• Cyber crimes are set to cost governments and organizations $10 trillion by 2025.
• As new cyber threats emerge, boards of directors must develop cyber risk plans to ensure their organizations have greater cyber resilience.
• Cyber risk strategies should align to financial analysis using clear and understandable language.

American industrialist Henry Ford II once said that “The best we can do is to size up the chances, calculate the risks involved, estimate our ability to deal with them, and make our plans with confidence.” While Ford and others in the American Industrial Revolution faced vastly different risks from those of today’s digital business landscape, understanding the uncertainties of risk and how best to manage them remains a critical factor in business success.

In their 2020 Board of Directors Survey, Gartner, Inc. found that directors see cybersecurity as the second-greatest threat to their businesses, right after regulatory compliance risks. Cyber crime already cost the world at least $6 trillion in 2021 and could lead to over $10 trillion worth of annual damages by 2025. Jerome Powell, US Federal Reserve Chair, recently emphasized that “the risk that we keep our eyes on now most is cyber risk.”

Cyber crime will continue to disrupt and bring uncertainty to the global economy. To curb these threats, boards must implement effective strategies to manage their financial exposure and mitigate business impacts. The digital transformation strategies organizations develop must keep pace with today’s cyber security threats and proactively guard against severe disruptions.

[Image: Board members should work alongside management to develop cyber resilience plans. Image credit: Benjamin Child]

A path to cyber resiliency

As cyber threats escalate and evolve, businesses are bolstering their cyber security budgets. For them to see proper returns on these hefty investments, clear and effective strategies to counter cyber crime must be in place. Clarifying the cyber crime conversation in the boardroom is the first step. Effective communication is a cornerstone of positive outcomes in business, and developing a common language for discussing the complex issues of cyber risk is essential to achieving cyber risk resilience. This requires translating confusing technical discussions, loaded with nuanced security terms, into precise economic analysis that shows how cyber attacks endanger the organization financially in the short and long term.

Building cyber resiliency in an organization requires proper oversight from the boardroom, based on a clear plan built on economic analysis. Industries such as insurance are basing the cyber risk evaluations in their underwriting standards on established and understandable financial exposure analyses. In doing so, insurers are shifting the cyber conversation from a highly technical, ambiguous security discussion to one in which businesses can understand and effectively manage their financial exposure in relatable business terms. If the financial exposure from cyber threats is clear, boards will find it easier to align cyber security strategies with economic cyber risk metrics.

When formulating their cyber resiliency plans, boards would do well to ask management questions like:

• “What is our financial exposure to cyber threats?”
• “What cyber threats are most likely to have a major financial impact on our business?”
• “How much financial exposure are we willing to accept across our enterprise and digital supplier ecosystem?”
• “How can we align our budget, implement controls, and optimise risk transfers to address our cyber risk exposure?”
• “Are our digital initiatives being developed in a cyber-resilient way?”

Defining the organization’s cyber risk appetite in financial terms, based on its unique risk profile, and defining effective remediation and mitigation steps to reduce financial exposure are important initial steps when planning for cyber resiliency. Boards should keep certain items on the cyber resiliency agenda in their discussions with management. On an ongoing basis, the board should keep abreast of how management uses return-on-investment analysis to align the cyber security budget with reducing financial exposure. Likewise, the board should oversee the steps taken to implement the cyber security strategy in practice.

It’s important to remember that the success of a financial approach to cyber risk oversight will vary based on personnel experience and an organization’s cyber security maturity level. Nevertheless, working alongside management in this manner can be an effective way for organizations to address the financial impact of cyber threats.

The evolving regulatory environment

In 2018, the US Securities and Exchange Commission issued guidance on public company cybersecurity disclosures to assist businesses in preparing disclosures related to cyber risks and incidents. This guidance points to several recommended disclosure areas, including the probability of a cyber occurrence and the potential magnitude of cyber incidents. It also addresses which aspects of the company’s business and operations carry material cyber risks, along with the potential costs and consequences of those risks. Finally, it seeks clarity on the adequacy of preventative actions taken to reduce cyber risks and their associated costs, including the company’s ability to prevent or mitigate certain cyber risks.

Existing regulations and emerging policies pressure public companies to address cyber challenges head-on. Ever-growing systemic cyber risk exposures lead to a growing number of legislative hoops to jump through. Effective cybersecurity programs will allow companies to stay ahead of the curve and in line with current legislation. A cyber resiliency plan built on financial exposure analysis will set the groundwork for trustworthy corporate disclosures aligned to regulatory requirements.

The US Securities and Exchange Commission (SEC) is developing a cybersecurity risk governance proposal to tighten the screws on incident reporting and cyber hygiene. More robust enforcement action from the SEC will encourage organizations to develop their policies and procedures to manage and minimise cyber-risk exposure. Organizations will be motivated to write internal guidelines and proactively set up defences in line with emerging cybersecurity technologies.