Cyber resilience strategy must work hand-in-hand with risk transfer and external counsel
Even the best precautions can fail to keep attackers permanently at bay. Although traditionally considered to have secure and protected systems, the financial sector has been particularly prone to cyber attacks in 2022, as seen in outages at ANZ bank in New Zealand and attacks on the Japanese cryptocurrency exchange Liquid. Globally, there were various high-profile incidents of bank theft using the SWIFT electronic payment messaging network. The Sunburst hack of 2020 also shows how a backdoor supply-chain attack compromised organizations with best-in-class cyber security practices. These included key US government agencies as well as Microsoft, Intel, cyber security firm FireEye, and more.
Because cyber attacks can never be fully prevented, no cyber resilience strategy is complete without risk transfer. This involves assessing and quantifying the organization’s cyber risk exposure and risk tolerance and incorporating these into long-term strategy. Appropriate cyber insurance coverage can then be obtained for areas such as indemnification for loss, liability, regulatory omissions, physical damage, and more. This approach also reinforces the corporate risk management mindset and influences cyber security controls and best practices across the organization.
Another key differentiator in leaders’ quest for sustained cyber resilience is a willingness to engage a good external advisor or consultant to help make better decisions and address risk. Resisting the impulse to delay capital investment in response to short-term risks, well-prepared leaders are open to bringing in consultants to help strengthen an organization’s response to real-world threats.