Cyber threats have undoubtedly become one of the greatest risks facing companies today. Exemplifying this, Marriott International has been dominating the headlines since the end of November, when it revealed that the details of more than 500 million customers had been stolen. And yet despite the scale of the incident, it is only the latest in a long line of high-profile episodes in recent years, with Uber, British Airways and Facebook among other breaches in 2018 that have resulted in hundreds of millions of dollars in financial losses. Such enormous security crises have become routine in part because leadership in many organisations is still struggling to understand how to manage cyber risk. While other factors such as financial risk have long been routinely incorporated into standard risk management processes, including board-level reporting, senior leadership all too often manages cybersecurity as a micro issue, assigned to the CIO or CISO, or confined to the IT department.
However, the truth is that cyber risk is a macro issue that impacts every aspect of a business’s operations just as much as, if not more than, financial and commercial risks. This is true because an increasing amount of any company’s value is derived from digital assets — data. Few established companies would dream of taking on a new supplier or partner without undertaking a thorough audit of their financial stability and credit rating, for example. Very few, however, will undertake the same audit of a partner or acquisition target’s IT controls and cyber management. This is now negligent, considering that some of the most serious breaches in recent years have been the result of a third party’s network vulnerabilities being taken advantage of by hackers. The Marriott breach was a result of the poorly managed, highly complex legacy IT systems of Starwood, acquired as part of the USD 13.6 billion takeover in 2016. These risks could have been identified by Marriott pre-acquisition.
The language barrier
Just as the businesses of old were forced to invest in protection for their shipping and railroad consignments to ward off pirates and robbers, the businesses of today must prioritise how data — their most valuable asset — is managed and protected from cybercriminals.
It has always taken some time for new risks to be discussed and measured in familiar terms, and cyber is going through the same process today. Businesses are accustomed to talking about financial and commercial risk, but discussion of cyber risk is often still fixated on the breaches themselves — what kind of malware was used, what defences were breached, how many files were stolen, and so on.
This ‘after the event’ audit of risk is a fruitless exercise in hand-wringing. As with the other challenges facing an organisation, proactive risk assessment and internal reporting before any such event delivers real financial benefit that goes far beyond the avoidance of fines.
How does financial exposure come into the equation? The focus is usually almost entirely on the operational, legal and regulatory costs in the wake of a breach. Regulatory costs in particular have become a more prominent concern with the introduction of the GDPR, which requires prompt disclosure when breaches occur and allows regulators to levy much greater fines.
However, focusing on fines is a short-sighted approach. In the digital age, the primary source of revenue for so many companies is their technology infrastructure. To use Marriott as an example, its value does not chiefly lie in its property, but in its loyalty cards, franchise agreements, booking systems and other technology designed to drive efficiency and monetise data. Airbnb, the second most valuable hotel chain in the world, derives none of its value from owning property. The ability to govern and protect these essential digital systems has become one of the key tenets of most organisations, whether or not their leadership understands it that way.
Changing the cyber mindset
Corporations generally only change their behaviour when presented with strong incentives, and big changes normally require both the carrot and the stick. For cyber risks, the stick comes in the form of the regulators, particularly with the new punitive powers of the GDPR.
Stock markets and the insurance industry, meanwhile, provide a couple of carrots to counterbalance the stick. The stock markets reward companies that exhibit higher quality of management over time, so companies that are seen as correctly and proactively addressing security can expect to see their value increase. Likewise, insurers reward responsible behaviour around risk with lower premiums over time.
Management quality is one of the primary drivers in determining share value. If shareholders are entrusting money to a company whose primary asset is data, and that company is mismanaging it, the results of that poor operational governance will flow from the income statement to the share price, as they always do with any risk. The unfortunate companies that must publicly disclose significant breaches, such as TalkTalk, Maersk and Equifax, suffer tens and in some cases hundreds of millions in financial losses. But this is only Part One of the story. In Part Two, these companies lose far more in shareholder value relative to peers. Maersk disclosed a financial loss of approximately USD 300 million stemming from its breach, yet the shareholder value loss was close to USD 7 billion, and it can take six to nine months to recoup the market losses relative to peers.
Most of the significant changes in business behaviour over the years are the result of the combined efforts of regulators and insurers. A prime example is the use of seatbelts, which were once seen as something of an optional extra. Within months of the release of Ralph Nader’s book Unsafe At Any Speed in 1965, President Lyndon Johnson signed the National Traffic and Motor Vehicle Safety Act, requiring the adoption of new or upgraded vehicle safety standards and creating an agency to enforce them and supervise safety recalls — radically transforming vehicle safety standards forever. Systemic change can come rapidly, and the same change is needed now for cyber.
Proactively addressing cyber risk
Rather than waiting for the market to force a change, it is in the interests of all companies and their shareholders to proactively work on changing how they approach cyber risk. One of the most important priorities is to put cyber in the same category as other macro risks such as finance, health, safety and asset protection.
Crucially, this means demanding two things: an independent audit or stress test of the organisation’s network security controls, and the translation of the identified cyber risks into financial terms. The CFO demands this from other divisions of the business, and cyber should be no different. A prospective business partner or regulator would never settle for an internal memo about health and safety saying “everything is fine”, and the same is now true for cyber. Likewise, organisations must ensure that any prospective suppliers, partners and other third parties have undergone thorough independent audits, in the same manner as they would for other financial risks.
Cyber risk reports will also improve C-suite and board-level decision-making if they are presented in commercial terms. Rather than fixating on specific technical details, cyber audits should use financial metrics, such as value-at-risk, as they would for any other macro risk. Likewise, instead of jumping to the costs of a data breach, there should be an emphasis on the active benefits of good security, such as improved productivity, stock value and insurance premiums. This should be an integral part of all major decisions, for example weighing up the profit gained from outsourcing against the supplier’s resources to adequately protect the firm’s digital assets and intellectual property.
While history has shown us that new concepts always take some time to bed in, organisations that are able to fully assess their level of risk and allocate the appropriate resources to manage it will find themselves ahead of the curve. Merging the rapidly evolving world of cybersecurity with the familiar and well-understood world of finance will help to change perceptions and establish cyber as the macro risk that it is.