The term “Cyber Risk Governance” is being used frequently. What is a good definition, and how does it differ from GRC?
Two years ago when we began building Cybernance, our strategy was based upon three views not widely held at the time:
- Cybersecurity is not just a technical problem; it’s a governance problem that needs attention across the entire enterprise. Almost every widely publicized breach (e.g., Home Depot, Target, Wyndham) derived from a failure of people and process, not a failure of cyber technology. The rapid growth of phishing techniques and the skyrocketing use of ransomware have made it obvious that effective oversight of cybersecurity must span the whole organization.
- Corporate directors face increasing risk from cyberattacks, including personal liability for breaches. Boards who don’t rank cyber risk as one of their highest priorities can be held liable for failing in their fiduciary duties. They may find themselves dealing with shareholder derivative suits after a significant breach. The most publicized example, the Yahoo breach involving over a billion accounts, will almost certainly lead to a billion-dollar suit against its board and management.
- Standardized data about internal defenses is critical in organizing efforts to combat cyberterrorism and cybercrime. To change the behavior of organizations economy-wide, pressure must come from insurance companies who base their cyber insurance rates on accurate assessments of cyber risk. To develop successful predictive analytics, insurers must correlate behavior (types of internal defensive processes) with outcomes (incidents and claims).
Cyber Risk Governance (CRG)
Policies, processes, and mechanisms enabling non-technical corporate directors, internal auditors, general counsel, and chief risk officers to maintain insight into and exert control over an enterprise’s level of protection against cybercrime.
As we debated the various ways we might introduce our software platform, we briefly considered whether cyber risk governance fell into the category of GRC, or “Governance, Risk, and Compliance”. GRC generally describes “software [that] allows publicly-held companies to integrate and manage IT operations that are subject to regulation. Such software typically combines applications that manage the core functions of GRC into a single integrated package” (TechTarget SearchCIO definition). The massive GRC software and services market started with the passage of the Sarbanes-Oxley Act of 2002, and it addresses the need to establish adequate financial controls.
Industry analysts have debated the definitions of “enterprise GRC” and “IT-GRC” and how cyber risk might or might not fit within them. While managing cyber risk is following a path analogous to managing financial risk, its origins and attributes are quite distinct:
Based on this analysis, we define Cyber Risk Governance (CRG) as the “policies, processes, and mechanisms enabling key non-technical stakeholders (corporate directors, internal auditors, general counsel, and chief risk officers) to maintain insight into and exert control over an enterprise’s level of protection against cybercrime.” Our definition has held up very well in the past two years during hundreds of conversations with customers, partners, and prospects.
What is the future of CRG? We expect three trends:
- More solutions will emerge to address the need for multiple types of data.
- Insurers will use CRG software to increase their ability to assess risk more accurately during the application process.
- Initiatives enabling creation of predictive analytics will be broadly supported across industry and government. (Stay tuned.)
In this one-minute video from The Conference Board, industry expert Andrea Bonime-Blanc summarizes why Cyber Risk Governance must be kept as a separate discipline: