Updated: Jun 20, 2019
Cyber risk is often portrayed as being the concern of CISOs and other cyber experts allowing boards of directors and corporate leaders to treat it as a standalone issue with few consequences outside of IT. The illusion of separable IT risk was never and will never be true, and many risk stakeholders have woken up to the interrelated nature of cyber and other business risks.
Cyber risk is a key component of enterprise risk management. The SEC, other regulators, the credit rating agencies and insurers have all been demanding that organizations elevate cyber risk management and integrate it within a comprehensive risk management framework. Companies remain, nevertheless, slow to respond.
Credit Rating Agencies
Warnings and guidance around cyber risk management are not new for rating agencies. Since at least 2015, major credit rating agencies like Standard & Poor’s (e.g. S&P) and Moody’s have stepped in to add their weight to the growing consensus that businesses need to get serious about cyber risk given its influence on all aspects of an organization’s risk profile. The rating agencies are increasingly taking cyber risk into account at the firm and sector level when determining credit ratings.
Businesses that don’t take adequate steps to manage cyber risk might see decreased credit ratings after a significant cyber incident. Specifically, Moody’s has indicated that businesses in sectors that rely on personally identifiable information (PII) are at greater risk of data theft on a scale that could impact future credit ratings. Earlier this year Moody’s released a report that “credit implications of cyber risk will hinge on business disruptions, reputational effects.”
S&P has provided guidance that cyber risk is weighed in credit decisions by stating that a bank could have its credit rating lowered after a cyber-attack if it appeared that cyber risk was poorly managed. Whether a bank, health care company, or retailer, businesses need to seriously consider the long-term credit risks posed by not managing cyber risk. Despite these warnings, many organizations still treat cyber risk as a standalone issue to be handled by IT leaders alone with little or no board level interest. This is not a sustainable position.
Regulators (like the SEC) have been becoming more insistent that companies get serious about cyber risk management, especially disclosure of cyber incidents. SEC guidance is clear: “cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management.” This guidance is driven by the fact that more and more activities of organizations and businesses, from utilities to entertainment, are made possible by digital technology. The result is that cyber risk is omnipresent and touches every aspect of an organization.
The implication is that every business must take efforts to integrate cyber risk into decision making – from the board to employees using IT systems. In addition to general cyber risk management, regulators are expecting organizations that hold PII and other sensitive data to take more seriously the data governance responsibilities that come with collecting sensitive data. The SEC guidance makes this explicit with expectations that businesses must have “sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is . . . reported . . . up the corporate ladder."
Finally, privacy regulations, from the EU’s GDPR to California’s Consumer Privacy Act (CCPA), are increasing the potential penalties for slow disclosure of breaches, data loss and poor cyber risk practices. GDPR requirements are broad but it is clear that organizations that are subject to the regulations must take measures to properly manage risk, or as the law states: “[firms] shall implement appropriate technical and organisational measures” to ensure compliance. Failure to do so can come with steep penalties.
Under the EU regulations firms can face fines ranging from 12 million dollars, or two percent of worldwide yearly revenue (whichever amount is greater) or up to 4 percent of annual worldwide turnover or 24 million dollars (whichever amount is greater) depending on the nature of the violation or non--compliance. Like GDPR, the CCPA has broad requirements including a “duty to implement and maintain reasonable security procedures and practices” which should start with strong cyber risk management practices.
The CCPA exposes firms to regulatory and civil liability. In addition to fines for n on-compliance, which includes not disclosing data breaches, the CCPA makes it easier for consumers to sue if their data, “ is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Despite apparent soft language good cyber risk management practices should not be considered merely a suggestion, but rather an implicit mandate of the CCPA.
Get Smart On Cyber Risk
From regulators to market stakeholders it is clear that cybersecurity risks are material to the performance of businesses. Gone are the days of a minimal fine and small costs for failing to manage cyber risks. Today organizations are increasingly going to be held to account for poor cyber risk management, be it in court or in the market. The question is how to respond?
First, governance is critical. If cyber risk isn’t managed with the same rigor from the top to the bottom of a firm, then expect credit agencies and regulators to pounce because weak governance is easy to spot.
Second, develop and document good risk processes – from a strong framework to assessments and mitigation, get the tactics of cyber risk management right.
Last, do, don’t just show. If GDPR is any indication, not only documentation but action will be needed to satisfy regulators and other stakeholders that your organization is serious about cyber risk management.
Ready to respond to the high stakes reality? Contact us to talk about how to enhance IT risk management in your organization.