Imagine you’re the CFO at a firm involved in sensitive merger or acquisition discussions with your bankers, and you receive an email asking for a small piece of nonpublic information about your company, the kind you’ve passed along before. You send the information, and later find you were the victim of a sophisticated cyber attack.
Now imagine you’re in charge of operations at a manufacturing facility. Out of the blue, your employees report that they have lost control of key systems. It’s impossible to shut down a blast furnace correctly, endangering the safety of employees and others and threatening massive damage. You, too, have been the target of a cyber attack.
These events underscore the new reality in cyber risk management: It’s no longer just an IT issue. Everyone—from individual employees to risk managers to your board of directors—now has a stake in managing cyber risk comprehensively, across the enterprise.
Read on to learn about the seven key stakeholders other than the IT professionals to consider as you look at your cyber risk management strategy.
1. Risk manager: Risk managers can ensure the various stakeholders are connected in assessing, managing, and responding to cyber threats. They also typically have the best understanding of the evolving cyber insurance market and of the company’s other risk-financing options. Even if they’re not technology experts, they understand risk, so they’re usually the best positioned to coordinate cyber risk management across the company.
2. CEO/Board of Directors: The CEO and the company’s board of directors may have a fiduciary duty to assess and manage cyber risk. Regulators, including both the Securities and Exchange Commission and the Federal Trade Commission, have increasingly made clear their expectation that top leadership be engaged on the issue. Shareholders may be starting to demonstrate similar expectations.
3. CFO: From a financial perspective, concerns may range from the potential costs of a cyber event, to its impact on the bottom line, to the security of the company’s sensitive financial information.
CFOs should also critically evaluate the costs and benefits of growing investment in cyber security, so that spending drives the most efficient improvements to the company’s overall cyber risk profile.
4. Legal/Compliance: As regulations around cyber risk develop, legal and compliance roles become increasingly important in evaluating those regulations and informing corporate policy.
If a cyber incident occurs, lawsuits often follow within hours. Legal and compliance teams can help drive an appropriate breach response.
5. Operations: Key operations managers are often a first line of defense against cyber events. Should an event occur, they are critical to supporting the response and helping maintain daily operations, business processes, and workplace stability.
6. Human Resources/Employees: The human element of cyber risk cannot be overlooked. Simple errors—or deliberate actions—by employees can lead to costly cyber incidents. Training on best practices is critical, especially with the rise in sophisticated “spear phishing” attacks targeting specific employees.
And in an era of Bring-Your-Own-Device, employers should have a plan for dealing with personal devices used by employees who leave the company.
7. Customers/Suppliers: Interactions with customers and vendors can expose you to attack. You need to understand the protections they have in place so they don’t become the weak point in your cyber defenses.
Because cyber risk can arise anywhere along the supply chain, your contracts should spell out how the parties will respond to a cyber event together.
Protecting your organization’s data and individuals’ privacy is becoming more difficult by the day. Successful cyber defense strategies are comprehensive and multi-pronged. A critical component requires understanding and defining the roles and responsibilities of all key stakeholders.
Tom Reagan is the Cyber Practice leader within Marsh’s Financial and Professional Products (FINPRO) Specialty Practice. Located in Marsh’s New York office, Tom oversees client advisory and placement services for cyber risk throughout the country. In addition to his management responsibilities, Tom also serves as the senior cyber advisor for some of Marsh’s largest clients. This article was first published on Marsh’s website.