Compliance is not resilience

Compliance is not resilience | Insurance Business

Compliance is not resilience

In dealing with risks, especially something new and uncharted such as cyber, complacence is one of the worst mistakes businesses can commit.

According to Pankaj Thareja, cyber security consultant at FM Global, some business leaders do not realise how huge their digital footprint is, even when their business is heavily reliant on technology, which may lead them to becoming complacent.

Also, some leaders think that merely complying with regulations is enough to prevent being victimised by cybercrime. However, Thareja said that is not the case.

“Some business leaders think, ‘we are compliant to regulatory bodies, so we are safe’, but compliance doesn’t necessarily mean the business is safe,” Thareja told Corporate Risk and Insurance. “Being compliant only means that the business has met regulatory standards. Some also think ‘we have never been hacked before and our firewalls will protect us from outside world’, but this is also being complacent as that is no longer enough.”

He added that complacent businesses usually think the following measures are enough: outsourcing their cyber security program to third parties; believing their internal IT team can manage threats and secure their business data in isolation; and thinking that they won’t be targeted because they don’t hold confidential customer information, such as credit card details.

Importance of cyber resilience
In the event of a cyberattack, financial recovery can take a long time – from months to even years, depending on the severity of the attack and its impact. Cyberattacks can shake the confidence of clients and damage a business’s reputation, causing loss of market share and missed growth opportunities. According to Thareja, restoring a business back to normal needs extended time and commitment.

“The key factor that determines the length of recovery time is the strength of your cyber resilience programme and commitment from management to have continued business survival,” he said. “Often cyber risk is seen as an ‘IT issue’, though the impact goes beyond specific IT issues as they can potentially derail the entire enterprise. Cyber risk should be treated as a business risk and top management support is necessary in building a resilient enterprise.”

“Cyber insurance is not just hype, but in fact, a necessity as it will have a bearing on recovery. Cyber is a risk that needs to be managed like any other. You always need to insure something that you cannot control and build loss prevention into your business.”

Thareja said that a well-defined, cyber resilience program strengthens a business’ defence against cyberattacks and limits the impact, allowing business operations to carry on.

“From what we see, companies that do not have a good cyber resilience programme are often the ones that also do not understand its importance,” he said. “They think having measures such as patch management, firewalls and encryption are appropriate defence, but this is not enough.

“More clients are ready for cyber risk assessments and, moving ahead, finding out the gaps in their cyber exposure and fixing those. This is a good start towards building a healthy cyber resilience programme.”

Risk assessment to mitigate cyber vulnerabilities
Virtually all businesses today involve technology in one form or another. This, according to Thareja, necessitates a cyber defence strategy. In order to establish one, businesses must undergo a risk assessment to understand the gaps they have.

“FM Global devised a tool to help clients understand their cyber exposure in a structured way. The tool is designed to identify the extent of the exposure and develop clear, actionable steps to mitigate cyber risk and avoid business interruption,” he said.

“Our cyber risk assessment involves fact-based questions, uniquely designed to gather threat intelligence and insights at both the location and enterprise level. Essentially, it attempts to deliver a concise cyber risk report showing the business’s cyber resilience level and provides prioritised, actionable recommendations for improvement. A client will then know precisely where they stand and their cyber risk posture across four key areas – governance, IT security, insider threat management – and the recommended response and recovery plan. Cyber consultants then work with the clients to help mitigate the risk.”