Cybersecurity is about risk assessment

A computer attack or security incident can have serious financial consequences (fines, damages awarded, legal proceedings, emergency investment to strengthen IT security, system recovery costs), consequences for the company's image (loss of confidence of the public and of business partners) and for its operations (denial of service, paralysis of activity).

NotPetya, WannaCry, large-scale data theft: world news in recent years has been marked by the proliferation of security incidents and computer attacks. No one is spared, and the economic consequences can be very heavy.

In view of these risks, cybersecurity is now a major concern for all businesses, regardless of their sector or size.


Cyberattacks and business risks

French law no. 2017-399 of 27 March 2017 on the duty of vigilance of parent companies and ordering companies requires large companies to establish and implement a vigilance plan.

This plan must identify the risks of, and prevent, serious harm to human rights and fundamental freedoms, to the health and safety of people and to the environment that could result from the company's activity. Such risks and harms can be caused or aggravated by cyberattacks. For example, critical business infrastructure can be taken out of service by ransomware; depending on the company's activity, the resulting stoppage may cause serious harm to people's health or safety. Taking cyber-risk into account is therefore essential when carrying out this vigilance due diligence.

The question is equally unavoidable when it comes to the processing of personal data. The General Data Protection Regulation (GDPR), applicable since 25 May 2018, reinforces the obligation of companies and their subcontractors (processors) to ensure the security and confidentiality of the personal data they process. If data are stolen by third parties, the controller must remedy the breach (which includes notifying the supervisory authority and, where the risk to individuals is high, the data subjects themselves), risks sanctions from the supervisory authority, and exposes itself to the possibility of a class action.


Is cyber-risk insurable?

Even when significant cybersecurity measures are in place, zero risk does not exist and a security incident can still occur. Its financial consequences may be impossible to absorb for a company that is not prepared. Taking out an appropriate insurance policy must therefore be part of the risk prevention policy.

For insurers, assessing cyber-risk is difficult and still in its early stages.

The insurance mechanism relies on the insurer's ability to estimate and predict reliably the financial risk associated with the covered loss by studying past claims. But IT threats evolve rapidly and constantly: attackers' methods, the types of attack and the security weaknesses they exploit change all the time. As a result, past incidents have only limited predictive value for insurers, which makes it difficult to set balanced premiums.

Today, cyber-risk is partly covered by traditional insurance policies. These contracts cover certain foreseeable consequences of computer threats. For example:

  • Property damage insurance may apply if the triggering event is a computer attack that has permanently or temporarily rendered an infrastructure of the company unusable;
  • Third-party liability insurance can cover civil liability claims arising from a computer attack: the liability of a controller in the event of a personal data breach, or contractual default following a computer attack that cripples operations.

Whether a given policy responds to a cyber event depends on its exact wording; many traditional contracts now contain explicit exclusions for losses caused by computer attacks, so each policy should be checked for such exclusions rather than assumed to apply.

At present, both supply of and demand for cyber-insurance in Europe are low but rising.

Cyber-specific insurance contracts will therefore need to develop if companies' risks are to be fully covered.


How can I better manage cyber-risks?

Insuring against cyber-risk is one element of a necessary approach to risk prevention and regulatory compliance. That approach follows a classic risk management cycle (identify, assess, treat, monitor) and is supported by various open source tools [1].

To do so, the company must inventory its critical assets (its "crown jewels") and their vulnerabilities, for example through risk mapping, vulnerability analysis and an evaluation of what is at stake for the company. The mapping should be carried out by a multi-disciplinary team drawn from within the organisation. This is the only way to achieve two important goals: first, it creates awareness by establishing ambassadors within the organisation; second, it produces a full mapping of the risks across the organisation.

This leads to greater awareness of cyber-risk exposure and makes it possible to arbitrate between spending on prevention and spending on protection.

Effective monitoring of the risks is also crucial to build a sustainable and resilient approach and to adjust the organisation's risk posture in real time.

The four key actions are:

  • Determine your cyber perimeter by understanding and considering the full ecosystem, including internal employees and external partners such as suppliers and service providers;
  • Improve your cyber threat intelligence by building a common strategy across the organisation and sharing intelligence, data and research from internal and external sources;
  • Train your workforce, and test its understanding: cybersecurity e-learning is key to helping your team understand how attackers construct social engineering attacks, and exercises such as simulated phishing campaigns measure whether the training has taken hold;
  • Report and act: a strong governance team is key to advancing cybersecurity, responding to cyber threats and further empowering management.

Hajar Diouri
Member of the EACT Cybersecurity Working group
