Too easy to steal: blame management, not hackers, when cyber events lead to losses.
By Ryan Dodd, Founder and CEO of Cyberhedge
Consider this; in 2018 over a billion people were affected by data breaches. Similarly, just a few days into 2019 and major organisations suffering data breaches were hitting headlines. From Singapore Airlines to the German Parliament, these most recent breaches continue to show that no sector is immune from cyber risk, which is undoubtedly one of the greatest risks facing companies today.
When such cyber incidents occur, headlines tend to focus on the technical how’s and why’s of the breaches themselves, rather than the long-term financial fallout. Despite much improved education on cyber threats, there is still a startling lack of understanding on how the day to day management of cyber hygiene affects an organisation’s long-term value.
For cyber risk, governance matters more than deploying the latest technology.
Considering the research showing that the value of corporations’ assets is increasingly digital, the lack of emphasis onon-going cyber risk assessment—as a starting point for proper cyber management– should be considered unconscionable by businesses leaders,regulators and investors.
For example, few established companies would consider taking on a new supplier or partner without undertaking a thorough audit of its financial stability and credit rating—it is often a legal or compliance requirement considered basic “best practice”. Very few, however, will undertake the same audit of a partner or acquisition target’s IT controls and cyber management practices.
Despite most serious breaches in recent years have been the result of a third party’s network vulnerabilities, there is an argument that cyber audit is still a new service and not all companies have on-boarded this new technology. However, considering the size of digital assets’ value at risk, corporate leadership’s negligence at not managing this risk is swiftly punished by the market losses and firings.
If we look at the well-publicised 2018 Marriott hotels breach,this was the result of the challenge of managing cyber risks in highly complex legacy IT systems due to its acquisition of Starwood, part of the USD $13.6 billion takeover in 2016.
These risks could and should have been identified by Marriott pre-acquisition.In fact, they probably were aware but there was no way a threat of a cyber breach was going to stop the momentum of a mega-deal, especially considering a weak regulatory and oversight environment for cyber.
Now however, instead of increased profits post-merger, Marriott is facing several shareholder lawsuits and is undergoing a rebranding exercise starting with their loyalty programs.
The more important issue is that even a company of Marriott’s size doesn’t have the cyber risk management procedures in place to adequately understand where all the unlocked doors and open windows are on an IT network that spans multiple properties around the globe.
Marriott is certainly not alone in this challenge. Most major global companies, especially a corporation built via multiple acquisitions does not have the capability of pinpointing what part of its network specifically is at risk and how much money that risk represents. Think about that. There is no way we would find that acceptable for a physical safety issue or critical infrastructure like electricity, gas, transport or water. Yet with cyber, lack of managing the valuable assets at risk is the norm, not the exception.
Companies are undervaluing their most important asset
With cyber risk impacting every aspect of modern organisations, it is high time that shareholders, investors and advisors treat cyber risk as a macro risk as essential as financial and commercial risks.
When a new risk emerges it always takes time to understand, measure and discuss it in familiar terms, and cyber risk is no exception. While organisations are accustomed to talking about financial and commercial risk, for now discussion of cyber risk is often fixated on the attack itself; what kind of malware was used, what defences were breached, how many files were stolen, and so on.
Similarly, the financial fall out is usually only expressed in terms of the immediate operational, legal and regulatory costs in the wake of a breach.
However, given that most business’ primary revenue lies within its IT and data infrastructure, focusing on fines as the primary financial concern of a breach is a highly unsophisticated approach.
But is that also true in the case of Marriott, a hotel chain with real estate assets spread around the world? Yes. It is perhaps surprising that a major driver of Marriott’s future value as a hotel chain is less based on its property values, but rather in its proprietary technology applied to loyalty programs, franchise operating agreements, booking systems and other technology designed to drive efficiency and monetise data. Consider Air BnB, the second most valuable hotel chain in the world, that derives none of its value from owning property. The ability to govern and protect digital systems has become the key revenue driver of most organisations.
A basic issue of governance and management quality
What happens when a company fails to understand its level of cyber risk, and what are the value benefits of a widening of standard risk assessments? We know that the stock markets reward companies that exhibit higher quality of management over time, so companies that are seen as correctly and proactively managing risk of their digital assets can expect to see their value increase in the future.
Indeed, in the last decade alone, digital companies (e.g. Google, Netflix, Amazon, etc.) have replaced oil, finance and manufacturing companies as the top 10 most valuable companies in the world.
Contrast the digital assets winners with a sampling of the losers – the unfortunate companies that must publicly disclose significant breaches due to regulations (TalkTalk, Maersk and Equifax).
These companies suffer tens to hundreds of millions of dollars in financial losses. But this is only part of the value picture.The wider scene sees these companies lose far more in shareholder value relative to peers. For example, Maersk disclosed a financial loss of approximately USD $300 million stemming from its breach, yet the relative shareholder value loss 6 months on was close to USD $7 billion, and it can take six-to-nine months to recoup the market losses relative to peers.
Rather than waiting for the market to force a change, it is in the interests of all well managed companies and their shareholders to proactively change the approach to cyber risk. It must now be apriority to put cyber in the same category as other macro risks such as finance, health, safety and asset protection.
Crucially, this means demanding two things that are required with other risks: an on-going independent audit or stress test of network security controls, and translation of the identified cyber risks into financial terms.
Choose between hollow promises or independent assessment
The CFO demands this from other divisions of the business and cyber should be no different. A prospective business partner or regulator would never settle for an internal memo about health and safety saying “everything is fine”, and the same is now true for cyber. Likewise, organisations must ensure that any prospective suppliers, partners, and other third parties have undergone thorough independent audits in the same manner as they would for other financial risks.
Independent cyber risk audits will also improve C-suite and board level decision-making if they are presented in commercial terms, like all other risks. Rather than fixating on specific technical details, cyber audits should use financial metrics, such as value-at-risk, as they would for any other macro risk. There should be an emphasis on the active benefits of good security such as improved productivity, stock value, and insurance premiums. This should be an integral part of all major decisions. In short, merging the rapidly evolving world of cybersecurity with the well understood world of finance will help companies better manage this growing macro risk.