyber landscape grows ever more complex, these vendors are increasingly embedded in organisations’ value chains.
As cyber concerns snowball, directors recognise the need to work on developing cyber attack response plans. A clear majority of companies – 77%, in fact – don’t have a formal cyber incident response plan in place, according to a recent global study by IBM. Suffice it to say, most organisations have room for improvement. “The importance of the ‘respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve,” said Jan Babiak, director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal.