Cyber Risk as a Core Pillar of Business

Marc Ashworth, Chief Information Security Officer, First Bank


Unlike any other time in history, every organization faces risk, whether it is a single-person small business, a non-profit, a government agency or a large enterprise. This threat is so real that it can severely impact the operations or reputation of the organization. Losses can run into the millions of dollars, and may be so severe that the company never recovers.

This threat is almost unavoidable given the nature of doing business today. Every organization is on the internet in some form, and this connectivity comes with a risk: the looming threat of a cyber-attack on the organization. Due to this constant cyber threat, many experts, investors, security professionals and government agencies are calling for cyber risk to be treated as a new pillar of business. Supporting this new pillar requires proper board governance of the organization.

At any given time of day, hundreds if not thousands of scans per minute occur on any given internet connection. These scans are looking for a way to compromise the connection, whether it belongs to a business, a home, or a mobile device. Attackers are always looking for a vulnerability that will get them into an environment. In addition to the scans, the company’s email servers receive thousands of phishing and spam emails, each waiting for a user to click on a link or open a malicious file that will provide access to the system.

No organization is safe or immune from a cyber threat. Whether the adversary is a criminal actor or a nation-state sponsored group, they pose a persistent threat to everyone connected to the internet. Some organizations have large budgets and teams that reduce the risk of a successful attack, but not everyone is so fortunate. History has shown us that even the largest companies and governments cannot fully prevent an attack.

Since 2020, cyber-attacks, and especially ransomware, have seen triple-digit increases year over year. In 2021, the US White House issued a memorandum to corporate leadership warning of the potential threat of ransomware and its destructive nature.

On April 12, 2021, Federal Reserve Chairman Jerome Powell stated in an interview on CBS 60 Minutes that cyber is the #1 threat to the economy; an attack on a major payment processor could devastate the economy. Soon after, the US White House issued several memorandums addressed to corporate executives and critical infrastructure operators, advising US companies on what to do to minimize these risks.


The likelihood of a full-scale cyber-attack increased dramatically during the weeks leading up to the February 20th, 2022, Russian invasion of Ukraine. Since that time, the FBI and the US Department of Homeland Security have issued multiple warnings about the potential for Russian cyber-attacks.

If the US Government or Russia officially declares that we are in a cyber war, many cyber-victims may not be able to recover damages from their cyber insurance carrier. Most carriers have a war clause that excludes any sort of reimbursement, and the burden will fall on the victim to prove that the breach or ransomware attack is not an act of war. Even without a declaration of war, carriers are reluctant to pay during these times if an attack is determined to come from Russia or a Russian sympathizer.

Multiple US agencies and other government bodies have begun requiring organizations to report cyber incidents. Breach notification requirements have been around for some time: GDPR was one of the first to impose them, and many US state governments followed suit.

Executive management and boards need to take notice of these rules and regulations. Shareholders and investors are requesting, and increasingly requiring, information on a company’s cyber posture and on any incidents it has suffered. This is not just a publicly traded company issue. Private companies should closely monitor their environments, and both types of organizations should seek experts in cyber. That will be a challenge, however, if the company’s board or regulations require the organization to have a board director with cyber expertise: there is already a shortage of cyber professionals, and the pool of experienced CISOs and ISOs is smaller still.

Organizations face more and more rules and compliance factors to be aware of. These items are crucial for the company to consider at all times and to have a plan for. CEOs and boards are being held liable for cyber incidents; in some cases, they have been questioned by Congressional panels or faced suits from investors or customers.

All of these items build a strong case for why cyber risk is now a pillar of modern business. The risks of financial loss, legal liability, and regulatory non-compliance are too high not to take it seriously. Expectations to protect the organization from the numerous cyber threats, and to provide the proper board governance, will only continue to grow.
