What is cyber security risk?
Tanium CFO & COO Eric Brown recently participated in a panel hosted by Nasdaq called Cyber Security: What Board Members Need to Know, alongside moderator, T.K. Kerstetter, CEO & Talk Show Host, Boardroom Resources LLC and panelists, Yafit Cohn, Associate at Simpson Thatcher & Bartlett, A.J. Kess, Partner at Simpson Thatcher & Bartlett and Martin Liutermoza, AVP of Information Security Engineering at Nasdaq.
“Cyber security risk is much like any other risk that a corporation has to deal with and most corporations will typically have, what is referred to as, an Enterprise Risk Model (ERM), which maps out the types of risks that are unique to the company itself.” – Eric Brown, Tanium COO and CFO
Cyber security is a new risk that companies need to be aware of. It’s simply an operational risk that the board needs to provide oversight, just like every other risk it assesses.
“The Ponemon Institute puts out a data breach study every year, including this year, in which they determine that the average cost per data breach, per company is about $6.53 million.” – Yafit Cohn, Associate at Simpson Thacher & Bartlett
She goes on to say that that number gets broke down and of that $6.53 million, $3.75 million of it stemmed from average business loss as a result of the breach. That is more than half of the overall total. While many already know this, the importance to understanding this and taking this risk into consideration is that it’s likely that at one point or another your company or another company in your industry will be breached. And while there are many issues that come up in the following litigation, the real impact can be on reputation.
“Just like cyber is part of the ERM process, it’s part of the enterprise risk management process. I think it’s proper to think about a breach as part of the crisis management plan. It’s just another crisis.” – A.J. Kess, Partner at Simpson Thatcher & Bartlett
How do you combat a breach?
To make sure that a company is ready to combat a breach, one of the best places to begin is by developing a crisis management plan that includes a course of action if a breach occurs. It must be included because when an incident occurs it’s imperative to know whom to call and where the information necessary to the investigation is located.
“The crisis plans need to include having the information available for the investigators when they move in. Quite often we don’t have logs when we’re investigating an incident because that wasn’t part of the crisis plan… You’re going to be hacked, how do you handle that particular incident and have all your ducks in a row to be able to investigate and make sure lateral movement wasn’t done from one server to another? You can identify a hack in one system and they’re still in your system, so you need to be able to handle all those things. That piece of recoverability is going to keep people out of a lot of nightmares.” – Martin Liutermoza, AVP of Information Security Engineering at Nasdaq