Jun 07, 2016
Defining Risk Appetite: Cyber Risk and Our Hunger for LeadershipBy Richard Olver
“You don’t have to be one of the recent, high profile corporate victims of a cyberattack to realise that cyber is a clear and present danger.”
So began Will Brandon, the Bank of England’s Chief Information Security Officer, in his speech to the recent City Week conference. Brandon, the man charged with advising Britain’s financial sector about cybercrime, couldn’t be more correct. Despite businesses’ being more aware than ever of the serious threat cyberattacks pose, they are not doing enough to protect themselves and their customers.
Security of organization cannot be sole responsibility for IT
There are no excuses for this lack of leadership. The security of a company’s systems and data cannot be the sole responsibility of its technical staff. Even if cyber threats are, as Brandon suggests, “unclear” and the “perpetrators notably absent,” the fiduciary duties of board members must include being aware of all possible threats.
Yet many boards are still grappling with understanding cyber risk and ultimately determining their appetite for that risk. Our own research, conducted in partnership with NASDAQ and Goldsmiths, University of London, has shown that only 10% of non-Executive Directors from highly vulnerable businesses agree that they are regularly updated about the types of threats to cybersecurity that are pertinent to their business. In the United Kingdom, only 29% of the most-vulnerable C-suite executives have gone through risk assessments related to cybersecurity — globally, this drops to 13%.
We’ve seen a number of high profile hacks dominate the headlines this year, and it’s not just businesses being affected. Nations suffer, too, including Ukraine’s power-grid being breached and the Philippines losing great swathes of its electoral voting records earlier in the year. But for businesses, it’s easy to imagine the amount of reputational and financial damage that might have been saved had the leaders of the organization been more aware of the threats or had clear and consistent data to measure their appetite against these risks. Drops in pre-tax profits, ballooning exceptional charges, public embarrassment, and many unhappy customers — all could potentially have been avoided.
Balancing cyber risks against other risks
“So how do you balance cyber risk against other risks?” Brandon asked. “I suppose the first thing is to quantify it, at least to the extent you can. That might involve assessments or testing, but it probably starts with working out who might do what to which part of your estate. Or to put it another way, breaking the risk down into threats, vulnerabilities, and assets.”
Joan Conley, Senior Vice President and Corporate Secretary, Nasdaq, counsels businesses that “in determining risk appetite, the board should define its commercial objectives and understand all of the risks, including legal, operational, competitive, and reputational, that might impact those objectives. Only then can the board express the levels of risk that are desirable. They’ve then got to continue to understand the likelihood and impact of key risks across the entire company – and monitor that the executive continues to operate within the established risk appetite.”
Building an incident response plan
No matter the risk appetite, every organization can minimize risk by following basic practices of security hygiene and having a tested incident response plan in place. Boards also need to ask questions to ensure leadership is taking cybersecurity into account as part of overall business operations:
- What is the company’s level of cyber risk, and what sources and types of sensitive data inform this assessment?
- Has the company created a baseline cyber risk assessment, and is there an ongoing process to map improvement over time?
- Is there a cyber-breach response plan or crisis management plan?
- What information will be shared with the board regarding cyber risk — is there a regular process to review status with the CIO at a board committee level?
- Should we appoint a lead director within the Audit Committee, formally expand the charter of the Audit Committee to include cyber risk, or is our cyber risk deemed high enough to create a separate, standing Cyber Risk Committee?
- What is the cost of cyber risk management in comparison to the cost of a data breach — have we looked at breaches in our industry to understand what the all in costs of a breach are?
- Should the company consider a Cyber Security Insurance Policy or other new classes of security technology to mitigate risk and costs?
Once you have a common set of metrics defined, IT and Security leaders can jointly determine the company’s risk appetite, along with leadership peers and governance members.
Cybercrime is a serious and complicated risk. If a company’s leadership takes the time to become aware of the unique challenges facing their organisation, that risk can be mitigated. As Will Brandon put it, “People need to be led. Processes need to be managed…. cyber is, to a great extent, a leadership and management issue. Leadership that needs to be applied from the top – not just from the IT department.”
Richard Olver, Vice President, EMEA, Tanium.