1. What do you say to small organizations who don’t think they are big enough to have cyber resilience programs or engage in testing exercises?
No matter how big your company or organization, you have to come to terms with cyber risk. The quadrant we spoke to at the end of our program helps you think about the ways you can deal with cyber risk. Anybody can be victimized. Doing nothing is not good management or a good strategy. It is better to do something “good” that you can achieve now than to aim for something “perfect” that you will never get to. No matter the size of your organization, there are some steps you can afford to adopt and embrace to improve your risk management strategy. From the cyber insurance perspective, there are also resources you can leverage to improve that strategy. Ponemon reported last year that around 25% of businesses bought cyber insurance, but that number is increasing because a breach at a smaller organization can be a bet-the-organization event, significant enough to shut down operations or disable the ability to execute on customer demands. The point is that businesses of all sizes are susceptible, and only a small percentage of them have cyber insurance coverage.
2. What are the top things I should do to get executive sponsorship for a proactive cyber resilience program in my organization?
The key thing in obtaining executive sponsorship is to talk about security in business terms rather than technical terms. When you are approaching people like the chief executive officer (CEO) or the board to discuss risk to the company, talk about the impact that risk could have and how the vulnerability could really hurt the organization—whether it is depleting revenue, reputational risk, or the operational shutdown that would occur if something were to happen. If you do not frame your concern in business terms, the impact of the risk is not clear to the governance side of the business, and that will not serve your efforts. On the other side of the coin, there are things that you do not want to do. Do not try to obtain sponsorship by telling your board or CEO that the sky is falling. We have seen some of the largest companies across all industries fall, even though they had budget and headcount. This goes back to looking at your most coveted assets – your crown jewels – with the chief risk officer (CRO) and assessing what is exposed and, if you were compromised, what your plan would be. Talk about this in a business context rather than using fear of being a front-page story as your tactic. The focus should be what is impacted and how you will manage the risk.
3. How do you recommend we review our overall insurance portfolio or program to determine whether we have sufficient cyber coverage?
Coverage for a cyber event can be found in multiple policies across an organization’s insurance portfolio, including a dedicated cyber policy, property, casualty, crime, kidnap and ransom, and potentially others. We suggest conducting a coverage gap analysis, which Aon can facilitate, to determine where the insurance portfolio does or does not address cyber exposures. Once the gap analysis is completed, the organization, in conjunction with the broker, should review existing insurance policies and fill in any gaps, either by bolstering the current portfolio or by purchasing a more robust, dedicated cyber enterprise solution for clarity and consistency. The final step is to define adequacy of protection. A limits and retention quantification exercise will determine limit suitability and, ultimately, the financial statement impact of a cyber event.
4. Large organizations have the financial wherewithal to avoid or mitigate cyber risks. Most medium to small-scale entities cannot afford dedicated CROs, which was alluded to earlier in the program. Besides the risk transfer mechanism, such as cyber policies, what other cost-effective measures can these smaller enterprises take to address cyber risks around their IoT?
This question talks about outside risk transfer, but on the front end you can invest in security and run exercises internally in order to be ready to respond to an incident. Incident response is key. Investing, practicing, and being ready to respond to an incident quickly is important, as is having all the stakeholders we talked about earlier in this program ready and part of the incident response mix. It is also wise to have a retainer with partners like Stroz Friedberg, who are ready and on call to move in swiftly when an event occurs.
Each organization will need to evaluate its risks, threats, and vulnerabilities in the context of its business and regulatory environment, looking at what its peers are doing, what the market is telling it, and what sort of significant cybersecurity incidents or breaches are occurring. What we are saying is that no one has a crystal ball, but if we root decisions in a preponderance of risk from a quantitative and qualitative standpoint, together with an evaluation of regulatory matters and of what is going on in the industry, we can make solid, fact-based, information-based decisions. Thoughtful, business-oriented analysis is the best that we can do. This is not a technology discussion with leadership. It is a discussion about risk concepts and regulatory risks around cybersecurity. Finally, do what you can inside the organization, but remember that outside help is available.
5. We are a law firm who outsources our clients’ data to a third party that processes, analyzes and/or hosts the data. Do we have a right, obligation and/or responsibility to vet that company’s security?
Just remember: you can outsource the work to anyone, but you cannot outsource the risk. That being said, you have both the responsibility and the right to vet third-party security. When working with a third-party vendor, get a right-of-audit clause, and where you can, negotiate the right of audit into your contracts. If you cannot get the right to audit, then you need to get other forms of third-party assurance of security. You need an appendix, referenced in the contract, that sets out security standards and key control objectives translated into something relevant for the vendor. Build a program of governance into the contract that puts the vendor on the hook via key performance indicators, service level agreements, and cyber and data protection requirements. Trust, but verify and monitor. If the vendor gives you a SOC 2 or ISO certification or a PCI Report on Compliance, you need to review those documents, and potentially visit their site to perform monitoring.