Ten Rules for the Cyber Incident Responder
Risk managers’ focus on the seemingly unlimited array of cyber threats to their organizations is steadily growing. The 2014 BDO Technology RiskFactor Report, for instance, which analyzes SEC 10-K filings and other data from the largest publicly traded U.S. technology companies, found that “breaches of technology security or privacy” ranks at number seven in the top 25 risk factors cited by these 100 companies. Ninety-one percent of companies cited the risk this year, compared to 57 percent in 2011.
No doubt, those sorts of numbers won’t really surprise anyone, but they do raise questions. In particular, what will be done about these concerns? Tracking the trends surrounding the attitudes of risk managers, those cybersecurity risks, and other major risks, has been the goal of the Emerging Risks Survey for the last seven years. It’s produced by The Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries’ Joint Risk Management Section, and after the 2014 results were released, I asked the report’s author, Max Rudolph, about some of the results around cybersecurity risks and what risk managers plan to do about them.
The 2014 survey, Rudolph explained, closed before the massive Target data breach, and of course before Target’s CEO lost his position as a result. Without the influence of that and other recent cybersecurity events, and based on seven years of data, the survey’s results were deemed to be predictive, rather than reactive. “Cyber risk has steadily grown,” said Rudolph, “from 21 percent in 2009 to 47 percent of responses in 2013 with continuous (monotonic) increases.”
That trend, along with a reduced focus on the economic risks that preoccupied minds for the last five years, has created a crossroads, the survey indicates. For some large enterprises, a risk management strategy may require special examination as the emerging risks switch places. Financial volatility, while still the number-one emerging risk, has gone from 68 percent of responses in 2011 to 59 percent in 2013. Cybersecurity responses have risen from 38 percent to 47 percent in the same period. Strategic risk management of financial volatility can include an upside. Cybersecurity threats do not generally provide that same upside opportunity.
Rudolph also points out that survey responses indicated interest in a response to cybersecurity risks that may send enterprises in the wrong direction, especially in the long term:
“It concerns me that the current push is to buy insurance rather than to improve practices, as that is the ultimate solution. Boards may feel the issue is addressed with insurance, but coverage will become unavailable if you are a repeat claimant.”
Major cybersecurity stories, including the NSA’s data breaches, have developed since these results were compiled only a few months ago. Enterprises fortunate enough to have risk managers or risk teams, the report concludes, must beware of missing the forest for the trees:
“A risk manager who has their nose to the grindstone might accomplish the immediate task but be woefully unprepared for longer time horizon risks that emerge over time. Those who strike a healthy balance between improving existing practices, improving transparency, and becoming a lifelong learner will better understand their risks and make better decisions.”
