Cyber Risk Emerges as an Independent Category of Enterprise Risk Reporting

This post is contributed by guest blogger Michael Duffy, a member of Bitsight's Board of Directors.

With the growth in the number and sophistication of cyber threats and the daily reports of security breaches, cyber risk is high on the list of the most significant risks that organizations face. In fact, according to the Lloyd's Risk Index 2013, cyber risk is now the third biggest concern of CEOs and their senior executives, following high taxation and loss of customers. These threats and the potential risks call for a rethinking of the right way to approach managing cyber risk in the context of enterprise risk management (ERM).

Organizations have traditionally included cyber risk in the context of the IT risk management pillar under the domain of the CIO. IT risk management has always focused on security risk, but it is also responsible for the risks associated with key areas of internal operations such as IT controls, availability, disaster recovery and performance.

But due to the dramatic increase in sophisticated corporate cyber attacks, including the emergence of state-sponsored cyber terrorism, companies need to step back and think about cyber risks in terms of not just IT risk but also the broader context of ERM. Cyber risks, which are based on threats and attacks originating outside the enterprise, now need to be measured, monitored and reported on separately, as they can have serious implications for the business across ERM categories like strategic risk or reputational risk. By elevating the reporting of cyber risk in the context of ERM, senior business leaders will have better visibility into the true risks faced by the business.

Further, with many businesses adopting cloud-based services, managing cyber risk has become even more important as organizations extend their networks to connect with business partners, such as suppliers and service providers. These organizations are looking for new ways to manage this risk, and what is missing is reliable data on their cyber risk posture across their ecosystem.

Credit risk managers have historically enjoyed the benefit of relying on ratings from third-party firms that provide a reliable assessment of credit based on market and product analysis. IT risk managers need a similar system for cyber risk. Such independent ratings empower IT risk management to understand the state of cyber risk arising from both the corporate network and the extended partner network. Qualified cyber risk rating firms have emerged, providing risk managers with a valuable tool for understanding the state of cyber risk across extended corporate networks.

Cyber risk still should be included in the IT “uber” category for ERM to identify IT risk’s potential impact on the business. But moving forward, given the level of threat and pervasiveness of the risk, cyber risk should be measured, monitored and reported on separately in the context of ratings from qualified cyber risk rating firms.