Businesses must understand how cyber risk impacts their operations, how it can be mitigated and then determine their own risk appetite.
> Download the full publication "A Guide to Cyber Risk"
Everyone is a target
Whatever their size or sphere of operation, all organizations need to consider their cyber exposures and prepare for a potential incident.
“Too often we find that people believe that cyber is only an issue for the big brands, banks and retailers,” says Rishi Baviskar, Senior Cyber Risk Consultant, AGCS. “In reality hackers are more likely to target the companies with the weakest security, irrespective of their size.”
Broad risk spectrum
Depending on the nature of its business and the sector in which it operates, a company is exposed to its own set of cyber risks.
For example, a financial institution will hold a wealth of data on its customers, the theft of which would cause immeasurable damage to its reputation. Banks also face huge business interruption exposures through the use of electronic trading systems.
In contrast, a utility company will be exposed to risks associated with industrial control systems, where a hack could cause catastrophic damage to property or subsequent business interruption.
Meanwhile, a pharmaceutical or tech company will hold valuable intellectual property, and a professional services company will hold sensitive client data.
Risk identification and response
When identifying cyber risks, companies should consider both physical and digital security controls – such as password procedures – as well as which third parties have access to systems or those of cloud providers, advises Baviskar.
“Know your assets and prioritize them. If resources are limited, identify key assets at risk, as well as potential weaknesses and put policies in place to protect them,” he says.
Businesses should also not underestimate the “human factor”, adds Jens Krickhahn, Practice Leader, Cyber & Fidelity at AGCS Financial Lines Central & Eastern Europe. “Employees can cause large IT security or loss of privacy events, either inadvertently or deliberately.”
Cyber risk management is an emerging area, but companies can gain assistance from governments and third parties. It is also worth considering using a third party to test and audit cyber security.
As a senior cyber risk consultant, Baviskar helps underwriters understand and benchmark cyber risk exposure. This is achieved through desktop studies or workshops and dialogue with businesses for larger, more complex risks.
When assessing a risk, cyber risk consultants consider a company’s IT security and data processes. They will also look at business continuity plans, as well as breach response procedures.
Assessment of business interruption risk requires financial analysis of the health of the company, service/production processes and their bottlenecks, computer/network infrastructure management, as well as discussion of loss scenarios and modeling. It also pays to plan ahead.
“Companies need a crisis response or breach response plan. Then test it,” advises Krickhahn. “It’s better to draw up a plan in peace-time ready for the war. That way you will know who to contact, who does what, and how to communicate.”
Of course, identifying and evaluating threat scenarios is difficult. Different stakeholders from the business need to share knowledge – IT experts or production engineers can identify the scenarios, business continuity managers can quantify the duration and financial departments the cost. Previously siloed knowledge needs to be incorporated in one “think tank”, including the set-up of IT, processes and risk transfer. Everything should be interlinked.
In Germany, AGCS has partnered with T-Systems, the security specialist arm of Deutsche Telekom, and is running workshops with businesses with complex cyber exposures. These can help firms map their data and IT risks and make decisions around which risks to avoid, accept, control or transfer.
Such workshops can also help companies prioritize actions, according to Krickhahn. Following one such workshop, a business decided to create a centralized system to manage client data.
“Given merger and acquisition (M&A) activity, and complex company structures, it’s not surprising that many companies struggle to quickly identify all the data they collect on third parties,” he says.