CHALLENGING THE STATUS QUO – ROADMAP FOR MOVING TO ROI-LED CYBER RISK MANAGEMENT

In an April 2021 interview with CBS’ 60 Minutes, Jerome Powell, Federal Reserve chairman, stated that cyber risk is the current risk deserving his attention “rather than something that looked like the global financial crisis [of 2008]”.

The news regarding cyber assaults on companies around the world has become all too familiar. The threat is well recognised and, as a result, organisations are spending massive amounts of money on cyber security. Yet the attacks and ensuing damages continue.

When a cyber incident occurs, executives and their boards of directors are surprised and shaken. How could this happen given their intense focus on new defensive technologies and active monitoring and analysis?

The primary emphasis of cyber solutions may actually be the problem. The root cause of many cyber risk events lies in the interrelation between technology and the other areas of the business where people, processes and third parties come into play; third parties in particular can be a blind spot because the organisation has only limited control over them. Companies attempting to drive better risk management via a three-lines-of-defence (3LoD) model have typically failed because they did not create the necessary collaboration between cyber security, their business units and enterprise risk management (ERM).

Current state of affairs

The statistics are mind-numbing. There were almost 3000 publicly reported breaches in the first three quarters of 2020, a 51 percent increase from the same period in 2019. Through Q3 2020, a record 36 billion records had been exposed, according to Risk Based Security, Inc.

Perhaps capitalising on the increased number of people working from home in 2020, ransomware attacks increased sevenfold over those detected in 2019. The average ransomware payment in Q1 2020 increased 33 percent to $111,000 compared to Q4 2019, according to Coveware.

Oct-Dec 2021 Issue

Vishal Chawla and Mark A. Delong