The Convergence of Cybersecurity, Compliance, and Enterprise Risk Management
When you survey business leaders on significant risks, they invariably cite cybersecurity as number one and anti-corruption as number two. For global businesses, this makes total sense. Cyber-crime damage is estimated to hit $6 trillion annually by 2021, according to a study by Cybersecurity Ventures (here). Information security and prevention are now required to protect a company from serious financial and operational harm.
We are in the midst of a real transformation in ownership and responsibility for cybersecurity as an emerging enterprise risk. It does not take a rocket scientist to figure out that cybersecurity attacks can devastate a global business, cause serious harm to a company’s reputation, and damage large numbers of consumers. Last year’s cyber hack and data breach against Equifax is an important reminder of how much harm a company can suffer for failing to protect its sensitive information.
A global company has to develop a comprehensive strategy across various functions to protect the company from any cybersecurity harm. The natural internal leaders for this effort include chief compliance officers, information technology security officers (CISOs), and the chief legal officer. A strategy has to include proactive and reactive tasks and functions.
At the outset, the company has to identify and measure its cybersecurity risks, taking into account external and internal threats and vulnerabilities. In this respect, the evolving nature of external cybersecurity threats has to be updated and monitored on an ongoing basis. In addition, the company has to examine carefully its internal cybersecurity vulnerabilities and implement risk mitigation strategies.
Based on the nature of these risks and vulnerabilities, an annual cybersecurity compliance plan has to identify the potential threats and risks based on information technology risks and specific vulnerabilities.
For example, based on an external threat assessment, a company may determine that it is vulnerable to malware attacks from phishing scams either directly to its employees or even its third parties. As a result, a company may devote a significant effort to training its employees to avoid and reject phishing scams. If the company may have a vulnerability to such an attack from a third party who has inadequate security technology or protocols in place may have to seek remediation by the third party as well as conduct training to avoid common phishing techniques.
Aside from proactive measures, including security technology and measures to prevent attacks and training of employees to avoid potential malware attacks, companies have to develop a crisis management strategy to respond to any significant breach or loss of confidential information. Depending on the type of information or harm from a cyber-attack, the company has to coordinate compliance, legal, information technology, public relations, business, senior executives and board members to implement a coordinated response to a cyber-attack. Such an attack, if harmful, will require key players to remediate the problem, communicate with key stakeholders in an effective manner, and then stabilize the company’s business operations. As part of this response strategy, a company has to maintain significant insurance against a cyber-attack.
Chief compliance officers have to forge a close working relationship with information technology departments and bring in required expertise to asses a company’s vulnerabilities. CCOs have a natural role to play in this area, like any other significant risk to the business, and can employ professional skills to adopt creative proactive and reactive strategies.