“The best we can do is weigh up the chances, analyze the hazards involved, estimate our capacity to cope with them, and make our plans with confidence,” the American industrialist Henry Ford II famously said. The hazards Ford and his contemporaries faced were very different from those confronting businesses today, but the underlying problem has not changed: uncertainty about risk, and the ability to manage it well, remains a decisive edge in corporate success.
According to Gartner, Inc.’s 2020 Board of Directors Survey, directors rate cybersecurity as the second-greatest source of risk to their companies, immediately behind regulatory compliance risk. Cybercrime is estimated to have cost the world at least $6 trillion in 2021, and that cost is projected to exceed $10 trillion a year by 2025. “The danger that we currently keep our eyes on most is cyber risk,” said Jerome Powell, chairman of the US Federal Reserve.
Cybercrime will continue to disrupt the global economy and add to its uncertainty. To counter it, boards must put in place effective ways to control their financial exposure and limit the business consequences of an attack, and organizations must build digital transformation plans that keep pace with today’s cyber security challenges rather than opening the door to major disruption.
A strategy for achieving cyber resilience
Businesses are increasing their cyber security spending as cyber threats grow and evolve. If they want a reasonable return on that spending, they need clear and effective plans for combating cyber crime. The first step is to bring clarity to the boardroom conversation about cyber risk. Effective communication is a cornerstone of good business outcomes, and cyber resilience depends on a shared vocabulary for discussing the complex problem of cyber risk. In practice this means distilling technical discussions full of specialist security terminology into accurate economic analysis that shows how cyber attacks threaten the firm financially, in both the short and the long term.
Building cyber resilience in an enterprise requires adequate board oversight, grounded in a well-thought-out plan that is itself based on economic analysis. The insurance industry already does this: cyber risk evaluations in underwriting standards rest on proven, explicit calculations of financial exposure. As a result, insurers are moving the cyber conversation away from a highly technical, confusing security debate and toward one in which companies can understand and manage their financial risk in terms they already use. When the financial exposure arising from cyber risk is made explicit, boards find it far easier to align cyber security strategy with economic measures of that risk.
The crucial first steps in preparing for cyber resilience are to define effective remediation and mitigation procedures that reduce financial exposure, and to set the organization’s cyber risk appetite in financial terms, according to its particular risk profile. Certain items on the cyber resilience agenda should be discussed regularly between the board and management. The board should understand how management uses return-on-investment analysis to match the cyber security budget to the financial risk it reduces, and it should oversee the steps taken to put the cyber security plan into practice.
It is worth remembering that how well a financial approach to cyber risk oversight works will vary with the expertise of the people involved and the maturity of the organization’s cyber security program. Even so, working with management in this way can be an effective means of limiting the financial impact of cyber risk.
The changing regulatory landscape
In 2018 the United States Securities and Exchange Commission (SEC) issued guidance on public company cybersecurity disclosures to help firms draft disclosures relating to cyber risks and incidents. The guidance highlights several disclosure topics, including the likelihood of a cyber incident and the potential magnitude of such incidents. It also considers which parts of the company’s business and operations are exposed to cyber threats, and the costs and consequences of those threats. Finally, it asks whether the preventative measures adopted to reduce cyber risk, and their costs, are adequate, including the company’s ability to prevent or mitigate particular cyber risks.
Existing legislation and new policies compel public firms to confront cyber threats head-on, and the number of legislative hurdles to clear is growing as systemic cyber risk exposure expands. Companies that implement effective cyber security plans will be able to stay ahead of the curve and remain in compliance with current regulations. A cyber resilience strategy based on financial exposure analysis lays the foundation for reliable business disclosures that meet regulatory standards.
The SEC is also preparing cyber security risk governance rules that will tighten requirements for incident reporting and cyber security hygiene. Increased SEC enforcement will push businesses to create policies and processes for monitoring and mitigating their cyber risk exposure. Organizations will need to establish internal policies and build up their defenses ahead of time in order to keep pace with evolving cyber security requirements.