Cyber Risk of Paramount Concern to Corporate Boards
Lack of History Remains a Challenge
“Cyber security is the most polarizing issue on the corporate board agenda these days,” says Anthony Belfiore, SVP and Chief Information Security Officer at Aon. “It has the most potential impact and the most regulatory pressure among all risks companies face. Nothing is more top of mind right now.”
“You just have to look at the amount of media coverage and the actual realized impacts companies are experiencing. Hundreds of thousands of businesses from big to small are being affected. The entire healthcare system in the UK went down. The impact is tangible. It’s affecting day-to-day operations,” he says. “And no one is immune. Board members come from a diverse set of industries, and all are impacted.”
Why is cyber risk such a hot button for companies versus other types of risks?
“The risk has become more urgent as it has shifted to actual business interruption,” Belfiore says. “Historically companies were concerned with data leakage and loss, or regulatory fines, but now the actual operation itself can come to a halt. When a company goes down for three days that hits the media. Analysts notice. You can trace a specific event to a drop in stock values.”
Aren’t fines still a concern?
“Yes. We are operating in a regulatory environment which can have a significant downside,” Belfiore says. “This is especially true if you are a multi-national firm with considerable operating and capital expenses. You can sustain significant and unforeseen punitive fines which can be imposed anywhere around the globe, for example, if you’re found non-compliant with GDPR.”
What about directors themselves?
“Potential for board liability for failing to protect shareholders is a hot-button issue right now. D&O liability and coverage is evolving,” says Belfiore. “There is uncertainty as to who is protected.”
The digitization of so many aspects of conducting business has been around for a while now. So why does cyber risk continue to present challenges for the insurance industry?
“Historical data is a challenge for insurers because there is very little relative to other risks like those posed by fire or storms for which we have decades of statistics. This makes it difficult to qualify and quantify the risk. Models are used to gauge the potential for losses but, still,” he says, “there isn’t a lot of history to go on.”
Aren’t companies and boards okay as long as they have insurance?
“Organizations who think they are covered may come to a different conclusion when they read the fine print. That’s why it’s imperative to work with an experienced broker to navigate the various coverages and nuances in policy language,” Belfiore says.
At a high level, what should security leaders at companies do to reduce risk and anxiety around potential cyber losses?
Belfiore urges companies to “set up effective governance and establish an effective governance committee. Examine how you run your operation day-to-day, consider how to best manage the expectations of the C-suite and the board. Get the most out of governance committee discussions, ensure you have alignment up and down the stack, and make sure you have installed effective risk management and risk protocols.”
Belfiore is on “The CISO Perspective” panel at the International Cyber Risk Management Conference (ICRMC) on Dec. 6-7, 2018 in Bermuda, along with Tim Dawson, Cybersecurity Chief Technology Officer at HSBC; Tom Pageler, Chief Security Officer at BitGo, Inc.; and Derek Vadala, Chief Information Security Officer at Moody’s Corporation.
In Bermuda, you will be able to hear insights like these, along with updates on anything that occurs between now and December.
This post was edited by HB Founder & Managing Director Tom Hagy. In the 1990s Tom launched one of the first nationwide legal reports in this area — Mealey’s Litigation Report: Cyber Tech & E-Commerce — when he was publisher at Mealey’s, now part of LexisNexis. If you are interested in posting on this site or discussing speaking opportunities, please contact us at Editor@LitigationConferences.com.