Why is cyber risk managed differently from the other major risks companies face? Energy companies don't spend outsized budgets hedging the risk of swings in energy prices. Well-managed energy companies spend their money extracting more value from their existing assets, ensuring profitability in any price environment. Likewise, shareholders of manufacturing companies expect the larger share of the annual budget to go toward improving processes and profits, not toward insuring and guarding the factory grounds.
Yet with cyber risk, companies don’t focus on how to improve management of their existing digital or ‘cyber’ assets. Instead, spending decisions are based on fear of hypothetical threats.
By thinking less about what can't be managed (the attacks) and more about what can be (the cost of ensuring the proper function of technology systems, i.e. 'digital assets'), companies can begin to manage cyber risk the same way they manage their other strategic risks. This subtle shift in focus is an opportunity for companies to gain firm footing in what has so far been a losing fight.
Companies have spent the last decade boasting about the value created by their "Digital Transformation" programs. Having enjoyed the profits of scale from 'going digital', most c-suites now agree, sensibly, that cyber and technology risk is a macro risk that should be overseen at the Board level. The issue is often #1 on the agenda: 38 percent of public company directors surveyed by the National Association of Corporate Directors consider cybersecurity the top threat their companies face in 2018.
Yet that same survey also indicates that cyber remains the least understood of all the risks directors face. In other words, companies know this risk is of fast-rising importance and has value-destroying potential, but they don't quite know what to do about it.
Initially, this new macro risk created an opportunity for an emerging cybersecurity industry. Fear is a strong driver of sales, especially when the threat is imminent and invisible. The accepted strategy for managing cyber risk became: the more money you throw at it, the better you will sleep at night.
Even though losses from cyber continue to outpace cyber spending by 3 to 1, most Boards continue to hope that if they spend more money fighting the threat, they will avoid the dreaded public disclosure of an embarrassing breach.
What is so bad about a negative disclosure? Evidence shows it impacts shareholder value—mainly through loss of reputation—significantly more than the actual cost of regulatory fines. When a company's stock falls relative to its peers, directors and c-suite executives get fired, lawsuits are filed, and shareholders endure months of losses until new leadership proves to the market that it is a worthy corporate steward.
Unfortunately for corporations, time is running out for the current fear-based approach to avoiding disclosures. A strong shift in public attitudes in favor of more technology regulation will bring heightened scrutiny and more forced disclosures about how companies manage their cyber risk (e.g. GDPR and California data privacy laws).
An opportunity exists for corporations to separate themselves from their peers and exhibit leadership in the risk management of their increasingly valuable digital assets. Better management starts with better measurement: what is the asset at risk, and what is it worth? New companies will emerge—like ours—that are able to help the Board, c-suite and shareholders assess the actual value of those digital assets at risk, allowing for better allocation of financial resources to manage and protect them.
In other words, future leaders in corporate governance will spend less money fearing the threat and more time managing the value of their 'cyber' assets. Shareholders who invest with these leaders will find that being ahead of the curve on this new risk actually comes from doing something the 'old way': risk management in financial terms.