Cyber security was number six in the top 10 global risks in this year’s Aon Global Risk Management Survey.
The risk is recognised for good reason: 48% of companies surveyed in Ponemon Institute’s 2019 Intangible Assets Financial Statement Impact Comparison Report say they have suffered a data breach that caused disruption to business and IT operations. Despite these warnings, Aon’s cyber experts have seen that an organisation’s first attempt to address cyber risk generally takes place at the worst possible time – right in the middle of a cyber attack. Aside from the immediate costs stemming from a breach, the long-term impact on a brand’s reputation and loss of consumer trust can be irreparable.
We know from working with our clients on their most critical risk issues that cyber risk is a priority for boards, the C-suite and business leaders. Yet when it comes to solving the problem, the long-term, multifaceted nature of achieving cyber resilience can leave these leaders scratching their heads.
That confusion is understandable. The easiest way to get from A to B is usually a straight line. But developing cyber resilience isn’t a linear process. It’s a repetitive, circular one, with several critical stages along the way: risk assessment, risk quantification, cyber insurance and incident-response readiness. We call that strategy the ‘Cyber Loop.’ Every organisation will enter this loop at different points.
Combating cyber risk demands precision – every organisation varies in its level of exposure and stage of preparedness. Every organisation has a slightly different risk profile, even those in the same industry. Although organisations might enter the Cyber Loop at different points, continuously circling through the stages leads to the best possible outcomes.
However, far too many organisations enter the Cyber Loop at the incident-response stage – when they’re under attack. Responding to a cyber event is not an ideal entry point into the Cyber Loop. Unfortunately, many companies get forced into it – and after managing the immediate threat, they ask: ‘how do we prevent this from ever happening again?’
A common challenge to addressing cyber perils is finding quality data on which to base better risk-mitigation decisions. Continuously circling through the Cyber Loop can help organisations gather the right data to inform better decisions.
Assessment: what’s at risk? Where are the threats?
During this phase, a company needs to determine:
Assets they need to protect
Current state of security and controls
Business behaviours impacting or related to critical assets or potential threats
How to balance business needs with cyber-risk considerations
Existing policies and procedures aren’t fail-safe. Assessments often reveal that many employees aren’t following them. As the assessment phase focuses on people, process and technology, it can give the organisation a picture of its actual state of cyber resilience and position it to take steps to move toward an improved state of resilience.
However, many organisations still base decisions on hypothetical risk rather than on assessment-derived information. It is imperative to move from decisions grounded in hypotheticals to decisions grounded in an understanding of the actual risk.
Risk quantification: what are the potential losses and how are they best addressed?
During this phase, a company needs to assess:
What sort of losses might we suffer in a cyber attack?
How are we making more data-driven security and insurance-investment decisions?
Can we measure and track our cyber costs?
Do we provide our executives and board actionable, intelligible insights on the importance of cyber risk?
Financial quantification helps build consensus across the various teams that manage cyber risk as to the top challenges and business case for greater resources and capital. Insights derived from the assessment process will form the basis for dynamic modelling frameworks, which give organisations a better understanding of the potential impacts of various possible cyber events. This can then be fed back into the Cyber Loop.
Organisations should follow a three-step approach to assessing cyber risks:
Financial modelling of first- and third-party cyber exposures.
Stress-testing assumptions of the organisation’s existing cyber security roadmap, its cyber insurance strategy and capital expenditures for cyber security resilience.
Insurance: making the risk-transfer decision
During this phase, a company needs to:
Understand their exposures
Ensure they have an effective strategy to mitigate loss
Decide whether they should transfer a portion of their risk to the insurance market or pursue other risk-transfer strategies
Often, companies that don’t handle credit card or personal data think they don’t need cyber insurance. Two exposures that can affect any company – ransomware and business disruption – make it imperative for every company to consider cyber insurance. This year’s Ponemon Intangible Assets report also found a disconnect in how organisations protect physical versus information assets: organisations reported that 60% of potential losses to physical assets were covered by insurance, while only 16% of potential information-asset losses were covered.
Incident-response readiness: preparing to deal with a cyber attack
During this phase, a company needs to:
Create and practice an appropriate incident-response plan
Ensure the organisation has the necessary people and tools in place to respond to a cyber event
Ensure those people are properly skilled and trained, and that the tools are properly deployed and configured
Incident-response readiness is proactive, and organisations that have engaged in the other stages of the Cyber Loop will typically have a better experience responding to a cyber event.
The response plans must be easy to follow and well practised. It can be helpful to invite experienced professionals to present commonly encountered threat simulations and join in dry-run responses to those threats. Readiness assessments can also ensure that the response team is well trained, ready to act quickly and confidently when a cyber incident occurs and has access to properly configured technology that is typically used in incident response.
A continuous response to an evolving threat
Faced with complex and constantly evolving threats such as cyber risk, organisations should embrace a comprehensive, continuous framework that acknowledges the cyclical nature of the risk.
Adam Peckman, global practice leader at Aon Cyber Solutions, adds that this type of circular framework can lead to other benefits: “A framework like this can help break down organizational silos. It gets teams working together, generating actionable insights to help decision makers improve operational and financial solutions for cyber risk,” he says.
“Building resilience is a continuous process – it’s not linear with a defined start and finish line,” says Pinson. “Cyber risk is not static, so your approach to mitigation can’t be.”
This article originally appeared on Aon’s The One Brief.