It’s also important to note that by 2020 cyber losses will amount to far more than data – they are sure to include financial, health, safety, and security information. We are rapidly entering the age where free credit reporting as a consumer-facing recovery strategy will do more harm to brands than good.
To be sure, large and publicly traded companies are getting better at recognizing the cybersecurity threat and at inoculating their data systems against a computer breach. But some boards are still too quick to relegate the issue to the IT department and fail to appreciate that cyber attacks represent a risk that could decimate the entire company.
“Is the CEO and the board committed to cybersecurity or is it just another line item that will get funded, but without the personal leadership that’s required?” asks Jim Trainor, senior VP for Aon Risk Solutions and former assistant director for the cyber division at the Federal Bureau of Investigation (FBI).
When it comes to cybersecurity, there’s now an onus on boards and C-suite executives to establish accountability and delineate clear lines of communication.
Jamie Barnett, Rear Admiral (Ret.), Co-Chair of Venable's Telecommunications Group and a partner in the firm's Cybersecurity Practice, said, “Our collective mindset has been that cybersecurity is an information technology (IT) thing, but we have to drive it into enterprise-wide risk management. It is part of finance, sales, human resources and every other aspect of the risk of the business—and it must be managed that way.”
Judy Selby, managing director, Technology Advisory for BDO, a global accounting and management consulting firm, points out that the problems associated with cybercrime “need to be communicated in ways that boards will understand. Going into a board room and starting to speak in tech jargon may not be the best approach… You have to use the information you have as an asset.”
She argues that companies should also insist on crisis management planning for cybersecurity, which can help extrapolate a company’s level of risk and its readiness to combat a cyber attack.
“Expect the effect to be the opposite of silos,” Selby says, regarding adequate cyber defenses. “You need a team approach to plan for cyber attacks and fix them once there’s a breach. You also need a readiness for [cybersecurity] regulations.”
Carefully monitoring regulations is especially relevant to corporations doing business in the European Union (EU). New rules that take effect next year will increase the EU’s data security penalties to four percent of global annual revenue.