Anna Mazzone, MD and GM of UK and Ireland at MetricStream, discusses the role of cybersecurity in enterprise risk management.
The importance of cybersecurity has never been more acute, with data breaches and cyber incidents regularly making headlines. The fallout from a cyberattack can be far-reaching and long-lasting, and no organisation is immune. The impact can include direct financial cost, operational disruption and, most significantly of all, long-term reputational damage and loss of trust.
Every organisation therefore has a pressing need to protect its data and safeguard its ability to operate. This requires an in-depth understanding of cybersecurity risk, a structured approach to managing it, and alignment of cybersecurity risk with the enterprise's risk appetite, risk thresholds and business objectives.
From the outset, both rigour and flexibility are key: rigour in the implementation and application of risk management practices, and flexibility in adapting to the ever-evolving cybersecurity landscape.
According to a PwC survey conducted in 2017, the total cost of cyber incidents to UK companies averaged £857,000. Financial impact can include the cost of fixing the issue, loss of revenue during disruption and even penalty fines if there has been a regulatory breach. The longer-term impact on the brand is, of course, the most difficult to estimate but is quite possibly the largest figure of all.
High risk probability: High impact
The impact of a cybersecurity incident is therefore high, and the probability of such an incident occurring is also high. So much so, in fact, that in the World Economic Forum's Global Risks Report 2018 cyberattacks rank among the top three global risks by likelihood of occurrence.
Yet, while PwC reports that 64% of UK organisations have an overall security strategy in place, in only 34% of them is the board actively participating in that strategy. This is despite the high level of cybersecurity risk and the calculable and incalculable cost to the business should that risk materialise.
To mitigate this risk and protect the organisation and its assets, cybersecurity must be included in the overall enterprise risk management (ERM) plan. This enables enterprises to involve all required stakeholders and business lines in strategic decisions and helps enterprises respond with the necessary speed to cyberattacks.
Security considerations are quite often factored in only after a system or process has been designed; they should instead be an integral part of planning, design and decision-making. That ethos is in fact written into the recently introduced General Data Protection Regulation (GDPR), which applies to organisations established in the European Union and to those outside it that process the personal data of individuals in the EU. Article 25 of the regulation mandates 'data protection by design and by default', so that protection is built into processes and practices from the start and maintained throughout.
Cybersecurity in the ERM plan
When incorporating cybersecurity into ERM, it is important to address these four factors:
- Board and leadership involvement – this is critical in the creation of a cybersecurity response plan, not least because a cyberattack response will span departments and disciplines across the company. The very real and threatening risk of a cybersecurity incident is a business, not just an IT, risk. The involvement of leadership not only enables a risk management culture – in itself an important outcome – but also practical progress to be made in areas such as budgeting and resourcing. Every organisation should know the financial, business and reputational impact of a cyberattack and should allocate budgets and resources based on their risk appetite and risk tolerance thresholds.
- A common taxonomy – A shared taxonomy enables employees across functions to develop a common understanding of risk management. It also allows the various components of risk management, such as processes, assets, organisation structure, policies, risk statements, controls and metrics, to be harmonised and cross-linked, so that top management can get a single, consistent picture of the overall state of readiness. Through consistent, shared definitions of key metrics such as probability, impact and thresholds, every party involved in cybersecurity planning and risk mitigation is working from the same vocabulary.
- Risk resilience and business continuity – A business continuity plan with a focus on cybersecurity is essential for every digital enterprise today. It should set out the key roles and responsibilities along with clear communication activities and how they are co-ordinated. To respond quickly and decisively and to minimise damage, the plan must be rehearsed through table-top exercises, kept up to date based on the findings of those exercises, and be available to multiple teams on multiple devices so that it can be activated swiftly in the unfortunate event it is needed.
- Risk insight – Cybersecurity as part of ERM requires information that is scattered across systems and departments. The ability to aggregate and harmonise that data, and to update it in real time, is key to deriving richer and more immediate risk insights, which can in turn be applied to gain a competitive advantage.
Effective planning underpins effective cybersecurity. With the risk of cyberattacks so high, there is no defensible reason for failing to have robust ERM and business continuity plans in place. These plans should address the cybersecurity scenarios identified in the organisation's risk assessment and be regularly tested and updated.
Cybersecurity in ERM: A checklist
One way to start an assessment of cybersecurity in an ERM framework is to ask five simple questions:
- Are cyberattacks considered a top threat?
- Is cybersecurity an enterprise-wide risk management issue, not just an IT risk?
- How engaged are the CEO and the board in managing cybersecurity risks?
- Is there a business continuity plan to deal with the aftermath of a cyberattack?
- How is threat intelligence/monitoring incorporated into cybersecurity and risk evaluation efforts?
It is important not only that these questions can be answered as part of evaluating cybersecurity and ERM, but also that comprehensive insight and planning sit behind each answer. Falling short in any of these areas could well result in a failure to protect company data and assets, not least the brand and reputation, and with them the company's ability to operate in the short term and grow in the long term.
Cybersecurity must form an integrated part of the overall ERM plan if an organisation is to mitigate risk and stay secure. Through the right planning, the involvement and advocacy of senior leadership, and risk management solutions in support of a comprehensive ERM plan, companies can achieve a clearer understanding of their level of cybersecurity risk and sustain the measures that mitigate it.