“Girly, tough ain’t enough.”
– Frankie Dunn (Clint Eastwood) in Million Dollar Baby
A research study by AIG conducted in the UK indicates that 84% of company directors believe that their IT department is able to protect their company from a cyber attack. And they are surely not alone, as most of us probably still associate the task of safeguarding valuable data with the IT function. Commercials for security products often use metaphors and imagery to suggest that their IT product/service’s tough-guy approach will get the job done. But as Clint Eastwood’s Frankie Dunn, the curmudgeonly boxing coach in Academy Award winner Million Dollar Baby tells wannabe fighter Maggie Fitzgerald (Hilary Swank), sometimes “tough ain’t enough.”
While day-to-day responsibility for cyber protection may lie with the IT and security teams, strategy and response need to have ownership across silos and functions. Hence they need board-level engagement.
The changing landscape of cyber risk
Despite the high level of confidence in the (obviously essential) role that the IT department plays in cyber defense, the cyber threat landscape continues to evolve rapidly, prompted by society’s ever growing dependence, socially and economically, on all things digital. Originally viewed as primarily a threat to data breach/loss, the impact of cyber attacks has widened considerably to include business interruption, theft of intellectual property and other issues. This rapid escalation in threat levels has prompted the evolution of cyber risk from being primarily an IT threat to an enterprise wide management issue needing board-level attention.
Four themes emerged from AIG’s research that highlight the need for many large companies to take a closer look at how they are managing cyber risk – and at how they might decrease that risk even further.
Cyber security issues should be more prominent in discussions at the board level
The issue among board members at large companies is not a lack of awareness of cyber threats. More than four out of five (82%) senior business leaders in the UK said they know at least a “fair amount” about their company’s cyber security governance and risk management framework. However, barely a quarter (26%) of UK companies said they discuss cyber security policy on a regular basis in board meetings, and more than half (52%) either rarely or never discussed it. This is potentially a recipe for disaster.
Part of the problem is that companies are split over where responsibility for cyber security lies. Less than one in ten (9%) UK companies maintains overall responsibility for cyber security at the board level. Fortunately, an additional 43% do give ownership of the issue to a key board member. Nevertheless, almost half do not, and more than a third (36%) still designate maintenance of cyber security as an IT department function. However, what we have learned from large breaches is that it takes an enterprise-wide effort to minimize the number of attacks and to mitigate damage from attacks that do occur.
The legal implications of a cyber breach is not well understood among directors
A very high percentage (86%) of the UK executives interviewed felt they had a strong understanding of the financial implications of a digital breach for their companies. However, roughly one-third said they were not very confident about their grasp of the legal ramifications for the company – and themselves – subsequent to a breach. This is problematic since, depending on a country’s regulatory environment, boards and management may potentially be liable for this kind of risk. In the US, for example, shareholder lawsuits have been filed against boards following large scale data breaches.
High levels of stated confidence in company IT departments vis-à-vis data breach protection may be misplaced
As noted earlier, 84% of UK company directors and executives believe that their IT departments alone can protect their company from cyber attack1. Nevertheless, almost half (45%) of the UK companies surveyed have already experienced a cyber security breach. And 62% believe it likely that their company will suffer an attack within the next 12 months. So even on an empirical basis it’s clear that the IT department alone is not providing as much protection as would be desirable from cyber attack. Again, the only way to strengthen security is by implementing a company wide cyber risk management program with top-down ownership at the board level.
Internal company threats cause a significant number of serious breaches
When most of us think of cyber attacks, we have in mind criminals and hackers, and indeed, these groups form the highest cases of perceived threats to data security among those interviewed. Nevertheless, in a recent study by the European Centre for Media, Data and Society2, over half (56%) of European data breaches from 2005-2014 involved company employees or other areas internal to the organization (administrative errors, hardware issues, theft, etc.). Criminal hackers accounted for the remaining 42% of cases.
Of the UK companies surveyed, only 44% had cyber insurance in place. But as the results of the survey suggest, cyber security risk management and associated insurance need to be a central point of discussion at the board level for large companies. It is only at this level that broad policies can be put together that work synergistically to provide protection. And it is only at this level that gaps in insurance coverage can be found and rectified systematically, so that maximum protection is provided.
A tough, robust IT department will always play an important role in the cyber security management matrix. But as threats continue to evolve, tough will no longer be enough: board level involvement in managing cyber risk and related insurance coverage is essential.
1 “Cyber: Joined up?” AIG CyberEdge white paper. The paper was authored by Mark Camillo, Head of Cyber and Professional Indemnity, EMEA at AIG Europe Limited. Results based on more than 100 face-to-face interviews with respondents from very large companies in the UK. Respondents were C-suite members and other executive board directors. Interviews were conducted between September and December 2014.
2 Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005-2014 – Center for Media, Data and Society, 2014.
Date Published: 7/18/2016