Despite the increased recognition today by Boards of Directors and C-Suites of the threat posed by cyber actors, too many organizations are underprepared and underappreciate the material risk these threats pose. Today’s scale and velocity of cyber threats present a strategic business risk – not merely the IT risk that many take it to be. The collective failure to define cyber threats in terms of their resulting business impacts leaves organizations able to respond only from a defensive posture – an approach fraught with risk.
This situation suggests a need to i) re-conceptualize the threats as the velocity of risk continues to increase; ii) derive better means to calibrate the impacts of the risks; and iii) evaluate the volatility of cyber risk against the efficiency of an organization’s risk capital spend.
THREATS OUTPACING OUR ABILITY TO RESPOND
The scale, scope, and velocity of cyber threats continue to strain organizations’ ability to defend themselves effectively. Recent examples such as the WannaCry and NotPetya outbreaks, large-scale DDoS attacks, and continuing state-sponsored activity present a daunting task for even the most sophisticated organizations. Fundamentally, this is a war of attrition in which companies remain under assault from a multitude of actors, each with different motivations, aims, and skills. Unfortunately, organizations have to succeed every day while attackers only have to succeed once. The asymmetry of the situation is overwhelming.
Two critical dynamics shape this reality.
1) Organizational Complexity. Today’s integrated business models, the drive for big data, increasing specialization, and out-sourcing to third party vendors present a fluid and dynamic attack surface littered with risk. The complexity of this model clouds the ability for leaders to identify strategic vulnerabilities that can create material risk within their organizations.
Too often, leaders assume a linear approach to risk identification where key systems or business processes are identified in a risk register, along with appropriate controls and compliance measures. However important these measures are, they are insufficient to identify points of true value at risk within a company. Indeed it is often the combination of systems, process, and customer activity, and how they intersect, that creates value at risk. It is this very complexity that must be mapped to truly understand the value at risk within a business.
2) Arms Race. The growing sophistication of large-scale network interruption and ransomware attacks suggests an arms race is under way. As much as companies are spending on defenses, the economics of the risk are changing.
Large-scale Attacks: The scale of data breaches today ranges far beyond what was thought possible even a few years ago. The Equifax (144 million records) [1], HBO (1.5 TB of data) [2], WannaCry / NotPetya (over 100 countries), Verizon (14 million records) [3], and Edmodo (77 million accounts) [4] breaches, among others, should give every firm pause as to the data it holds and the implications of its loss. Organizations must evaluate the potential losses from such worst-case events – none of which were forecast.
New Extortion Models: The HBO and Democratic National Committee breaches are especially instructive. The question in both is simple but powerful: how much would a corporation pay not to have its data released once stolen? In the case of HBO, it was reported that HBO offered $250,000 to retrieve its data, an offer which was rejected. [5] Hackers now understand that the value of the data they steal may lie not in selling the stolen records on the dark web, but in being paid not to release the files publicly. This fundamental shift in the economics of extortion attacks changes the calculus for all involved. For example, imagine a private equity firm whose investment strategy and due diligence reports are stolen, or a corporate law firm whose client files are breached. When this threat vector is mapped against the forthcoming European privacy regulation (GDPR, May 2018), under which up to 4% of global turnover may be at risk in fines, one can foresee new realities of extortive threats.
Systemic Risks: Recent attacks and human errors have brought systemic risks into sharp relief. The 1TB per second attack on Dyn (21 October 2016) and the Google error that caused nearly 50% of Japan to lose internet services suggest that businesses must take a different approach to cyber risk. [6] [7] In each of these cases, and others, large-scale events impacted a large number of businesses. Firms must face the reality that they do not have to be the target to be the victim. Indeed, organizations should adopt a natural-catastrophe modeling approach to cyber risks and consider the possibility of ‘roving’ internet outages in the future. This systemic risk points to a level of fragility in our systems not previously imagined.
Nation-State Threats: The lines between legitimate military targets (e.g., armies targeting armies) and the means to attack those targets are blurring. We are witnessing the emergence of an era of hybrid warfare in which nation-states actively seek to disrupt, and even destroy, economic capacity by targeting a nation’s business sector. The theft of intellectual property (estimated at nearly $600BN annually), disruptive competitive practices to support state-sponsored industries, and the desire to trigger broader economic disruption create a hostile environment for organizations today. One only needs to examine the Iranian response to the Stuxnet attack on its nuclear facilities. The Iranians did not respond by attacking the Pentagon or the US Congress. Instead, Iran targeted 50 financial institutions – both large and small – in an attempt to create economic havoc. To Iran, the ability to impact the US economy was a far more attractive target than the potential disruption of a government network. However significant the proximate risks to a business in the form of data theft or network interruption are, this new reality demands that businesses adopt a larger view of the true risk to their firms. Here again, a business does not have to be the target to be the victim, yet the net effect remains the same – reputational harm, risk of fines and penalties, and the costs of remediation and restoration of the network.
However, the optimism bias that pervades organizations today – “It won’t happen to me” – may present the greatest threat. Instead of stating “It’s not if but when we are attacked”, leaders would benefit from asking themselves “What would we do today if we knew we were breached?”
CAN WE WIN?
The New Normal is one of perpetual conflict with ever-increasing liabilities. The risk itself is global regardless of the nature of the business, be it local, national, or international. Further, as much as artificial intelligence and machine learning are being heralded as a solution to growing cyber threats, it would be naïve to believe that these same techniques will not be deployed by adversaries, creating an ever more complex threat environment.
Perhaps not surprisingly, there is much evidence suggesting that, collectively, we are failing to adapt to this new era. Last year, 87% of executives believed that their organizations were not prepared as fully as they should be for an attack. [8] When this ‘recognition’ of the risk is compared with another question posed in the same survey, a glaring disconnection between threat perception and action emerges: 68% indicated that they would not increase cyber defense spending if a supplier were breached, and 58% believed that they would not change cyber spending if a major competitor were attacked. [9] Equally alarming, a JLT – Harvard Business Review Analytics Service report found that 85% of businesses expected the financial impact of attacks to increase over the next year. [10]
This data suggests two important considerations. First, executive leaders, and by extension their organizations, do not appreciate the true nature of the cyber risk they face. Second, these leaders seem to suffer from an optimism bias that a Black Swan event ‘can’t happen to me’ even if it happens to a competitor. Unfortunately, cyber Black Swan events are becoming more frequent (and therefore ‘less Black Swan-like’) and need to be fully evaluated given the systemic risk effects witnessed over the past few months.
Yet even within this context, there is much we can (and must) do to counter today’s threats while preparing for tomorrow’s risks.
1) Define Cyber Threats as a Business Risk
Businesses must re-conceptualize cyber risk as a business risk. In reframing cyber threats, organizations can gain fidelity about the true nature of the risk – i.e., what are the potential financial impacts of different attacks on the firm.
Viewing the risk through the lens of a ‘cyber supply chain’ – identifying the upstream and downstream cyber risks – is of critical importance to i) identifying critical vulnerabilities and crown jewels; ii) determining which assets of value are at the greatest risk; and iii) understanding the interdependent nature of the different cyber risks an organization faces.
2) Cyber risk is fundamentally a leadership issue
Leaders must engage across the breadth of the organization to address this risk. Otherwise they will be continually challenged to develop a cross-functional approach to cyber risk. This statement is different from saying “boards must pay attention to the issue.” Simply put, cyber threats cannot be viewed solely through the lens of an IT solution.
Risk Managers, CFOs, General Counsels, Chief Security Officers, and even Chief Innovation Officers, among others, must be drawn into the process, both to elevate the importance of the issue and to ensure the organization can respond effectively to the increasing threats. Indeed, a recent JLT – Harvard Business Review Analytics Service collaboration revealed that only 20% of firms operate an integrated model – CISO, GC, CSO – to address these threats. [11] Just as threats operate without regard to the boundaries of organizational functions, solutions must take a similar, non-linear approach to cyber threats. Leaders at all levels must be held accountable for cyber security.
3) Develop better metrics to measure the risk
Overwhelmingly, organizations lack meaningful metrics to evaluate their cyber risk and, equally important, the ROI from their risk capital spend. To accomplish this, organizations must conduct financial stress tests. This financial stress test approach must accompany the technical / cyber maturity assessments that have become table stakes, so as to create a holistic picture of the risk. In doing so, organizations can express cyber threats in terms that enable a sophisticated risk comparison and an efficient deployment of risk capital. Said differently, organizations must measure the value created by the deployment of their risk capital – through insurance and other means – against the potential risk.
4) Employ risk transfer mechanisms to hedge the risk.
Cyber insurance solutions play a critical role in mitigating the overall risk. However, the approach cannot start with a discussion of a given insurance instrument; it must start with the appropriate measurement of the risk, as described above. In this manner, the solutions available from Cyber or Technology Errors and Omissions policies can be fully integrated within a firm’s broader strategic risk strategy.
Fundamentally, cyber insurance acts as a hedge against the intrinsic risk – a risk that is inexorably tied to an organization’s balance sheet. However, cyber insurance can only function as a compensating control that can compress balance sheet impacts if the business has conducted a financial stress test of its cyber risks. As with any risk transfer solution, the efficacy of cyber insurance depends on the level of sophistication surrounding risk identification and quantification of that risk.
In this era of perpetual cyber war, where organizations will remain challenged to respond effectively to the risks, these solutions will prove even more critical than they are today. As businesses continue to differentiate themselves around service delivery, product, price, and customer service, the analysis above suggests that the very best performing organizations will be those that differentiate themselves around risk. Cyber risk can no longer be viewed as a technical risk but must instead be viewed, and measured, as a strategic risk that poses material outcomes.
[1] Brian Krebs, “Equifax Breach: Setting the Record Straight,” Krebs on Security, 20 September 2017, https://krebsonsecurity.com/2017/09/equifax-breach-setting-the-record-straight/.
[2] Brian Barrett, “Hack Brief: HBO Shows and A Game of Thrones Script Land Online,” Wired, 31 July 2017, https://www.wired.com/story/game-of-thrones-leak-hbo-hack/.
[3] Todd Haselton, “Verizon responds to breach that affected millions of customer accounts,” CNBC, 12 July 2017, https://www.cnbc.com/2017/07/12/verizon-responds-to-breach-that-affected-millions-of-customer-accounts.html.
[4] Phil Muncaster, “Learning Platform Edmodo Investigates Reports of Major Breach,” Infosecurity Magazine, 12 May 2017, https://www.infosecurity-magazine.com/news/learning-platform-edmodo/.
[5] Arjun Kharpal, “HBO email suggesting $250,000 bitcoin payout for hackers who stole 'Game of Thrones' script is a 'delay tactic’,” CNBC Online, 11 August 2017, https://www.cnbc.com/2017/08/11/hbo-hack-game-of-thrones-ransom.html.
[6] Tim Greene, “How the Dyn DDoS attack unfolded,” NetworkWorld, 21 October 2016, https://www.networkworld.com/article/3134057/security/how-the-dyn-ddos-attack-unfolded.html.
[7] Mallory Locklear, “Google accidentally broke the internet throughout Japan,” Engadget, 28 August 2017, https://www.engadget.com/2017/08/28/google-accidentally-broke-internet-japan/.
[8] EY Report, 2016 – 2017 Global Information Security Survey, based on responses from 1,735 CIOs, CISOs, and other executives.
[10] JLT – Harvard Business Review Analytics Service Survey, September 2017.
[11] JLT – Harvard Business Review Analytics Service Survey, September 2017.