What do the SEC, ABA, NACD and EU GDPR Authorities all agree you need to do now about Cybersecurity Risk?
Cyber risk - Warren Buffett says it’s the number one threat in our world. In your business it’s crucial - the risk is real, and it’s all around us and growing. But how much do we know? Can I say what my total cyber risk is, in financial terms? Where would I start, to really attack my greatest sources of cyber risk?
Knowing Cybersecurity Risk
Is it important, or even valuable, to understand cybersecurity risk? The many challenges of attempting to understand it make success difficult. Is there anything we can do with a better understanding of cybersecurity risk that we could not do otherwise? Many regulators have weighed in with requirements for gaining an understanding of cybersecurity risk, and boards of directors, shareholders, senior management, auditors and trading partners want to know. But how do we go about gaining a realistic understanding of cybersecurity risk? We discuss the challenges and available methods, and present a way forward to attain cybersecurity risk knowledge.
“Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
- Recital 76, General Data Protection Regulation (GDPR), European Union
Understanding the Enterprise Cybersecurity Program: Four Key Questions
According to a 2015 survey by EY, only 7% of senior management reported satisfaction with their own organization’s cybersecurity policy. Similar levels of discomfort persist in terms of cybersecurity strategy. In a recent cybersecurity conference for board members, sessions focused on starting cyber-risk oversight efforts from the basis of strategy, helping directors take a more holistic approach to building a cyber-risk-aware culture, and examining the board’s ability to gain transparent communication and understanding of both triumphs and failures in the cybersecurity program.
How do we know that we are making progress in these pressing areas? Based on the dynamics we experience with clients in these areas, we identify four key questions that can help clients gauge their progress toward more fully informed oversight of cybersecurity by the board and senior management.