Interview with Maya Bundt

swissVR Monitor: What can you tell us about the latest trends in cyber attacks on companies?

Maya Bundt: Figures from Switzerland’s National Cyber Security Centre (NCSC) show that fraud is by far the largest type of attack; that’s fraud against both individuals and companies, and it’s been a major issue for many years. The media, though, tend to focus on other types of attack, particularly ransomware attacks, which have become more frequent over the last few years, both with and without the theft of data.

In a ransomware attack, criminals use a kind of malware to encrypt a company’s data and then demand payment of a ransom for its return. Recent ransomware attacks have also seen data being stolen and the fraudsters threatening to make it public unless the company pays the ransom. This puts companies under pressure to pay up. And there has also been a lot of coverage recently of ‘distributed denial-of-service’ (DDoS) attacks; these involve criminals flooding websites with requests for data, overloading systems and resulting in legitimate users being unable to access the site. This happened very recently, in June, when a number of federal agencies and the Swiss rail network (SBB) were offline for a few hours following a DDoS attack.

swissVR Monitor: So what is the role of the Board of Directors in cyber resilience?

Maya Bundt: In general terms, the Board lays the foundations for sustainably managing the company in relation to its shareholders, and that includes cyber resilience. So the Board’s role is to assess the opportunities and risks that digitalisation represents for the company and its business. But crucially, data is never 100% secure! So alongside traditional measures to protect their systems, companies also need to ensure that they can detect unauthorised individuals on their website. And Boards need to be prepared for the worst-case scenario so that they can resolve a crisis as quickly as possible and without lasting damage.

This means that the Board is responsible for ensuring that risk management, organisation and budgets are in place to enable the company to protect itself and its business model against cyber risk and is equipped to survive a cyber attack

swissVR Monitor: What measures do you advise Boards to take to ensure their cyber resilience?

Maya Bundt: It’s important that managing cyber risk or digital risk isn’t seen as just an IT problem but is recognised as a company-wide issue to be tackled as part of the company’s corporate strategy. Major strategic decisions almost always have an impact on the company’s cyber footprint, whether that’s expanding into a new market, M&A activities, creating a digital ecosystem or ongoing digital transformation more generally.

The Board also needs to be aware of the areas where the company is most at risk of a cyber attack, how much of a threat these risks pose, and how they can be avoided, minimised or transferred. It’s also important to assess the company’s appetite for risk, so that decisions on things like cyber security or cyber insurance can be based on fact.

I always urge Boards to be aware of who in the company is responsible for data security, usually the Chief Information Security Officer (CISO). There are a number of good reasons for this. Having a CISO means there is a permanent member of staff looking after data security for the company. Having the CISO regularly in attendance at Board meetings also means a greater focus on the strategic and operational aspects of cyber security. And finally, the Board can build a relationship with this key individual, something that I think is as important as its relationship with senior risk and HR management more generally.

The Board should also be thinking about how to boost its own cyber expertise, for example by appointing members with specialist knowledge or providing existing members with ongoing training in this area. I think a certain level of cyber expertise is part of any Director’s basic toolkit these days. In-depth knowledge and, in particular, an interest in this area will also help ensure that the issue doesn’t get lost in the welter of things the Board has to think about and that there is always someone who is asking the relevant questions

swissVR Monitor: How would you define appropriate reporting to the Board on the issue of cyber resilience?

Maya Bundt: Many companies have a committee – usually the Risk Committee – that is responsible for cyber risk, though some also have a Technology and Cyber Committee. Having a committee is important, because it usually has more time for discussion than the full Board, and its members can consider issues in greater depth.

Generally speaking, reporting must be relevant, clear and appropriate for the Board. It can often be useful for the CISO to keep their contribution fairly general, setting out risks and how to tackle them rather than going into technical detail. Alongside company-specific information and KPIs, it can be interesting and useful to assess the overall picture and benchmark the company with others

swissVR Monitor: And what is your view of cyber risk insurance? Are there circumstances in which such policies can be useful?

Maya Bundt: I’d start by saying that cyber insurance is part of a company’s broader cyber risk management strategy but can never replace that strategy. It sends shivers down my spine when I hear people say things like “Well, we don’t need to worry about cyber security. We’ll just take out insurance against cyber attacks”. I don’t think that’s the right way to see it. I’d also argue that no insurance provider can offer a company cover if the company itself hasn’t already taken certain basic measures.

Risk management includes avoiding, reducing, transferring and finally accepting risk, so taking out cyber risk insurance requires the company to understand and quantify its risk properly before deciding whether to transfer part of the residual risk to an insurance company. In other words, companies assess their appetite for risk and then transfer those aspects that their own risk mitigation measures cannot tackle. Other companies, though, may weigh up these factors and ultimately decide against taking out cyber insurance.

Many cyber insurance policies also include services that can provide practical help in a crisis. If, for example, a company has been the victim of a ransomware attack, its insurance policy provides an emergency telephone number to ring for immediate support. For some companies, that sort of support alone is a convincing reason for taking out cyber insurance.