How Companies Shelter Themselves from Cyber Risk

OPINION

THERE ARE THREE ELEMENTS TO CONSIDER WHEN EVALUATING CYBER RISK MANAGEMENT: EXTERNAL REGULATION, DIGITAL DEPENDENCY, AND THE INTERNAL RESOURCES THAT CAN BE DEPLOYED. THIS IS WHY EVERY COMPANY HAS ITS OWN CYBERSECURITY STRATEGY

by Gianluca Salviotti, SDA Bocconi School of Management
Translated by Alex Foti
Cyber risk is one of the main financial risks in the current economic scenario. In its annual Global Risk Report, the World Economic Forum puts the risk of cyber-attacks in third place in terms of probability of occurrence for the current year, a very marked increase compared to 2017. In fourth place we find the risk of data theft/massive data loss, which is linked to the previous one and also rising in importance.

Furthermore, in an analysis of the main operational risks for the financial industry published on Risk.net, the risks of «IT disruption» and «Data compromise» are ranked first and second, respectively. In Italy, cyber risk is becoming an issue of national debate and government attention, to the point of receiving a dedicated section in the country’s Report on Information Security Policy. The document highlights a substantial effort, the fruit of collaboration between public and private institutions, aimed at protecting Italy’s critical infrastructures and technological know-how.

National intelligence has detected vulnerabilities in the information systems of major organizations, which expose them to the threat of espionage or sabotage. However, the number of cyber security incidents detected increased in 2017 compared to 2016, banking being the only exception (-11%). One of the industries that has suffered most from the increase in cyber-attacks is pharma (+10%), a recurrent target of activist hackers. Utilities (+4%) and the defense industry (+1%) follow. It is also worth noting that the telecommunications, transportation and large-scale retail industries have become victims of cyber-security breaches (+3%).

Today governments, institutions and individual companies have to deal with cyber risk in a concrete and pragmatic way. The concept of concreteness is associated with that of coherence. In other words, the intensity of the cyber risk management effort must be evaluated along three dimensions: first, compliance with regulations, whether national or industry-level, which require certain cyber risk management procedures and tools; second, how much the organization depends on digital resources; third, the resources actually available within the firm to guarantee a level of protection that is in line with the risk appetite of those who hold the reins of corporate governance.

A joint analysis of these three dimensions is a useful exercise when choosing the optimal approach to cyber-security risk management. Let’s carry out the reasoning by considering two extreme cases.
 
On the one hand, consider a business operating in a context subject to strong regulation with respect to IT risk management, heavily dependent on digital processes, and with significant resources to match its exposure to cyber risk with the risk profile desired by top management. For example, think of a bank. In this case, without a doubt, an advisable approach (which in this case is also mandatory) is drafting a risk management manual. However, even in cases like this there are still open issues, such as corporate governance bodies generally neglecting the importance of cyber-security, as demonstrated by a recent Harvard research study.

On the other hand, imagine the case of a company that operates in a context not subject to industry-specific regulations, not very dependent on information technology, and with scarce resources at its disposal to give stakeholders an adequate level of protection from cyber risk. Think of a small, family-run manufacturing firm. How should it deal with the threat coming from cyberspace? Help comes today in the form of insurance policies: insurance companies have designed products that mitigate the economic impact of a given number of days of downtime, as well as policies that compensate for damages of an administrative or legal nature caused by cyber-attacks.

Outside these extreme cases, however, there is no single recommendable approach to cybersecurity. At an academic conference, someone once said: "Risk, like beauty, is in the eye of the beholder", meaning that each company must develop its own approach to risk management, linked to the level of risk that entrepreneurs or boards of directors are willing to tolerate in their pursuit of business goals.