Cyber Risk

Cybersecurity by the Numbers

Some corporate boards innovate in cyber risk while some fall behind, according to some new reports.
By: | May 12, 2017 • 4 min read

New reports show how companies can profit from innovative risk strategies and achieve the cyber risk maturity that still eludes most firms.

PwC released its annual Risk in Review report, “Managing risk from the front line” in April. The report highlights companies that shift risk management strategy into their revenue-generating units — and project higher profits as a result.

Advertisement




The study’s “Front Liners” — companies most adept at moving risk decision-making into their front line units — comprise only 13 percent of a wide sample (almost 1600 executives across 30 industries), with 63 percent agreeing that they should take similar measures and 46 percent actively intending to within 36 months.

These Front Liners, as PwC calls them, tend to predict increased profit margin growth and increased revenue growth. They also recover more quickly from business disruptions.

Front Liners also manage all measured risks more efficiently, including cybersecurity risks — but many of these top scorers unexpectedly lag in overall “cyber risk maturity.”

Only 3 percent of all respondents showed “very high maturity” at managing cyber risks, with only 6 percent more at “high maturity.”

“Every company is on a journey,” Grant Waterfall, PwC’s global cybersecurity and privacy assurance co-leader pointed out.

Beyond heavily regulated, data-centric industries like banking and finance, he said, traditional or manufacturing firms are increasingly becoming tech companies, as they do business online, through mobile apps, or embed tech in their products.

Grant Waterfall, PwC’s global cybersecurity and privacy assurance co-leader

They accumulate —  and need to protect — consumer data (or consumers themselves, vulnerable from the use of hack-prone driverless cars or medical devices). Their own proprietary information and systems are also high-value hacker targets.

In the new Internet of Things marketplace, companies also need to be known as safe to do business with, said Waterfall.  Cybersecurity budgets may become part of the brand conversation.

Cyber risk is top-of-mind across all industries. A full 62 percent of firms surveyed expect a breach in the next three years. In PwC’s 20th Annual Global CEO survey, 85 percent of U.S. CEOs were “somewhat or extremely concerned” about cyber threats to fiscal growth.

Despite this concern, companies remain slow to upgrade or implement security measures.  Observers blame poor communication between corporate directors and security executives.

Yong-Gon Chon, CEO of Focal Point Data Risk LLC, a data security company, points to a “disparity in alignment” between the perspectives of board members and security leaders. Many studies have highlighted each side’s different priorities, he said. Data (and data security) are intangible and invisible.

Their value can be hard to quantify. Corporate directors may be slow to perceive the security measures (and expenditures) needed.

Waterfall, a co-sponsor of the PwC 2017 report, agreed that this is a problem.

“There’s no lack of awareness at board-level that this is a very, very important risk. But there is a disconnect between the people who really understand the issues and the boards’ understanding of the issues,” he said.

Many boardroom visitors note this troubled dynamic.

Dena Cusick, Technology, Privacy and Network Risk Practice Leader at Wells Fargo Insurance Services, consults with security leaders, directors and their committees on risk transfer options.

Boards — and security leaders — routinely ask her team to fill knowledge gaps or help with readiness evaluations when in-house communication falls short. Cusick has reviewed numerous proprietary risk assessments, and often finds little clarity.

“If I don’t know what this means,” she says, “how is the board going to know what this means?”

Focal Point Data Risk LLC, located in Tampa, Fla., and Virginia-based research services firm Cyentia Institute, jointly issued an in-depth analysis of this tension between CISOs, their CIO/CTOs, and their boards.

“There’s no lack of awareness at board-level that this is a very, very important risk. But there is a disconnect between the people who really understand the issues and the boards’ understanding of the issues,” — Grant Waterfall, global cybersecurity and privacy assurance co-leader, PwC

The “Cyber Balance Sheet” 2017 Report acknowledges that stakeholders’ different priorities (and vocabularies) can preclude meaningful dialogue.

This study identifies and explores six “balance points” where communication stalls or breaks down between the CISO and the directors — and provides tools to ignite collaboration.

Advertisement




“We as an industry have an opportunity to really change how we measure cyber risk,” said Chon. Common ground, including mutually accepted metrics, must come first.

The report introduces the concept of the cyber balance sheet, which enables security leaders to present data and cyber security concepts as traditional assets and liabilities.

Directors can then view these in the same format used for operational or financial risks. They can accept, mitigate, or transfer risk as needed, directly from the balance sheet. Chon insists true risk management includes all three processes.

When directors are fully educated in their own language, he said, progress begins. Security leaders who can get backing for an organizational “stress test,” such as a breach-readiness assessment, or establish the value of their data (including “crown jewels” vs. other data types), have made important strides.

Board members do lose sleep over possible cyber events, said Cusick. They know the risk is out there, and are not afraid to parse options.

“Someone just needs to distill it for them.”

David Whiteside spent 23 years in the insurance industry, and now works as an insurance and financial journalist. He lives and writes from southwestern Utah. David can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Risk Management

The Profession

This senior risk manager values his role in helping Varian Medical Systems support research and technologies in the fight against cancer.
By: | September 12, 2017 • 5 min read

R&I: What was your first job?

When I was 15 years old I had a summer job working for the city of Plentywood, mowing grass in the parks and ballfields, emptying garbage cans, hauling waste to the dump, painting crosswalk lines.  A great job for a teenager but I thought getting a college degree and working in an air-conditioned office would be a good plan long term.

R&I: How did you come to work in risk management?

I was enrolled in the University of Montana as a general business student, and I wanted to declare a more specialized major during my sophomore year. I was working for my dad at his insurance agency over the summer, and taking new agent training coursework on property/casualty risks in my spare time, so I had an appreciation for insurance. My dad suggested I research risk management for a career, and I transferred sight unseen to the University of Georgia to enroll in their risk management program. I did an internship as a senior with the risk management department at Sulzer Medica, and they offered me a full time job.

R&I: What could the risk management community be doing a better job of?

Advertisement




We need to do a better job of saying yes. We tend to want to say no to many risks, but there are upside benefits to some risks. If we initiate a collaborative exercise with the risk owners — people who may have unique knowledge about that particular risk — and include a cross section of people from other corporate functions, you can do an effective job of taking the risk apart to analyze it, figure out a way to manage that exposure, and then reap the upside benefits while reducing the downside exposure. That can be done with new products and new service offerings, when there isn’t coverage available for a risk. It’s asking, is there anything we can do to reduce the risk without transferring it?

R&I: What emerging commercial risk most concerns you?

Cyber liability. There’s so much at stake and the bad guys are getting more resourceful every day. At Varian, our first approach is to try to make our systems and products more resilient, so we’re trying to direct resources to preventing it from happening in the first place. It’s a huge reputation risk if one of our products or systems were compromised, so we want to avoid that at all costs.

We need to do a better job of saying yes. We tend to want to say no to many risks, but there are upside benefits to some risks.

R&I: What insurance carrier do you have the highest opinion of?

I’ve worked with a number of great ones over the years. We’ve enjoyed a great property insurance relationship with Zurich. Their loss control services are very valuable to us. On the umbrella liability side, it’s been great partnering with companies like Swiss Re and Berkley Life Sciences because they’ve put in the time and effort to understand our unique risk exposures.

R&I: How much business do you do direct versus going through a broker?

One hundred percent through a broker. I view our broker as an extension of our risk management team. We benefit from each team member’s respective area of expertise and experience.

R&I: Is the contingent commission controversy overblown?

Advertisement




I think so. The brokers were kind of villainized by Spitzer. I think it’s fair for brokers and insurers to make a reasonable profit, and if a portion of their profit came from contingent commissions, I’m fine with that. But I do appreciate the transparency and disclosure that came out as a result of the fiasco.

R&I: Are you optimistic about the US economy or pessimistic and why?

David Collins, Senior Manager, Risk Management, Varian Medical Systems Inc.

While we might be doing fine here in the U.S. from an economic perspective, the Middle East is a mess, and we’re living with nuclear threat from North Korea. But hope springs eternal, so I’m cautiously optimistic. I’m hoping saner minds prevail and our leaders throughout the world work together to make things better.

R&I: Who is your mentor and why?

My Dad got me started down the insurance and risk path. I’ve also been fortunate to work for or with a number of University of Georgia alumni who’ve been mentors for me. I’ve worked side by side with Karen Epermanis, Michael Rousseau, and Elisha Finney. And I’ve worked with Daniel Dean in his capacity as a broker.

R&I: What have you accomplished that you are proudest of?

Advertisement




Raising my kids. I have a 15-year-old and 12-year-old, and they’re making mom and dad proud of the people they’re turning into.

On a professional level, a recent one would be the creation and implementation of our global travel risk program, which was a combined effort between security, travel and risk functions.

We have a huge team of service personnel around the world, traveling to customer sites to do maintenance and repair. We needed a way to track, monitor and communicate with them. We may need to make security arrangements or vet their lodging in some circumstances.

R&I: What do your friends and family think you do?

My 12-year-old son thought my job responsibilities could be summed up as a “professional worrier.” And that’s not too far off.

R&I: What about this work do you find the most fulfilling or rewarding?

Varian’s mission is to focus energy on saving lives. Proper administration of the risk function puts the company in a better position to financially support research that improves products and capabilities, helps to educate health care providers and support cancer care in general. It means more lives saved from a terrible disease. I’m proud to contribute toward that.

When you meet someone whose cancer has been successfully treated with one of our products, it’s a powerful reward.




Katie Siegel is an associate editor at Risk & Insurance®. She can be reached at [email protected]