Cyber Risk Strategy: A New Conversation
They say ignorance is bliss.
Not when it comes to the SEC.
ICYMI, new SEC regulations take effect in September 2022. The Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule (SEC RIN 3235-AM89) requires enhanced cybersecurity disclosures from public companies. It raises duty of care issues for fund managers that fail to conduct proper cyber due diligence on their portfolio companies. It requires periodic disclosures of cybersecurity policies and procedures, of the board of directors’ cybersecurity expertise, and of overall oversight of cybersecurity risk. Suffice it to say, this will require a significant evolution in how organizations approach cyber risk management.
Concertiv, joined by risk mitigation experts from Kovrr, recently tackled the topic of how the C-suite can quickly quantify the financial impact of their cyber risk exposure in a thought leadership webinar. Over the course of 30 minutes, the panel covered topics including:
- How cyber security is evolving into cyber risk management programs driven by financially quantified insight
- Real-world examples of the rising risks and costs of new cyber attack strategies
- A new tech-enabled approach to quantifying this cyber risk exposure
- What actions you can take immediately and how you can prepare your organization for September’s new mandates
The rise of cyber attacks is creating a growing urgency for professional services enterprises to understand the exposure a future incident could have on their current and future assets. You’ll want to read this entire article and take a half hour to listen to this expert panel if you’re participating in conversations that sound anything like this:
- “We need to get the entire board speaking the same language around cyber risk management”
- “Who can give me an actual number on our cyber risk exposure?”
- “I don’t have six months to quantify my cyber risk exposure - I need something by September 12th!”
- “How can we be sure that insurance policies adequately protect us?”
The Need is Great (listen at minute 19:00)
Gartner reports that in the span of a mere 7 years, cybersecurity spend has increased more than 1200%. That’s right: in 2015, cyber security spending came in at an annual spend of $12.5B. By the end of 2022, that spend is estimated to be $172B. To say that this is a priority area is, well, an understatement.
While all eyes are on this strategic area, it takes a leadership village to protect the enterprise. Cyber risk and cybersecurity have certainly been elevated beyond the purview of one leader. Although the traditional CISO maintains a leadership role, cyber risk management is now a concern that touches the CTO, CFO, and CEO, to name a few. As market pressures and technological automation make everything happen much faster, it becomes imperative that your cyber risk approach have speed and repeatability built in. This is critical when you fully realize that new vulnerabilities are discovered and exploited every day.
One area often overlooked is mergers and acquisitions activity. But believe it or not, these activities present one of the biggest sources of risk. In a contracting market that’s seeing the early signs of recession, this is prime time to buy. As you do your due diligence, be prepared for your CISO to take a leadership role in the actual M&A. It makes sense. After all, this leader understands better than most:
- That constant change is itself a risk
- The inherent risks present in different companies that have different security protocols
- The risk that comes with time schedule compression
Why Does it Matter? (listen at minute 22:45)
Clearly there’s a need, but how important is it, really? Critical.
No doubt you’ve heard that it takes years to establish trust and a stellar reputation… and mere minutes to destroy it. Years of trust can be swiftly eroded with malicious ransomware and data breaches. Once lost, that trust is difficult to get back.
In addition to a damaged reputation, cyber risk management matters when you consider:
- The eye-popping dollar signs that inherently come along with a risk exposure. Understanding your potential exposure and having a mitigation plan provides the confidence you’ll need to weather a cybersecurity event
- The speed at which events escalate
- The multiple impacts one event can have: ransomware → easily becomes a data breach → which easily becomes a regulatory fine
When considering exposure and prioritizing a path forward, all of these factors need to be modeled accordingly.
A New Conversation to Have (listen at minute 33:35)
Qualitative considerations are important, but today’s business demands analytic rigor. Leadership teams and boards are being compelled, even if solely by more stringent SEC regulations, to fully understand the business’s exact exposure. Articulating the actual monetary figure attached to that exposure is a conversation you can no longer dance around.
To thrive today, you must have a real exposure number supported by market data that is (most importantly) actually communicated to the team.
What’s your plan to make that happen? (Hint: The experts at Concertiv can help)
Having a data-supported plan allows your organization to truly enter a new conversation. Imagine being able to:
- Make strategic decisions on the risks you choose to keep on your balance sheet… or transfer to others (like insurance carriers)
- Identify which risks justify spending a limited budget
- Drive KPI achievement (e.g., reduce a specific exposure by 15%)
You need a more holistic approach to cyber risk mitigation, and a way to get your arms around the concrete dollars and cents of your risk. It’s easier than you think to get started. Connect with Concertiv today for a free analysis of your ransomware exposure.
In the words of panelist Tom Boltman, VP of Strategic Initiatives at Kovrr, “Once you understand a potential exposure, you can then set your risk appetite and ultimately make better decisions.”
That’s a conversation the team at Concertiv is eager to have. Are you ready?
Watch the full Cyber Risk Strategy webinar below: