A few weeks after Yahoo revealed the 2014 hack of some 500 million accounts, they announced the 2013 hack of one billion email accounts. Yahoo’s stock dropped 6% in one day, and Verizon is threatening to cancel the pending transaction. How was the Yahoo board unaware of their cyber risk condition for years? Clearly, overseeing cyber risk wasn’t a high priority.
An article from the Harvard Law Forum states that “directors can only be liable for a failure of board oversight where there is ‘sustained or systemic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists…’” In Yahoo’s case, it’s hard to imagine how the board will not be held liable for failing to exercise proper oversight.
Overseeing cyber risk is no different from keeping an eye on other forms of risk. After the Sarbanes-Oxley Act of 2002 passed, internal auditors at public companies implemented control systems for assessing and reporting traditional forms of business risk to their board’s Audit Committee. The same discipline should be applied to cybersecurity risk.
Companies addressing cyber risk have one of four options: accept it, avoid it, mitigate it, or transfer it, as depicted in the chart below:
[Chart: the four options for addressing cyber risk (accept, avoid, mitigate, transfer). Source: Jeff Welgan of Cybervista in LinkedIn Pulse]
Accepting Cyber Risk
Businesses and agencies face different levels of inherent risk that are unique to the organization. They may opt to avoid, mitigate, or transfer many risks, but others are either impossible or cost-prohibitive to address. For example, Cybernance can mitigate its risk by running its SaaS cybergovernance platform on a highly secure host like Amazon Web Services, but a small chance remains that AWS could be breached, so we had to accept that risk to pursue the opportunity facing us.
Avoiding Cyber Risk
The most direct way to manage cyber risk is to avoid it. An extreme form of avoidance is to employ processes that don’t require the internet, but there are less drastic alternatives. For example, don’t store high-value data without a compelling business reason; instead, archive or delete it immediately after use.
Mitigating Cyber Risk
Implementing the third option effectively requires integrating new cyber policies, processes, procedures, and technologies into daily operations. NIST’s Cybersecurity Framework (CSF) is the gold standard for risk mitigation. Incorporating its guidance into daily operations can significantly reduce the chance of a cyber breach. If Yahoo’s board had been continually monitoring operations via the CSF, they would have known about the process failure that allowed the breach.
Transferring Cyber Risk
As cyber risk continues to grow, transferring cyber risk through insurance becomes more and more compelling. While the cyber insurance market is growing briskly, the fact is that insurers lack strong predictive analytics that would enable them to assess relative cyber risk effectively. Cyber insurance remains more expensive than it otherwise would be, and most policyholders lack sufficient coverage as a consequence.
No matter which of the four strategies is employed, significant advantages accrue to organizations led by boards that insist on prudent oversight. A recent Cisco report revealed that the most sophisticated practitioners of cyber risk oversight and management report significant improvements in their operations. Some are even realizing gains in competitive advantage through improvements across the organization uncovered and spurred on by cyber risk management initiatives.
(To learn about the current state of cyber insurance’s effectiveness at transferring risk, watch a panel of experts discuss it at a recent conference sponsored by The Chertoff Group.)