The Washington D.C.-based Center for Strategic and International Studies estimates that cybercrime costs the global economy $45 billion a year. The 2015 AFP Risk Survey, produced in partnership with Oliver Wyman, part of Marsh & McLennan Companies, found that 34 percent of companies had been subjected to a cyberattack in the last 18 months. For most corporate leaders, the well-publicized cybersecurity breach at Sony that took place in late 2014 was simply the latest instance of a type of crime that has risen to the top of their agendas.
In the new CTC Guide to Cybersecurity: Setting a Cyberrisk Management Strategy, supported by Marsh & McLennan Companies, organizations are presented with the means to establish a cybersecurity management strategy and policy, both at corporate level and within the treasury department. By taking a three-step approach to developing this strategy, companies can be highly effective:
Understand the nature of data that is at risk. Before setting any strategy, the treasurer (together with other appropriate colleagues) has to have a clear knowledge and understanding of the scope of data, information and activities which are potentially at risk.
Value the data at risk. Once the scope is understood, the treasurer will help to place a value on all data. Both assets at risk (such as the long-term value of intellectual property) and potential liabilities (for example, likely compensation payments) will need to be quantified.
Take action to manage the data at risk. With a clear value of the data, the treasurer can then help the group to prioritize the use of resources to manage cyberrisk effectively. Within this process, there are essentially three tasks:
- Protect the most valuable data. Companies should dedicate their scarce resources to protecting the most valuable data. This is likely to include data that is central to the financial viability of the organization, and will include core intellectual property. Protection is likely to be achieved via a series of measures and controls.
- Manage the remaining risk through insurance and self-insurance. Irrespective of how much is spent protecting the most valuable data, there is still a chance that security will be breached. It may be possible to use insurance to cover this remaining risk. For example, insurance is often appropriate as a protection against any requirement to pay financial compensation as a result of a data breach. However, it may not be possible, or financially appropriate, to insure against every potential loss.
- Adopt a plan should a data breach occur. Finally, all organizations should expect a data breach to occur at some point. The challenge then becomes how best to respond to ensure any risk to reputation and any financial losses are minimized.
Ultimately a corporation needs to be able to determine who should have access to each piece of its data, and have a process in place to protect it or a solution to be able to recover in the event of loss.
Treasurers need to manage cyberrisks associated with most of their core activities: payments processing, liquidity management (including the operation of in-house banks), supply chain management and the use of any outsourced services including treasury management systems and other solutions offered as a software as a service (SaaS).
As discussed, it remains likely that all companies will experience a cybersecurity breach at some point in the future, although the costs to affected companies will vary significantly. Despite this, the 2015 AFP Risk Survey found that 60 percent of companies do not have a clear, documented mechanism to respond to a cyberbreach. Every company should:
Adopt a crisis plan. Having even a rudimentary crisis response plan will help the company adopt a more coordinated approach. Where companies have crisis response plans, they are often integrated into their disaster recovery and business continuity plans.
Manage communications. Once a cybersecurity breach has been discovered, the company needs to manage its communications, both internally and externally (including with law enforcement agencies and regulators).
Analyze the breach. Companies need to determine:
- How was the event uncovered?
- Who and what caused the breach?
- How long has it been operational?
- How has data been affected? Has data been corrupted, stolen or lost? If so, whose data has been affected?
- How does the data breach affect the ongoing operations of the business?
- Can business operations continue as normal?
Manage the immediate consequences. Relationships with affected customers, suppliers and other parties need to be managed.
Regulatory requirements must be met. This may involve the payment of compensation. The company may also need to manage public relations, if the breach is high-profile.
Improve. The company must have a process which allows it to learn from its mistakes. This may involve implementing additional training.
Review. Finally, the company should regularly review and test its crisis response plan.
The crisis response strategy needs to sit within a broader business continuity plan. This will deal with the longer-term consequences: lawsuits, fines, reputational impact and loss of income. Enterprise risk management requires the company to understand its risk appetite and to take appropriate action to either accept or transfer the risk, or to change behavior. Business continuity plans should be designed to help the company plan for, and respond to, incidents and business disruptions, so that the company can continue to operate at a predetermined level.
Download the new CTC Guide, Cybersecurity: Setting a Cyberrisk Management Strategy, here.