When a scheduled flight of a wide-body airliner is cancelled, it can cost the airline up to ,000. So you can imagine what kind of day executives at LOT, the Polish national airline, were having last year when 20 flights were cancelled after computers that issue its flight plans were breached.
“The aviation industry’s growing reliance on data networks, and onboard computer and navigation networks, is rendering it increasingly vulnerable to cyber risks,” says Erlend Munthe-Kaas of Bloomberg Intelligence. “Airlines rely on computers for almost every aspect of operations. As a result, cyber incidents can have devastating consequences, including business interruption and loss of reputation.”
“There’s beginning to be a shift to educate businesses to see the wider, deeper cyber risks picture that in many cases has gone unacknowledged.” -- Lori Bailey, Global Head of Special Lines, Zurich Insurance Group
Think of it as cyber creep. The risks aren’t just about protecting your customer’s data, although that remains important. They are insinuating themselves into every nook of your business, creating the possibility of mass disruption to operations and critical infrastructure. As the world becomes more connected and businesses rely more on machine-to-machine communication and automated manufacturing, the cyber risks pile up. One day, production might grind to a halt. Critical transactions might not take place. Shipments could be steered to incorrect destinations. Planes might not take off.
Cumulative effects of cyber risks
Businesses in eight countries—including Japan, Germany and the U.S.—consider cyber risks the top concern to doing business, according to the World Economic Forum’s (WEF) Executive Opinion Survey of business leaders in 140 economies. The report also notes that cyber dependency is the third most important trend in shaping global development over the next 10 years. A bit of extrapolation supports a view that the cumulative effects of cyber risks are not being sufficiently taken into account.
“Cyber security and information privacy have historically been looked at as separate risks by businesses—in some cases, even isolated from other risks,” says Lori Bailey, Global Head of Special Lines, Zurich Insurance Group. “However, there’s beginning to be a shift to educate businesses to see the wider, deeper cyber risks picture that, in many cases, has gone unacknowledged. The goal should be to develop resilience and protection, because as cyber risks accumulate it becomes more difficult to anticipate them all.”
“The main reason that boards of directors are interested in this challenge is that part of their responsibility is protecting the company’s assets, and an increasing number of those assets have cyber connections.” -- Gus Coldebella, former Acting General Counsel, U.S. Department of Homeland Security
The Internet of Everything (IoE), where the cyber and physical worlds collide, is fueling the accumulation of cyber risks. (The IoE, cloud computing and bring-your-own-device trends also contribute to serious systemic vulnerabilities that are difficult to quantify, and can only be managed and mitigated by public/private partnerships.) The automotive industry, for example, relies heavily on complex and highly interconnected technologies that are tightly coupled with design, assembly and distribution. Disruptions in one system puts all systems at risk, and a faulty vehicle—heavy with potential liability—might be the end result. “Unless you start thinking about cyber risks at the very beginning of the development process and perform quality assurance along the way to make sure that security is working from the beginning of design all the way through production and release to market, the marketplace will be filled with vulnerable products,” says Gerry Kane, Cybersecurity Segment Director, Zurich North America.
Who’s in charge?
As businesses transfer more and more of what they value onto digital networks, they should be thoroughly evaluating assets they are putting at risk and putting in measures to protect those. This extends beyond personally identifiable information, to areas such as intellectual property, confidential internal communication and, increasingly, physical objects and infrastructure. How are these assets guarded? How would the company respond if they were attacked? And where does the responsibility for these and all other cyber risks sit within the business?
“What’s important in the board room is having a translation between what’s happening on the IT security side and what the board needs to do to understand the risks.” -- Gus Coldebella
Businesses are becoming increasingly aware that cyber risks must be managed at the board room level. Gus Coldebella, former Acting General Counsel, U.S. Department of Homeland Security, and Principal, Fish & Richardson, a global patent and intellectual property law firm, says, “This is partly due to the attention paid to cyber incidents in the media and greater scrutiny on companies that may have experienced cybersecurity incidents. The main reason that boards of directors are interested in this challenge is that part of their responsibility is protecting the company’s assets, and an increasing number of those assets have cyber connections.”
In Coldebella’s view, it’s a mistake to assume that boards don’t have the interest or capability to take part in the management of cyber risks. “What’s important in the board room is having a translation between what’s happening on the IT security side and what the board needs to do to understand the risks, to mitigate the risks, to assume the risks and to insure against the risks,” he says. “Part of that is making the circle bigger. If you just have the directors and IT security people in the room, you’re going to end up talking about which box we just bought to solve this problem. If you have the legal department, HR and finance in the room at the same time, you can tilt that conversation to types of questions that boards have been effectively answering since time immemorial.”
“Public company directors can grapple with these questions and should, whether or not there is someone with an IT background on the board.” -- Gus Coldebella
Many boards today are considering adding a director with an information security background, and some regulatory bodies are considering making such an appointment mandatory. Such a requirement, however, could unintentionally imply that boards should not or cannot oversee the management of cyber risks.
“Public company directors can grapple with these questions and should, whether or not there is someone with an IT background on the board,” says Coldebella. “Requiring such a seat at the board table would almost send a message to all of the other public company directors that they should just let the tech guy worry about cyber risks. And that is not the right way to address this growing challenge.”
- Cyber risks aren’t isolated breaches. They accumulate with the potential to disrupt every aspect of business operations and infrastructure.
- The cumulative effects of cyber risks are not being taken into account by most businesses.
- The Internet of Everything fuels cyber risks accumulation to a level that requires consistent board-level attention.
- As businesses transfer valuable assets onto digital networks, they should consider what they are trying to protect, and how to protect it.
- “Translating” technology risks appropriately will help boards take the lead in managing and mitigating cyber risks.