Cyber crisis: A silver lining for CROs

Boards and executives are taking cyber risk seriously now – and they’re looking to CROs to lead the charge. In 2017, C-suite executives resigned over cyber events that brought storms of investigations, litigation, scrutiny, and massive profit losses. In 2018, CEOs will empower risk managers to take centre stage in confronting cyber threat, says Stroz Friedberg, an Aon company.

Cyber risks are getting more dangerous by the day and senior stakeholders are only just beginning to understand the sheer magnitude of the threats. “Once the C-suite, the directors, and the officers realised that their positions could be at risk because of a breach, cyber risk suddenly got a lot more attention,” says Shannan Fort, cyber product development leader at Aon. “When they read about how their peers are having to resign from positions or when there are investigations into organisations around their cyber preparedness that’s requiring [their] input, then it becomes a much more tangible and real issue from the top-down.”

Key factors driving the current cyber crisis:

[2018 Cybersecurity Predictions]
 

• Regulatory burden intensifies
  • The EU’s Global Data Protection Regulation (GDPR) is expected to be strictly enforced on companies in 2018. Businesses will need to put more resources into compliance or face a maximum fine of US$23.8m.
• IoT is targeted
  • 3.1 billion Internet of Things devices were used by businesses in 2017, but they’re notoriously vulnerable and overlooked. A survey by Ponemon reported that only 25% of boards make IoT security inquiries.
• Passwords are failing
  • 81% of hacking-related breaches involved stolen or weak passwords, says a recent study. Attackers are circumventing traditional technologies like facial recognition and fingerprints, but these single-factor authentication tools are still vulnerable.
• Criminals target points rewards
  • Hackers are focusing on things like gift cards and rewards points in place of tangible currencies. Airlines, retailers, and hospitality businesses are beginning to adopt bug bounty platforms to protect against the threat. Large enterprises (with over 5,000 employees) were early adopters in the past year.
• Ransomware attacks flourish
  • Companies hit by the attacks in 2017 are estimated to have lost US$5 billion globally – a 400% increase from the previous year. Tactics are only expected to evolve and proliferate, particularly in the form of DDoS attacks.
• Insiders pose cyber risks
  • Employees who are negligent, ill-informed, malicious, or otherwise a threat to cyber security are an ever-present threat, but a difficult one to quantify, meaning that businesses continually underinvest.

Cyber security spending in 2017 was up 7% from previous years, totalling US$86.4bn, yet the area of cyber risk was still largely relegated to the IT department. Stroz Friedberg predicts a turnaround in 2018 as businesses react to the enterprise-wide, impacts of cyber attacks.

Acting as the primary point of coordination between stakeholders, CROs find themselves at the perfect location within an organisation to take on the challenges. They will increasingly move out of the risk management silo and into the C-suite. “Because [CROs] are touching so many different elements of the business, they’re able to see [cyber risk] from an enterprise perspective,” says Fort. “They’re well-positioned to understand the level of risk the company can take on in any particular [department] and every level by talking to the stakeholders in IT, HR, or the finance department."