How to: three steps to achieve cyber resilience
The technological revolution of the 21st century has transformed every industry. The level of connectedness is unprecedented and still growing: as digital automation expands, so does the amount of information stored and shared electronically.
This increased connectivity and automation have driven productivity growth through the speed and ease of sharing and analysing data and the electronic distribution of products.
Companies that hold data have had to adapt to an environment of increased regulation, and to technological advances that have significantly changed how they interact with their customers and how they identify their competitors. The potential for data breaches and for extended periods of downtime is obvious. Traditional operating models are increasingly being challenged, and maintaining reputational integrity is fundamentally important to organisations, because customer loyalty is hard won and easily lost.
While data protection risks are well understood, they continue to evolve as attacks grow in scale and complexity; this, together with the new European legislative controls, is driving the interest in cyber resilience.
1. Understand the issue
The modern workplace is transforming as disruptive innovation continues to evolve, and regulatory and legal frameworks make the necessary adaptations.
The main assets of organisations nowadays are more intangible than tangible, and doing business today means dealing with data in a continuously shifting landscape, alongside the ever-growing threats that accompany digital innovation and cyber risk. Despite this, organisations still mistakenly manage cyber risk as an IT issue, do not understand the implications of the evolving laws and regulations, and do not budget properly for the related losses.
According to the "2017 Global Cyber Risk Transfer Comparison Report", jointly released by Aon and the Ponemon Institute, the Chief Information Officer and Chief Information Security Officer are the roles most often held responsible for cyber risk management. Only 29% of organisations are fully aware of the economic and legal consequences of a data breach or security exploit in the other countries in which they operate, for example under the EU's General Data Protection Regulation (EU GDPR), and 51% are only somewhat aware.
The EU GDPR, which governs the handling of personal data, comes into force in May 2018*. It can impose significant fines on non-compliant organisations.
2. Why does this matter?
Consumer data is tied into a universe of functions and businesses. With the growing threat of large-scale cyber risk, establishing the legal obligations of companies who handle this data is increasingly important if businesses are to grow without compromising both their own and others’ digital assets.
Recent cyber-attacks reveal that even established companies and governments can be vulnerable. Legislation provides clarification on difficult questions of legal liability, potentially opening the way for more wide-ranging use of data tools in commercial enterprises and workplaces.
However, regulations like the EU GDPR are so wide-reaching in scope that moving immediately to ensure compliance is essential. The EU GDPR in particular affects not only EU firms but any firm processing personal data about EU data subjects within the scope of the regulation, including firms outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
3. The need to integrate silos
Organisations need to start approaching and managing cyber as an enterprise-wide risk, working collaboratively across the various stakeholders (e.g. technology, risk management, operations, legal, finance, HR) to implement good governance and frameworks, execute a resilience strategy and create a culture of risk management, compliance and cyber security.
CEOs want to satisfy their fiduciary duty, understand any legal, regulatory and financial implications of the risk and ensure a return on investment.
CISOs think about security improvements, transformation and remediation. Risk Managers, CFOs and Treasury focus on the risk itself, align strategy and secure buy-in from stakeholders for the necessary investments, including the transfer of cyber risk exposure through cyber insurance.
HR stresses protecting sensitive HR data, preventing counter-productive behaviour, training to mitigate cyber threats and creating a culture of awareness.
Legal and Compliance focus on personal data privacy and on managing the organisation's position across the various regulatory regimes.
CROs want to mitigate the increased cyber risk that mass connectivity brings to operations and supply chains.
Each silo is focused on one element of the organisation's overall digital profile and cyber risk. Digital transformation is rapidly and radically changing business models, and with them the risk profile of organisations and the regulatory landscape. It is therefore imperative to cascade this change through the organisation at the same pace, hand-in-hand with a robust cyber resilience framework that allows the different stakeholders to make informed decisions jointly, optimise their strategies, manage and mitigate the organisation's risks, and in doing so comply with the new regulations.
“The EU GDPR provides the biggest shake up of European privacy laws for 20 years. Organizations need to act now to navigate this significant regulatory risk” Adam Peckman, Aon Global Practice Leader, Cyber Risk Consulting.
About the company
Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.
About the author
Andrea Garcia Beltran is EMEA Cyber Sales Leader for the Aon Global Broking Centre in London. She is a Cyber and Financial Lines Specialist with a BA in Law (Colombia) and a Master's degree in Insurance and Risk Management (Personal Insurance), and has knowledge and experience of the EMEA and LatAm insurance landscapes. Andrea joined Aon in 2008 and has held various roles, mainly placing and managing large, multinational and complex risks and clients within Financial Lines (i.e. D&O, Crime, Specie, PI, Cyber). Most recently she has been working with Aon's leadership teams and Cyber Champions to support Aon's growth, initiatives and approach to delivering cyber risk management solutions that support clients' risk and insurance strategies.
*The EU General Data Protection Regulation, which comes into effect in May 2018, is changing the landscape in which organisations operate and exposes them to fines and penalties of up to EUR 20m or, if higher, 4% of annual worldwide turnover. Other significant changes include compulsory notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them, increased duties and responsibilities for data processors in respect of personal data, and heightened rights for data subjects, including the right to erasure, the right to data portability and restrictions on certain types of profiling and automated decision-making.
This blog is one of a series of articles from our commercial partners.
The views expressed are those of the author and not necessarily those of ICAS.