Achieving Cyber Resilience
Article from Risk Management No. 55.
No. 55 , February 2015 Achieving Cyber Resilience By Garin Pace, Anthony Shapella and Gr eg Vernaci+ Cyber security has become the single most important risk to company boards of directors around the world. This is not a surprise : the global economy has become highly networked and depends on continuous, secure and uninterrupted data flow. The highly networked environment presents tremendous opportunities for enterprising firms, but this opportunity brings its risks. For example, recent high -profile attacks have targeted point -of- sale terminals at Target, Home Depot and Staples, server software at J .P . Morgan and employee databases at Sony. In the face of such complex risks, what can a company do to protect itself? The first, and most important step, is to carry out standard systems hygiene proactively. The Center for Internet Security 1 suggests that five simple steps can prevent up to 80 per cent of cyber attacks. The steps include: maintaining an inventory of authorise d and unauthorised devices ; maintaining an inventory of authorise d and unauthor ised software ; developing and managing secure configurations for all devices ; conducting continuous (automated) vulnerability assessment and remediation ; actively managing and controlling the use of administrative privileges . 2 Recogn ising this, the National Institute of Standards and Technology (NIST), working under an executive order of the President of the United States, developed a common cybersecurity framework that provides a roadmap for companies to implement standard security practices. 3 The U.K. has also implemented a similar framework that it calls Cyber Essentials.4 Clearly, standard practices will help companies improve their defences and prevent the bulk of cyber security events. Cyber resilience planning While standard hygiene is a start, it simply cannot prevent all attacks. As such, leading firms are moving beyond prevention and focusing on resilience .5 This can be achieved by developing a “cyber resilience” action plan for responding when an attack occurs. A plan is best developed by a cross -functional working group of senior managers (sales/marketing, operations, IT , finance, legal, risk, HR) that meets regularly to discuss cyber security, monitor evolving internal and external threats , and model and analyse hypothet ical attacks. A good resilience plan will detail roles and responsibilities, external parties + Garin Pace is Head of Underwriting Excellence, Cyber for the US & Canada at AIG; Anthony Shapella is Director of Risk Aggrega tion, AIG; Greg Vernaci is Head of Cyber for US & Canada, AIG. 1 http://www.cisecurity.org/ 2 http://www.nationaldefensemagazine.org/archive/2014/May/Pages/NewCyberHy... Attacks.aspx 3 The framework can be accessed here: http://www.nist.gov/cyberframework/upload/cybersecurity -framework -021214.pdf 4 The scheme can be accessed here: https://www.gov.uk/ government/uploads/system/ uploads/attachment_data/file/317481/Cyber_Essentials_Requirements.pdf 5 For a more in -depth read on cyber risk resilience refer to the CRO Forum’s recently published paper Cyber Resilience—The Cyber Risk Challenge and the Role of Insurance