Cyber Risk Management No Longer Just an IT Issue
Imagine you are the general counsel at a retailer involved in sensitive M&A discussions. You receive an email from one of the deal’s outside advisers. He says he needs some information about your company, the kind you’ve passed on before. You send it along, and later find that you were the victim of a sophisticated cyber attack aimed at stealing sensitive information.
Or imagine you are the operations manager at a distribution center for an expanding restaurant chain. Shortly after a new contractor did some work in your facility to modify an automated system, you notice a glitch in how your orders are processing. It turns out the contractor had poor cyber-security controls, and their equipment infected your operation with malware.
The events described above underscore the new realities in cyber risk management: It’s not just an IT issue, and not all attacks are aimed at a company’s point-of-sale (POS) system. Everyone — from individual employees to store managers to the board — has a stake in managing cyber risk comprehensively across the enterprise.
That’s not to say that cyber risk from POS systems is not significant: It remains a prime avenue for hackers and the main platform for retailers’ customer transactions. And retailers remain lucrative targets for cyber attacks because of the volume of customer payment card data that passes through their transaction processing.
But other exposure areas exist, from personal health data in drug stores to trade secrets to potentially market-moving information on new products, acquisitions and management decisions.
It’s safe to say that awareness is increasing, and cyber risk needs to be addressed comprehensively across organizations. And yet, fewer than one-third of companies believe they have identified their key stakeholders, according to a poll of risk professionals taken during a recent Marsh webcast on cyber security.
When asked if they were “confident that the organization has identified all of the key stakeholders to our cyber risk management strategy and that they understand their roles,” more than 250 risk professionals responded, with:
31% saying yes;
33% saying no; and
36% saying they weren’t sure.
If your company is not sure that all of the key stakeholders have been identified — risk manager, CEO, CFO, HR, IT, operations, the board and beyond — then your organization could be in for an unwanted and costly surprise.
A CYBER RISK MANAGEMENT FRAMEWORK
In addition to recognizing the importance of key stakeholders, a three-pronged risk management approach to cyber security is advised:
1. Assess: A thorough understanding of your risk profile is critical, and that means more than the typical compliance audit. You need to inventory cyber-vulnerable assets, identify new and emerging threats — internal and external — and model an event’s potential impact.
2. Manage: Cyber risk management typically requires a balance of three things:
Prevention — to stop cyber attacks from succeeding;
Preparation — to make sure you are ready when an event happens; and
Risk transfer — to transfer the exposure off your balance sheet.
3. Respond: A quick, effective reaction to an attack is essential, and the decisions you make after an event can have lasting implications.
Within that framework, there is a place for all stakeholders to play their part.
CYBER INSURANCE
Cyber insurance is a key part of managing the financial consequences of cyber risk. The cyber insurance market is growing across all sectors and shows no signs of abating. For retailers, the drumbeat of costly cyber events has meant a steady increase in pricing over the past year.
According to a recent Marsh report, retail clients paid, on average, 32% more for stand-alone cyber insurance in the first half of 2015 than they did in the same period in the prior year.
Thus, it’s important to be able to quantify, as much as possible, the potential costs that a cyber event may have across all business units. Analysis and assessment tools are available to help quantify the financial impacts by business, sector and other areas. Such analysis is a key to understanding what type of coverage and limits are right for your company.
Consequences of a cyber attack can be damaging to an organization and range from far-reaching financial costs to reputational risks. Retailers should ensure they are adequately prepared to manage the impacts of a cyber attack.
Mac Nadel is U.S. retail/wholesale food and beverage practice leader for Marsh, a global leader in insurance broking and risk management.
(The information in this article is not intended to be taken as advice regarding any individual situation or as legal, tax or accounting advice and should not be relied upon as such. Contact your legal and other advisers regarding specific risk issues.)