Printed from BusinessInsurance.com

Use dollars and sense to protect against cyber threats

Posted On: Sep. 24, 2019 1:44 PM CST

CHICAGO — Cyber threats and breaches have become an everyday reality for companies, but leaders still often fail to use “dollars and sense” to prepare for a cyber security breach, said a panel of experts Monday at the Chicagoland Risk Forum at the Marriott Magnificent Mile in Chicago.

A cyber event can be one of the biggest challenges an organization can face, and the usual response from companies is, “We never expected it, we never saw it coming or we thought we had the right insurance,” said Scott Kannry, CEO of Axio Global Inc., a New York-based cyber risk engineering firm. “Companies spend money on controls and capabilities that oftentimes are protecting the wrong things. When you’ve got different people handling different things in different budget silos, decisions aren’t made most effectively in terms of where to invest next.”

And the consequences today extend far beyond that breach, and can result in shareholder lawsuits, financial outlook downgrades, C-suite firings and directors and officers liability insurance settlements, he said.

“As risk managers, we all need to go through that enterprise risk management analysis and look at what are those events that could actually bring down the company,” said Karen Golden, director of risk management at Lisle, Illinois-based Navistar Inc.

Walking through a potential cyber scenario with leadership and the aftermath can help make a compelling case to boards to take cyber protection seriously, particularly because “showing ROI from a security perspective” is a “pretty significant challenge,” said Chicago-based Luke Tenery, senior managing director at Ankura Consulting Group LLC.

To help corporate leaders understand the importance of cyber security and putting dollars behind it, Mr. Tenery suggests laying out the first- and third-party impacts of a cyber security breach, as well as the tangible and financial impacts. For instance, in a scenario where a company suffers a ransomware attack, the company may consider paying the ransom, or if the company has good backups, attempting a widespread recovery, but the implications to the business don’t end there, he said.

“Forever, people have been saying that the best protection on ransomware is good backups, but some are so expansive that the time it may take to go through that recovery” may be worse than paying, said Mr. Tenery. “When you think about these costs, the aspects of the reputation (costs) or the broader opportunity costs, these hit a material level pretty quickly for a lot of organizations … and affects the fundamental value of the organization.”

While some industries and companies may not believe cyber threats are a big risk, industries such as manufacturing have been increasingly targeted, said Ms. Golden. 

We need to take a good look at what coverages and potential exclusions exist in insurance policies in the event of a cyber incident, she said. For instance, will a products liability policy cover an issue that arose out of a cyber event, “or is there a specific exclusion … about cyber events or ransomware that would change how that policy might respond,” she said.  

“You need to look at the broad-based overall picture of what does all of your coverage look like,” said Ms. Golden. “If you only have that dollar to spend, where do you spend it … what sort of technological controls might be available, or would that dollar be better spent buying more insurance coverage to close those gaps.”

Through that type of analysis, achieving “integrated decision-making” and “presenting a unified front,” an organization will be much better situated to weather an event, noted Mr. Kannry.

“Cyber events are going to happen,” he said. “No one is impenetrable.”