Concerns around heightened cyber risks and data privacy took a serious turn this year as governments implemented regulations with the aim of protecting consumer information, from the General Data Protection Regulation (GDPR) in the European Union, which every company with EU customers needs to be wary of, to Canada’s mandatory breach notification regulations and California’s Consumer Privacy Act 2018. These new laws have been important in helping companies recognize and mitigate their risks, though they haven’t addressed all the potential pitfalls facing businesses in the digital age.
“Anything that is looking to raise the awareness or get more people involved in managing cyber risk within an organization is positive,” said Jeff Tilley, vice president and manager of cyber hazards at FM Global, though he added that most regulations are focused on the privacy of consumer data and not necessarily business resilience, “so while they’re very positive, we still have to continue to push forward.”
Better risk management around cyber exposures is critical today for each and every business, particularly when this past year’s incidents proved that everyone is vulnerable to hacking.
“There’s really no vulnerability that’s too small to exploit and there’s no company too big or too sophisticated to be a target. I think Facebook is a fantastic example of that,” said Tilley. “The bigger you are and the bigger your footprint, the bigger target you’re going to be and the harder it’s going to be to defend yourself against the attack. At the same time, the way attacks are developing all the way down to an IoT device in your home, which can be utilized as a jumping-off point for illicit attacks, the trends just continue to confirm what we’ve seen, [which is that attacks] are global in nature and no-one’s immune.”
Risk managers are taking cybersecurity more seriously now than ever before in response to the increasing cyber threat, yet there continue to be holes in their defenses.
“I don’t think it’s a matter of complacency or anyone not being aware of the potential risk – it’s just not knowing exactly where to start,” explained Tilley. “Traditionally, you didn’t see cyber risk being managed as an enterprise risk – it was relegated to an IT concern. However, with the visibility at the board level, it’s really extended to the point where it has to be managed as an enterprise risk, but those gaps between the traditional risk management function and the folks that are responsible for cybersecurity still exist.”
When engaging with their clients, the FM Global team is trying to bridge that gap and show businesses that cyber isn’t that much different from other perils.
“People look at cyber risk through the lens of the traditional peril they think that they’re familiar with, and in many ways it really does align – understanding your risk, connecting that to your business priorities, looking at potential business outcomes, and then being able to prioritize the type of investments you make in your cybersecurity,” Tilley told Corporate Risk & Insurance, adding that clients are recognizing that they can’t work in silos to be effective against cyber threats. “Having the conversation and bringing people to the table is the first step.”
For 2019, Tilley sees industrial control systems and the link between the physical and digital worlds as an important area where cyber risk will continue to develop, and where there’s a real possibility of cyber criminals significantly impacting a business’s processes. The other activity that should be on risk managers’ radars is the potential of data manipulation by hackers.
“Right now, we’ve looked at the access to data, theft of data, destruction of data, but the manipulation of data and the potential impact on the trust of that organization, which relies on the reliability and integrity of it, is going to be an interesting threat,” said Tilley.