The First Steps to Managing Cyber-Risk

Thomas Dunbar

October 5, 2012

Today, every company is reliant on technology, and data is often a critical asset. Managers and IT personnel must monitor reports via their computers and mobile devices 24/7—but even that seems like a futile attempt to keep up, because each day, according to a June Financial Times article, companies generate 2.5 exabytes, or 1 billion gigabytes, of data. This daily deluge means that nearly 90% of the stored data in existence today has been created in just the past two years.

With this unprecedented growth, new threats emerge constantly. Such risks historically have been the domain of the IT department, but while cyber-risks are by definition rooted in technology, they are not actually technological risks; they are business risks. And business risks are best addressed through a holistic risk management process that includes systematic risk identification, assessment, quantification and mitigation.

The following three steps will pave the way for risk professionals to better protect one of their company’s most important assets: data.

Step #1: Assemble a Cyber-Risk Team

When it comes to cyberthreats, it is not about if the company will be attacked but when. The first, and one of the most important, things a risk manager can do is to talk to the information security team and involve them in a cyber enterprise risk management effort. Specifically, ask them what assessments have already been done. Then, examine what they have put in place to provide reasonable safeguards spanning people, processes and technologies. And keep them involved throughout the process, not just at the outset.

A good way to get the input and buy-in of the entire organization is to appoint a cyber risk management team to evaluate the company’s enterprise-wide threats. Include the chief information technology officer, head of IT security, general counsel and others from departments including communications, manufacturing and human resources. These are the personnel who will stand as the frontline response to any threat.

Get everyone involved and keep the organization informed of the efforts and steps you take to protect the corporation. Periodically report on the state of the organization’s cyberpreparedness to top executives and the board of directors. Both the board and senior leaders have a fiduciary responsibility to protect the information assets of the company.

In particular, the board needs to be made aware of all cyber-risks and receive regular reports on how new developments and trends could affect the company. Recently, the SEC weighed in on the issue, stating that it is a company’s responsibility to not only understand its cyber-risks, but to ensure that the corporation secures its computer systems.

If there is an incident, the company’s reputation is on the line. News outlets will be quick to pick up on cyberincidents, and most company officers will not know where to turn.

Take the recent LinkedIn breach, which exposed some six million user passwords. Not only was LinkedIn lax with security measures, but it took the company hours to discover that its network had been attacked—and hours longer to notify the victims. No one was managing the risk. And that is not unusual. Only after Sony was the victim of an attack in 2011 did it hire its first chief information security officer.

Step #2: Identify and Assess the Risks

Once you have formed the cyber risk management team, the second step is to identify, assess and measure the risks for their potential frequency and financial impact. Think in terms of vital data and where it resides—not just on the computer in an office, but how it flows throughout your organization. Is the data in transit (on a USB drive), at rest (on an employee’s desktop PC) or mobile (on an iPhone)? Once you understand where the data is and its importance, you can assess the risk and develop strategies to protect it.

Work with your team to build situational awareness. Think about the value of your data to a hacker, hacktivist or cybercriminal. What information would they target? Could you be a potential target of cyberespionage or cyberterrorism? And do not forget about non-tech-based threats, such as a hurricane, that could shut down systems or prevent access to data. Also consider the exposure when an employee unintentionally obtains unauthorized access to data. These are risks related to technology but ultimately rooted in other realms (natural disasters and access control management).

Examine the vulnerabilities and current mitigation practices and then, based on resources, make determinations as to where people, processes and tools must be deployed. Threats must be evaluated for their potential likelihood and financial severity. Risk managers need to be part of the decision-making process to determine which risks pose the greatest threat to the corporation and which of the many IT security options will best mitigate these risks.

Step #3: Develop an Incident Response Plan

Companies with incident response plans fare much better after a data breach than those without plans. Thus, the final step is to develop a plan that, first and foremost, defines who will be the point person for external and internal activities when a breach occurs.

Unfortunately, very few companies maintain internal experts who can deal with all aspects of this kind of risk. So one thing to note while creating the plan is whether or not a cyberinsurance policy exists. If it does, alert all departments about its existence so that the company can take advantage of the insurer’s expertise.

Some insurers offer crisis management experts, frontline breach professionals and cyber-risk lawyers. Some policies even provide a risk management package that includes self-assessment tools.

But whether you buy insurance or not, you will need an incident response plan. So ensure that the company does research beforehand to find third-party experts to lean on when disaster strikes.

One last component of any plan is to ensure it includes a means to learn from the breach. Include a formal debriefing step after an incident to get to its root cause and understand when the attack took place, how the system was infiltrated and what the motivation of the attacker was.

Lastly, remember that a plan is only valuable if it works and if everyone involved knows it. So even if you are lucky and no breach occurs, take the incident response plan out and test it at least once a year.

Thomas Dunbar is chief information risk officer of XL Group.