Cybersecurity is about risk assessment

A computer attack or security incident can have serious financial consequences (fines, damages and interest paid, legal proceedings, emergency investments to enhance IT security, system recovery costs), consequences on the image of the company (loss of confidence of the public and business partners) and on its functioning (denial of service, paralysis of the activity).

NotPetya, WannaCry, large-scale data theft: world news in recent years has been marked by the proliferation of security incidents and computer attacks. No one is spared, and the economic consequences can be very heavy.

In view of these risks, cybersecurity is now a major concern for all businesses, regardless of their field of activity or size.


Cyberattacks and business risks

The French law 2017-399 of 27 March 2017 on the duty of vigilance of parent companies and ordering companies requires large companies to establish and implement a code of vigilance.

This plan should identify the risks, and prevent serious harm, to human rights and fundamental freedoms, to the health and safety of people and to the environment that could be caused by the company's activity. Such risks and harms can be caused or aggravated by cyberattacks. For example, critical business infrastructure can be taken out of service by ransomware. Depending on the company's activity, the consequences of such a blockage may seriously harm the health or safety of people. Taking cyber-risk into account is therefore essential as part of safety due diligence.

The question is also unavoidable when it comes to the processing of personal data. The European General Data Protection Regulation (GDPR), applicable since 25 May 2018, reinforces the obligation of companies and their subcontractors to ensure the security and confidentiality of the personal data they process. If data are stolen by third parties, the controller will have to remedy the data breach, may incur sanctions from the supervisory authority, faces the risk of a class action, and so on.


Is cyber-risk insurable?

Even when significant cybersecurity measures are in place, zero risk does not exist, and a security incident can occur. Its financial consequences may be impossible to overcome for a company that is not prepared. Taking out an appropriate insurance policy must therefore be part of the risk prevention policy.

For insurers, assessing cyber-risk presents difficulties and is still in its early stages.

The insurance mechanism relies on the insurer's ability to reliably estimate and predict the financial risk associated with the covered loss by studying past claims. But IT threats evolve rapidly and constantly: the operating methods of attackers, the types of attacks and the security breaches change all the time. As a result, insurers find only limited predictive value in the study of past incidents, which makes it difficult to set balanced insurance premiums.

Today, cyber-risk is only partially covered by traditional insurance policies. These contracts cover certain foreseeable consequences of computer threats. For example:

  • Property damage insurance may apply if the operative event is a computer attack that has permanently or temporarily rendered part of the company's infrastructure unusable;
  • Third-party liability contracts can cover civil liability claims arising from a computer attack: the liability of a controller in the event of a personal data breach, or a contractual default following a crippling computer attack.

At present, both supply and demand for cyber-insurance in Europe are low but rising.

However, cyber-specific insurance contracts will need to develop in order to cover the full range of risks that companies face.


How can I better manage cyber-risks?

Insuring against cyber-risk is part of a necessary approach to risk prevention and regulatory compliance. It follows a classic risk management cycle and is supported by various open source tools [1].

To do so, the company must take an inventory of the vulnerabilities affecting its most critical assets, known as the crown jewels, for example through risk mapping, vulnerability analysis and an evaluation of what is at stake for the company. The mapping should be done by a multi-disciplinary team drawn from within the organisation. This is the only way to reach two important goals: first, it creates awareness by having ambassadors within the organisation; second, it produces a full mapping of the risks across the organisation.

This will lead to greater awareness of cyber-risk exposure and will also make it possible to arbitrate between spending on prevention and spending on protection.

Effective monitoring of the risks is also crucial to build a sustainable and resilient approach and to adjust the organisation's risk posture in real time.

The four key actions are:

  • Determine your cyber perimeter by understanding and considering the full ecosystem, including internal employees and external partners;
  • Improve your cyber threat intelligence by building a common strategy across the organisation and sharing intelligence, data and research from internal and external sources;
  • Train (and test the understanding of) your workforce: cybersecurity e-learning is key to helping your team understand how attackers build their social engineering schemes;
  • Report and act: a strong governing team is key to advancing cybersecurity, responding to cyber threats and further empowering management.

Hajar Diouri
Member of the EACT Cybersecurity Working group
