Cybersecurity is about risk assessment

A computer attack or security incident can have serious financial consequences (fines, damages and interest paid, legal proceedings, emergency investments to enhance IT security, system recovery costs), consequences on the image of the company (loss of confidence of the public and business partners) and on its functioning (denial of service, paralysis of the activity).

NotPetya, WannaCry, large-scale data theft: world news in recent years has been marked by the proliferation of security incidents and computer attacks. No one is spared, and the economic consequences can be very heavy.

In view of these risks, cybersecurity is now a major concern for all businesses, regardless of their field of activity or size.


Cyberattacks and business risks

The French law 2017-399 of 27 March 2017 on the duty of vigilance of parent companies and ordering companies requires large companies to establish and implement a vigilance plan.

This plan should aim to identify the risks and prevent serious harm to human rights and fundamental freedoms, to the health and safety of people and to the environment that could be caused by the company's activity. Such risks and harms can be caused or aggravated by cyberattacks. For example, critical business infrastructure can be taken out of service by ransomware, and the consequences of this blockage may, depending on the company's activity, cause serious injury to the health or safety of people. Taking cyber-risk into account is therefore essential in the context of a safety due diligence.

The question is also unavoidable when it comes to the processing of personal data. The European General Data Protection Regulation (GDPR), applicable since 25 May 2018, reinforces the obligation of companies and their subcontractors to ensure the security and confidentiality of the personal data they process. If data are stolen by third parties, the controller will have to remedy the data breach, may incur sanctions from the supervisory authority, risks a class action, and so on.


Is cyber-risk insurable?

Even when significant cybersecurity measures are in place, zero risk does not exist, and a security incident can occur. Its financial consequences may be impossible to overcome for a company that is not prepared. Taking out an appropriate insurance policy must therefore be part of the risk prevention policy.

For insurers, assessing cyber-risk presents difficulties and remains at an early stage.

The insurance mechanism is based on the insurer's ability to reliably estimate and predict the financial risk associated with the covered loss by studying past claims. But IT threats evolve rapidly and constantly: the operating methods of attackers, the types of attacks and the security breaches exploited change all the time. As a result, insurers find only limited predictive value in the study of past incidents, which makes it difficult to set balanced insurance premiums.

Today, cyber-risk is partially covered by traditional insurance policies. These contracts cover certain foreseeable consequences of computer threats. For example:

  • Property damage insurance contracts may apply if the operative event is a computer attack that has permanently or temporarily rendered an infrastructure of the enterprise unusable;
  • Third-party liability contracts can cover civil liability claims arising from a computer attack: the liability of a controller in the event of a personal data breach, or a contractual default following a crippling computer attack.

Currently, both supply and demand for cyber-insurance in Europe are low but rising.

However, cyber-specific insurance contracts will need to develop further in order to cover all the risks companies face.


How can I better manage cyber-risks?

Addressing cyber-risk is part of a necessary approach to risk prevention and regulatory compliance. It follows a classic risk management cycle and is supported by various open source tools [1].

To do so, it is necessary to take inventory of the company's critical assets (the "crown jewels") and their vulnerabilities, for example through risk mapping, vulnerability analysis and evaluation of what is at stake for the company. The mapping should be done by a multi-disciplinary team from within the organisation. This is the only way to reach two important goals: first, it creates awareness by having ambassadors within the organisation; second, it yields a full mapping of the risks across the organisation.

This leads to a greater awareness of cyber-risk exposure and also allows for an informed trade-off between prevention and protection spending.

Effective monitoring of the risks is also crucial to build a sustainable and resilient approach and to adjust in real time the organisation’s risk posture.

The four key actions are:

  • Determine your cyber perimeter by understanding and considering the full ecosystem, including internal employees and external partners;
  • Improve your cyber threat intelligence by building a common strategy across the organisation and sharing intelligence, data and research from internal and external sources;
  • Train (and test the understanding of) your workforce: cybersecurity e-learning is key to helping your team understand how attackers build their social engineering schemes;
  • Report and act: a strong governing team is key to advancing cybersecurity, responding to cyber threats and further empowering management.

Hajar Diouri
Member of the EACT Cybersecurity Working group
