Assessing cyber risk
Critical questions for the Board and the C-Suite
The evolving threat landscape means organisations today must worry about far more than fraud and theft. As attackers become highly organised and also focus their attention on disrupting services, destroying data, and holding systems to ransom, the risk challenges grow more complex—with regulatory fines, legal damages, loss of trust, and reputation damage becoming part of the equation. This piece presents an in-depth look at 10 must-answer questions that can help top leaders better comprehend where they stand when it comes to being “secure, vigilant, resilient.”
Risk powers performance
Amid this landscape, the connection between risk and performance grows stronger, with responsibility for overseeing cyber risk increasingly resting with the Board and the C-Suite. These top leaders increasingly want to confirm that their businesses remain secure, vigilant, and resilient, but they are sometimes far removed from the day-to-day challenges of monitoring, detecting, and responding to evolving cyber risks.
Ten critical questions can help Board members and the C-Suite get started by unlocking insights about their cyber maturity. Explore them here, and discover guidance that can help you develop focused answers and build new cyber risk understanding.
- Do we demonstrate due diligence, ownership, and effective management of cyber risk?
- Do we have the right leader and organisational talent?
- Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?
- Are we focused on, and investing in, the right things? And, if so, how do we evaluate and measure the results of our decisions?
- How do our cyber risk program and capabilities align to industry standards and peer organisations?
- Do we have a cyber-focused mindset and a cyber-conscious culture organisation-wide?
- What have we done to protect the organisation against third-party cyber risks?
- Can we rapidly contain damages and mobilise response resources when a cyber incident occurs?
- How do we evaluate the effectiveness of our organisation’s cyber risk program?
- Are we a strong and secure link in the highly connected ecosystems in which we operate?
Boards and C-Suite play a critical role in cyber risk
Cyber threats and attacks continue to grow in number and complexity, all while the business world grows increasingly connected and digital. Amid this new landscape, managing cyber threats becomes a business and strategic imperative, with the stakes higher than ever. These days, cyber crime involves more than fraud and theft. As the domain of vast criminal networks, foreign government-sponsored hackers, and cyber terrorists, cyber crime extends across the risk spectrum—to involve disruption of services, corruption or destruction of data, and even “ransomware” activities that seek to extort money, access, or corporate secrets from victims.
Today, cyber risk and performance are more tightly intertwined. Tangible costs from cyber crime range from stolen funds and damaged systems to regulatory fines, legal damages, and financial compensation for affected parties. Intangible costs could include loss of competitive advantage due to stolen intellectual property, loss of customer or business partner trust, and overall damage to an organisation’s reputation and brand. Beyond the damage to individual organisations, the sheer scope of cyber attacks now has the potential to cause mass-scale infrastructure outages and potentially affect the reliability of entire national financial systems and the well-being of economies.