As organisations evolve their business models to embrace digitalisation, they open themselves up to new cyber risks. Matthew Worsfold, a partner in Ashurst’s Risk Advisory practice, and Rachel Sexton, the head of the Risk Advisory Practice, explore how firms need to think about managing these exposures.
As they continue the journey through the digital age, organisations of all types are embracing digitalisation as a transformational power, putting technology at the foundation of their businesses.
Digitalisation is seeing organisations evolve their existing business models, by leveraging new and emerging technology such as generative AI, intelligent automation, IoT (Internet of Things) and blockchain to become data-driven.
This trend is not confined to specific industries or company types, instead, it is being harnessed by both traditional brick-and-mortar businesses and start-ups alike.
With use cases for this new technology still being developed, many are looking to leverage digitalisation for a variety of purposes, from cost-saving and operational efficiencies to managing risk more effectively.
However, the increasing adoption of technology and data presents new and emerging risks and, in particular, exposes organisations to greater cybersecurity risk than ever before.
Safely embracing large-scale digital transformation
Organisations embarking on large-scale digitalisation initiatives often focus on implementing cutting-edge technologies, retiring legacy systems and upgrading existing systems, often partnering with third-party providers in order to both unlock and expedite new capabilities.
A by-product of this digital transformation is the proliferation of data, with increasing amounts of data being captured, produced, consumed, and therefore needing to be managed.
With digitalisation comes the necessity to manage, store, and, most crucially, protect this ever-expanding data ecosystem.
This also comes amidst the backdrop of heightened hostile cyber activity, with threat actors becoming increasingly sophisticated in their attempts to take advantage of the myriad of vulnerabilities that can arise as a result of the digitalisation process.
Combine this shift in the cyber threat landscape with a sharpened focus from regulatory bodies on the protection and privacy of an individual’s data, and it underscores the need for organisations to adequately invest in cyber risk management in order to protect the value gained from digitalisation.
Managing cyber risks effectively
To effectively manage cyber risks, it’s important to recognise that whilst technical measures and controls are essential, many cyber incidents typically come down to poor governance and inadequate preparation, and are magnified by the age and extent of data that many organisations are unnecessarily retaining.
Whilst GDPR does not specify retention periods, organisations must be able to justify why they are still retaining data; beyond meeting legal and regulatory requirements, many organisations fail to do this.
Fundamentally, much of this comes down to robust risk management, which in itself is not new. It involves understanding the cyber risk profile and, importantly, recognising how the move to digital heightens and changes that risk profile.
Digital transformation programs will need to include considerations around new or improved data security and cyber controls, both technical and non-technical.
Finally, cyber risks need to be effectively governed, monitored and reported on, all the way up to the board. This is a significant set of risks that boards need to be aware of and have oversight of.
The importance of data governance
Another foundational element of cyber risk management is data governance.
In today’s world, any organisation undertaking a large-scale digital transformation needs a fit-for-purpose data governance framework that has been designed and implemented effectively.
As part of the implementation of the framework, businesses must have a clear understanding of what data they hold, the level of risk it carries, where it resides, what their legal obligations are in relation to data retention, whether they should be retaining that data, and whether they have the right controls to safeguard it.
Given the increasing deployment of new platforms and technologies and the complexity of many IT environments, many business executives fall at the first hurdle.
Detailed data cataloguing and mapping starts with identifying key systems and the types of data that sit in those systems.
For example, a financial services business will typically have customer, product, transaction and payment systems. Within these, the categories of data may include name, address, payment details, card details, identity details (e.g. passport number) and more.
Each data category will have a different retention period: for example, a requirement to hold the data for the length of the customer relationship, meaning the data is deleted or archived a set period after the relationship has ceased.
During the life of the customer relationship, however, given that much of this information is sensitive, it needs to be stored and managed in such a way that, should a cyber breach occur, the data is protected by methods such as encryption, masking or access controls.
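The cataloguing, retention and masking steps above, as an added illustration that is not part of the original article: a constructed catalogue for a hypothetical financial services firm maps systems to data categories, each category carries an assumed retention period after the relationship ends (illustrative values, not a statement of any legal requirement), and sensitive values are masked before they are reported.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed catalogue: system -> data categories it holds.
CATALOGUE = {
    "customer_system": ["name", "address", "identity_details"],
    "payment_system": ["card_details", "payment_details"],
    "transaction_system": ["transaction_history"],
}
# Assumed retention after the relationship ends, in days (illustrative only).
RETENTION_AFTER_END_DAYS = {
    "name": 365 * 6,
    "address": 365 * 6,
    "identity_details": 365 * 5,
    "card_details": 0,  # assumed: no business need once the relationship ends
    "payment_details": 365 * 6,
    "transaction_history": 365 * 7,
}
SENSITIVE = {"card_details", "identity_details", "payment_details"}

@dataclass
class Record:
    system: str
    category: str
    value: str
    relationship_end: Optional[date]  # None while the customer is still active

def retention_decision(rec: Record, today: date) -> str:
    """Return 'retain', 'delete_or_archive' or 'unknown_category'."""
    if rec.category not in CATALOGUE.get(rec.system, []):
        # Data the catalogue never mapped is itself a governance gap to investigate.
        return "unknown_category"
    if rec.relationship_end is None:
        return "retain"  # held for the length of the customer relationship
    cutoff = rec.relationship_end + timedelta(days=RETENTION_AFTER_END_DAYS[rec.category])
    return "retain" if today <= cutoff else "delete_or_archive"

def mask(rec: Record) -> str:
    """Masked display value for sensitive categories: only the last four characters survive."""
    if rec.category in SENSITIVE and len(rec.value) > 4:
        return "*" * (len(rec.value) - 4) + rec.value[-4:]
    return rec.value

def review(records: List[Record], today: date) -> List[Tuple[str, str, str, str]]:
    """One masked line per record with its retention decision, for a review report."""
    return [(r.system, r.category, mask(r), retention_decision(r, today)) for r in records]
```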
Third-party risk management
As organisations increasingly look to leverage software-as-a-service models and rely on third-party providers for data processing and access to the latest technologies, ensuring these providers adhere to rigorous cybersecurity protocols becomes paramount.
Continuous monitoring and assurance over the cybersecurity practices of third parties becomes a critical component of the cyber risk management framework.
This has been brought to the fore by recent third-party cyber incidents including the MOVEit hack.
Incident Response Planning
Given the importance of the first 24 hours of a cyber incident, crisis management planning is essential.
Organisations need to have clear incident response plans that have been adequately stress-tested. Senior leaders at the board and executive level need to clearly understand these protocols, including having clear decision-making rights and lines of accountability for managing the incident.
A recent IBM study found that the average cost of a breach increased by US$1m where firms were unable to identify, contain and resolve it within the first 200 days.
Skills and training
Finally, organisations need to ensure they have sufficient investment in people, skills, and training around cyber security and risk management.
Raising the awareness of cyber risks across the organisation for all staff, equipping IT teams with the right skills, and fostering an understanding and culture of good cybersecurity hygiene are pivotal.
This is a challenge for business leaders.
Ever greater demands are being placed on an already stretched and highly sought-after cybersecurity workforce, with cybersecurity among the most frequently cited areas of expertise that businesses need in order to meet their growth objectives.
As business leaders look to embrace digitalisation, they are presented with unprecedented opportunities and challenges.
While digitalisation offers many benefits, from efficiency gains to enhanced risk management, it also introduces heightened cybersecurity risks.
To navigate the digital transition effectively, business leaders must prioritise robust cybersecurity risk management as an integral part of their strategy.
This is only achieved by taking a proactive and holistic approach, taking into consideration the many facets of cyber readiness.
This entails embedding technical cybersecurity controls into new systems, practising good data governance, establishing clear lines of accountability for cyber risk management, formulating incident response policies, rigorously managing third-party risks, and investing in the skills and training necessary to safeguard the organisation against these threats.
Matthew Worsfold is a partner in Ashurst’s Risk Advisory practice, and Rachel Sexton is the head of the Risk Advisory Practice.