I attended a Cyber Security presentation this morning organized by a leading insurance and benefits provider with offices in St. Louis. They brought together speakers representing brokers, wholesale as well as accounting and audit to discuss cyber security with business owners.
As they build momentum around cyber-liability offerings, it’s becoming clear to everyone where the insurance industry stands. The industry is a known partner for most businesses, and while cyber liability may be new, insuring against risk is not a new idea. Convincing someone that the risk is real is a consistent hurdle, but opening the news on a daily basis seems to at least start the conversation. Overall we’re making progress in the right direction.
Four ways to mitigate Cyber Risk
What’s less clear are the four primary mitigation approaches to cyber risk. After conducting a cyber risk assessment that includes ‘people’, ‘process’, and ‘technology’, organizations should select a mitigation approach for each identified item. The choice differs based on the nature of the risk and the value of the asset at risk, but it always falls into one of these categories.
It’s worth noting that “Choosing an individual cyber risk mitigation approach does NOT mean executing on that decision immediately, but it does mean you’ve chosen a path.”
Eliminate the Risk – If you can live without the asset that’s causing you risk, ditch it. The great news is that often a thorough vulnerability assessment will quickly identify risky assets, systems, or processes that can be eliminated immediately. We all have systems that are “just there” year after year because it was never anyone’s job to replace them. Sometimes their usefulness is long gone, but they present a risk that can be easily removed.
Implement Controls – If you have to keep the asset and it presents risks, there are many ways to decrease or manage that risk. This is where responsible firms learn to identify threats and vulnerabilities, then prioritize and right-size their response to mitigate as much of the risk as possible. It might involve changing a process to include an extra verification step, dropping in a simple policy document for staff, or changing the technology used for your business. Even for technology risks, changes are usually small updates and occasional upgrades or replacements. For most firms these are 12-month plans, with the highest priorities tackled immediately and others feathered into normal business cycles.
Transfer the Risk – This happens both through cyber liability insurance and, in some cases, through outsourcing. Moving assets to the cloud might appear to transfer risk, but cloud agreements are usually detailed and don’t eliminate your responsibility for sensitive data. Buyer beware. The insurance industry as a whole is getting much better about tackling these risks and providing a solution for very specific parts of the problem businesses face, but insurance never addresses all the risk.
Accept the Risk – Far from pulling the covers over our heads and hiding, there is a place for risk acceptance. When the item can’t be eliminated, when the controls are far more expensive than the risk, and when no one will insure against the risk, firms have to accept it. When it’s a business decision and considered carefully, it is an acceptable (pun intended) and defendable choice.
Are we there yet?
These days it looks like Risk Assessment and Risk Management are (finally!) embedded in almost every cyber security standard and IT process at some level. Given the foundational nature of this potentially simple process, this is a fantastic improvement. Even better news is that people are beginning to understand that risk assessment should be thorough, but that thorough does not mean complex or impossible.
When we get risk assessment done well, everything else we do to mitigate cyber risk becomes considerably easier. We make better decisions about which processes and technology to keep, update, or change. We spend less money on solutions with questionable return. We decrease real risk to the business faster and with less cost.