Mind the Cyber Insurance Gaps

by FEI Daily Staff

Since the buck stops with the C-Suite, the CFO and senior financial executives need to understand the basics of managing cyber risk.

Nothing makes headlines like stolen credit card information, yet a potential breach of customer information is just one of many cyber risks companies need to manage.

Cyber risks can target financially relevant data, and in this world of predictive analytics, almost any data is an asset of considerable value. As a result, cybersecurity can have serious implications for a company’s revenue, market share, reputation, shareholder value and overall business performance.

As Emily Mossburg of Deloitte & Touche writes, “While CFOs are rarely appointed to lead a cybersecurity program, finance leaders may be best-positioned to establish executive awareness of the connection between cyber risk and business performance, thereby acting as important agents of change.”

Admittedly, cybersecurity is a vexing new field, and some financial executives are struggling to get their arms around the fundamental financial risks and their options for managing them.

Here are three basic ways to manage the business risk of a cyber attack:

  • Security technology
  • Computing practices
  • Insurance

As CFO, it’s simply not your job to get into the weeds of the technology. Assuming your company has hired well, IT is doing its best to detect and deflect cyber attacks. And hopefully, they’re working with the right operations people to ensure all employees are complying with best practices – strong passwords, safe computing, etc. – to resist cyber attacks.

Nor are you an insurance specialist. But given the fluid nature of the immature cyber insurance industry, cybersecurity could turn out to be your company’s financial Achilles’ heel. If there’s one area of insurance you might want to probe, this could be it.

So from the big-picture perspective, what coverage do you need to endure the unexpected? Getting the coverage right is like baking a cake you’ve never tasted from a recipe no one wrote down with ingredients that have no price tags.

There’s no industry-standard cyber insurance policy, no assurance you’ll be covered for every event, and no telling how much a breach could cost. New threats arise every day, and the insurance products are still evolving, leaving gray areas and hidden gaps in coverage.

Let’s assume you’ve read more than you need to about stolen credit cards. Rather than rehash that, let’s take a quick look at some risks that receive less media attention – ones that primarily affect you as a “first party” business operator – and some common sense measures for managing them.

Industrial/infrastructure risks – Physical property can be at stake when a hacker or cyber terrorist gains hold of the industrial controls of a plant, utility, rail system or traffic signal network.

A December cyberattack on Ukraine’s power grid caused a blackout for tens of thousands of people. The U.S. grid is said to possess similar vulnerabilities to Ukraine’s, and certainly any single utility has to accept the fact that it could be a victim. A recently fired Georgia-Pacific paper company employee in 2014 accessed computers at the company’s Port Hudson, La., mill from home, affecting the distributed control system and quality control system for machinery used to produce paper towels. Prosecutors say the damage was significant.

Industrial attacks like these are increasing, and the target is bigger than ever. In this age of the Internet of Things, a hacker could shut down a plant’s freezers, causing tons of food to spoil, or disable the air filtration systems that keep clean rooms sterile, destroying thousands of dollars’ worth of medicine or silicon wafers. Any of these would constitute far-reaching business problems for a CFO.

Denial of Service attacks – These are concerted, automated efforts to flood your website or other systems with digital requests until they wilt under the burden. Distributed denial of service (DDoS) attacks are a rapidly growing risk: In Q3 2015, California security vendor Imperva reported a 116 percent increase in the number of DDoS attacks over the previous quarter. Too often, DDoS attacks, which are not exactly a “breach,” are left unmentioned in insurance policies, leaving your company and its digital assets exposed.

Cloud risk – No matter how well you protect your systems and data, you likely rely to some degree on the practices of cloud providers and other third parties. Cyberattacks aimed at cloud deployments grew by 27 percent to 45 percent in 2014 depending on the method, according to AlertLogic.

Let’s say a U.S.-based apparel maker uses a cloud provider in India to process online purchases. That cloud provider is hacked, purchases can’t be processed for a week, and the apparel maker loses hundreds of thousands of dollars. Would the apparel maker be covered?

Surprisingly, few insurers are offering coverage that explicitly covers losses resulting from interruptions in cloud service, ISPs, third party data centers, email and telephone exchanges. It would be desirable to have coverage both for business interruption – whether caused by a cybercrime, hurricane, fire or other cause – and the cost to replace lost, stolen or corrupted data.

Property Damage a Hot Potato

Too many “cyber” policies focus only or mainly on the liability side, and not the property and business disruption sides of the insurance equation.

“Cyber-related property damage is something of a hot potato in the insurance industry, with both cyber and property lines saying the risk is not within their wheelhouse,” writes Kate Smith in Best’s Review. “And both, arguably, are correct.”

Complicating matters is the fact that property loss in a cyber attack is potentially unbounded. That is, one breach and subsequent Trojan horse infection can trigger a seemingly endless falling of dominoes throughout a supply chain or other business community.

Our Advice

Stay calm. Although headlines stoke fear, devastating cyber attacks are still relatively rare. Be methodical, strategic and deliberate.

Apply what you know. If you’re a CFO, treasurer or risk manager with experience managing financial risk, you already have much of the savvy required to manage cyber risk.

Get your IT and insurance people together. Your IT group knows all about the technology side of security, but they have little experience with insurance. That’s finance’s area, and they should guide discussions to account for financial blind spots.

Make cybersecurity a board-level concern. Cybersecurity should be an integral part of strategic planning and a consideration, both as a cost and as a risk, in every new initiative.

Make sure someone’s doing the common sense stuff. Don’t let your redundant data center be on the same earthquake fault line as your primary one. Make sure the customers and vendors accessing your systems follow the same security practices your employees do. Be certain critical systems are separate from the Internet. “I am very dismayed at the accessibility of some of these networks…they are just hanging right off the tubes,” Homeland Security official Marty Edwards has been quoted as saying.

Finally, don’t outthink yourself. Cyber threats are just one more risk among many you manage. You know how to think about risks like recession, market volatility, interest rates, talent retention, currency fluctuations and global business conditions. Just add cyber to the list. And as always, prepare for the worst, and hold on tight if the unexpected happens. Or rather, when.

Jeff Burchill is CFO of FM Global, one of the world’s largest commercial and industrial property insurers.