Imagine you are the general counsel at a retailer involved in sensitive M&A discussions. You receive an email from one of the deal’s outside advisors. He says he needs some information about your company, the kind you’ve passed on before. You send it along — and later find that you were victimized in a sophisticated cyber-attack aimed at stealing sensitive information.
Or imagine you are the operations manager at a distribution center for an expanding restaurant chain. Shortly after a new contractor did some work in your facility to modify an automated system, you noticed a glitch in how your orders were processing. Turns out the contractor had poor cybersecurity controls, and their equipment infected your operation with malware.
The events described above underscore the new realities in cyber risk management: It’s not just an IT issue, and not all attacks are aimed at a company’s POS system. Everyone — from individual employees to store managers to the board — has a stake in managing cyber risk comprehensively, across the enterprise.
That’s not to say that cyber risk from POS systems is not significant: It remains a prime avenue for hackers and the main platform for retailers’ customer transactions. And retailers remain lucrative targets for cyber-attacks due to the amount of customer financial information they hold via the credit card transactions process.
But other exposure areas exist, from personal health data in drug stores to trade secrets to potentially market-moving information on new products, acquisitions, and management decisions.
It’s safe to say that awareness is increasing that cyber risk needs to be addressed comprehensively across organizations. And yet, less than one-third of companies believe they have identified their key stakeholders, according to a poll of risk professionals taken during a recent Marsh webcast on cybersecurity.
When asked if they were “confident that the organization has identified all of the key stakeholders to our cyber risk management strategy and that they understand their roles,” more than 250 risk professionals responded, with:
• 31% saying yes;
• 33% saying no; and
• 36% saying they weren’t sure.
If your company is not sure that all of the key stakeholders have been identified — risk manager, CEO, CFO, HR, IT, operations, the board, and beyond — then your organization could be in for an unwanted and costly surprise.
A Cyber Risk Management Framework
In addition to recognizing the importance of key stakeholders, a three-pronged risk management approach to cybersecurity is advised:
1. Assess: A thorough understanding of your risk profile is critical, and that means more than the typical compliance audit. You need to inventory cyber-vulnerable assets, identify new and emerging threats — internal and external — and model an event’s potential impact.
2. Manage: Cyber risk management typically requires a balance of three things:
• Prevention — to stop cyber-attacks from succeeding;
• Preparation — to make sure you are ready when an event happens; and
• Risk transfer — to transfer the exposure off your balance sheet.
3. Respond: A quick, effective reaction to an attack is essential, and the decisions you make after an event can have lasting implications.
Within that framework, there is a place for all stakeholders to play their part.
Cyber Insurance
Cyber insurance is a key part of managing the financial consequences of cyber risk. The cyber insurance market is growing across all sectors and shows no signs of abating. For retailers, the drumbeat of costly cyber events has meant a steady increase in pricing over the past year.
According to a recent Marsh report, retail clients paid, on average, 32% more for standalone cyber insurance in the first half of 2015 than they did in the same period in the prior year.
It’s thus important to be able to quantify, as much as possible, the potential costs that a cyber event may have across all business units. Analysis and assessment tools are available to help quantify the financial impacts by business, sector, and other areas. Such analysis is a key to understanding what type of coverage and limits are right for your company.
Consequences of a cyber-attack can be damaging to an organization and range from far reaching financial costs to reputational risks. Retailers should ensure they are adequately prepared to manage the impacts of a cyber-attack.
Mac Nadel is U.S. retail/wholesale food & beverage practice leader for Marsh, a global leader in insurance broking and risk management.
This information is not intended to be taken as advice regarding any individual situation or as legal, tax, or accounting advice and should not be relied upon as such. You should contact your legal and other advisors regarding specific risk issues. The information contained in this publication is based on sources we believe reliable but we make no representation or warranty as to its accuracy. All insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. Marsh makes no representations or warranties, expressed or implied, concerning the application of policy wordings or of the financial condition or solvency of insurers or reinsurers.