Why is Bob from IT Managing Your Cyber Strategy?
The financial cost of cybercrime is expected to reach $2 trillion by 2019, yet many European organisations are failing in their measures to mitigate this growing risk. The high-profile hacks of businesses such as TalkTalk in the UK and the North Korean-backed Sony attack in the US serve as constant reminders of the damage large-scale cyber breaches can inflict upon an organisation. Nonetheless, European business leaders seem unable to shake the outdated notion that cyber risks are primarily a technological threat.
Unlike in the US, where the threat of a cyber breach is seen as an enterprise-wide risk, many European companies are guilty of hiding the management of cyber risks in the IT department, often ignoring the risk management function altogether. The latest UK Cyber Risk Survey from Marsh found that some 55.7% of UK businesses believe the IT department has primary responsibility for managing cyber risks, while only 5.1% believe the risk management function should take responsibility.
More concerning is that less than a third (30.3%) of UK businesses currently have Board-level oversight of cyber risk, and three-quarters said they did not have a full understanding of the cyber risks facing their organisation.
EmergIn Risk CEO, Jamie Bouloux, says US firms often have greater engagement than their European counterparts with their risk management function regarding cyber threats, leaving European organisations more exposed to cyber breaches.
“For large European-based operations, the view is if they maintain a strict cyber infrastructure and it is secure, then they are bypassing their cyber exposure,” Bouloux says. “Other organisations believe cyber is about protecting critical cyber assets – predominantly a US view – which is why privacy liability insurance has always been at the forefront there; ultimately cyber in the US is all about how do you respond in the event of a privacy breach.”
“The US has a much heavier engagement with the risk management function, which ultimately drives the strategy for dealing with a privacy breach resulting in cyber becoming an issue not just for the IT department but all the way through the organisation.”
Bouloux says this failure to take into account a cyber breach’s wider impact on an organisation often results in European CEOs handing over bigger and bigger budgets to IT departments to put in place preventative measures, with little or no thought given to the aftermath of the ultimate breach.
“In the US, your duty as a director is to the shareholder so when you have a cyber event, it is all about stopping shareholder depreciation,” Bouloux argues. “A lot of this comes down to limiting shareholder liability. You want to have the best risk management procedures in place so you aren’t seen to be negligent as an organisation – which would result in higher damages being paid out.”
This approach means that US organisations focus a lot more on protecting the consumer and, if they do suffer a breach, will offer services such as identity theft insurance to their affected customers, and other forms of support, to minimise the threat to the organisation’s brand and bottom line.
“In Europe, however,” Bouloux continues, “directors have a duty of care to the company, not to the shareholders. So, the director needs to be able to show that they took the proper measures to protect the organisation, given the information available at the time, to show that the duty of care was met and that they weren’t negligent.”
“This often leads to a box ticking exercise that simply results in larger budgets for the IT department and little real strategy for handling a crisis in the aftermath of a cyber breach,” he adds.
Change is on the horizon
All of this could be about to change, however, with the introduction of the General Data Protection Regulation (GDPR) in Europe.
This regulation will see organisations facing fines of as much as £20m or 4% of global turnover, whichever is higher, in the event of a cyber breach, in addition to the other financial costs and reputational damage that follow such a crisis.
Bouloux says GDPR will mean that European CEOs can no longer brush cyber risks under the carpet and rely on the IT department to clean up.
“It will no longer be a question of ‘was the IT department doing everything it could?’, but a question of ‘was the data being managed appropriately to ensure what happened didn’t actually occur?’” he says. “When decisions are made by the IT department, you don’t have the expertise to determine the ultimate liability exposure to the organisation and what the best route to recovery is.
“If cyber is focused in the IT department, it leads to decisions being made at the coalface, and sometimes you need to take a step back into a larger war room to work out what all the different threats are. If you leave it just with the IT department, you will never create the optimal plan for addressing the situation by having the best people from the different areas of the organisation.”
But what does this mean for European organisations?
Ultimately, organisations as a whole need to show more interest in, and take more control of, cyber risks. It is no longer adequate for risk management functions to be overlooked. Cyber risks threatening European companies come from many angles and can affect organisations in a multitude of ways – from business interruption to reputational damage, and from loss of critical and sensitive information to regulatory fines.
Perpetrators of cyber attacks are increasingly one step ahead of those they are trying to breach, making it difficult for a single department to keep an organisation safe from hackers. And with the GDPR looming on the horizon, CEOs now have more incentive than ever to show a direct interest in cyber risk, and not just leave it to Bob from IT.