Only with an increasing ownership of cyber risk at board level will we begin to see improved cyber mitigation in our region, argues financial and professional risks practice leader at Marsh Asia, Stella Tse
Cyber risk has shot to the top of corporate agendas across Asia during the past 12 months, as senior management continues to gain greater understanding of the extent of the cyber threat in today’s rapidly changing technological environment.
While this increased awareness has raised the profile of cyber risk, a complete understanding of the cyber threat requires comprehensive knowledge of both the external risk and the liabilities that are specific to your company.
For this reason, companies cannot afford to treat IT security as a peripheral risk that can be outsourced to third-party security providers, or even left to the responsibility of the chief information security officer (CISO).
Organisations require an approach to cyber risk that identifies opportunities resulting from technological innovation, while also identifying and mitigating the accompanying cyber exposures, as well as those of legacy systems. In this respect, responsibility for cyber security needs to sit above the role of the CISO; it must sit with the board. This is because it is the board that, while not managing day-to-day cyber risk responses, needs to be satisfied that they are robust.
Top-down work must be carried out to map all areas of a company’s technological infrastructure, data-related tools, and systems and processes. This makes it much easier to establish the points of weakness that are traditionally found at the connection points between programs and systems. External service providers need to be carefully assessed, and the company should be clear on any liabilities and recourse rights. The training of staff is equally important, as human error is also a major cause of data breaches.
With these areas identified, businesses can begin to quantify the risk in terms of its potential financial impact, and develop an incident response plan. This should involve undertaking a programme to improve the general understanding of the company’s technological structures, and how they are integrated, throughout the entire organisation.
Finally, insurance can also play an important part in a business’s cyber mitigation strategy. While insurance will never eliminate the risk, company data identifying cyber liabilities and the potential reputational damage that may lead to loss of business are essential to enable organisations to assess the risk at hand and, on that basis, determine whether it is value for money for them to transfer the risk to the insurance market.