Cybersecurity is about risk assessment

A computer attack or security incident can have serious financial consequences (fines, damages awarded, legal proceedings, emergency investment to strengthen IT security, system recovery costs), reputational consequences (loss of confidence among the public and business partners) and operational consequences (denial of service, paralysis of the activity).

NotPetya, WannaCry, large-scale data theft: world news in recent years has been marked by the proliferation of security incidents and computer attacks. No one is spared, and the economic consequences can be very heavy.

In view of these risks, cybersecurity is now a major concern for all businesses, regardless of their field of activity or size.


Cyberattacks and business risks

The French law 2017-399 of 27 March 2017 on the duty of vigilance of parent companies and contracting companies requires large companies to establish and implement a vigilance plan.

This plan must identify risks and prevent serious harm to human rights and fundamental freedoms, to the health and safety of people, and to the environment that could result from the company's activity. Such risks and harms can be caused or aggravated by cyberattacks. For example, critical business infrastructure can be taken out of service by ransomware, and depending on the company's activity this blockage may cause serious injury to the health or safety of people. Taking cyber-risk into account is therefore essential to any safety due diligence.

The question is equally unavoidable for the processing of personal data. The General Data Protection Regulation (GDPR), applicable since 25 May 2018, reinforces the obligation of companies and their processors to ensure the security and confidentiality of the personal data they process. If data are stolen by third parties, the controller must remedy the breach, faces sanctions from the supervisory authority, runs the risk of collective legal action, and so on.


Is cyber-risk insurable?

Even when significant cybersecurity measures are in place, zero risk does not exist, and a security incident can occur. Its financial consequences may be impossible to absorb for a company that is not prepared. Taking out an appropriate insurance policy must therefore be part of the risk prevention policy.

For insurers, assessing cyber-risk is difficult and still at an early stage.

The insurance mechanism relies on the insurer's ability to estimate and predict reliably the financial risk associated with the covered loss by studying past claims. But IT threats evolve rapidly and constantly: the operating methods of attackers, the types of attack and the security weaknesses they exploit change all the time. As a result, the study of past incidents has only limited predictive value for insurers, which makes it difficult to set balanced premiums.

Today, cyber-risk is partially covered by traditional insurance policies, which cover certain foreseeable consequences of computer threats. For example:

  • Property damage policies may apply when the triggering event is a computer attack that has permanently or temporarily rendered company infrastructure unusable;
  • Third party liability policies can cover civil liability claims arising from a computer attack: the liability of a controller in the event of a personal data breach, or contractual default following an attack that cripples operations.

At present, both supply and demand for cyber-insurance in Europe are low but rising.

Cyber-specific insurance contracts will nevertheless need to develop in order to cover the full range of risks companies face.


How can I better manage cyber-risks?

Insuring against cyber-risk is part of a necessary approach to risk prevention and regulatory compliance. It follows the classic risk management cycle and is supported by various open source tools [1].

The first step is to take inventory of the company's critical assets (its "crown jewels") and their vulnerabilities, for example through risk mapping, vulnerability analysis and an evaluation of what is at stake for the company. The mapping should be carried out by a multi-disciplinary team drawn from within the organisation. This is the only way to reach two important goals: it creates awareness by having ambassadors within the organisation, and it produces a full mapping of the risks across the organisation.

This leads to greater awareness of cyber-risk exposure and also allows a trade-off to be made between prevention and protection spending.

Effective, continuous monitoring of the risks is also crucial to build a sustainable and resilient approach and to adjust the organisation's risk posture in real time.

The four key actions are:

  • Determine your cyber perimeter by understanding and considering the full ecosystem, including internal employees and external partners;
  • Improve your cyber threat intelligence by building a common strategy across the organisation and sharing intelligence, data and research from internal and external sources;
  • Train (and test the understanding of) your workforce: cybersecurity e-learning is key to helping your team understand how attackers build their social engineering campaigns;
  • Report and act: a strong governing team is key to advancing cybersecurity, responding to cyber threats and further empowering management.

Hajar Diouri
Member of the EACT Cybersecurity Working group
