Companies face risks of many shapes and sizes but sometimes struggle to prioritize them. Yet it’s a flat-out certainty that, today, the greatest perceived threat to business health and success is the scourge of bad actors aiming to gain access to corporate information systems.
A recent CFO Research survey, conducted in collaboration with global insurance provider Hiscox, asked 204 senior finance and risk executives to identify the risks that concern them most. Topping the list, chosen by 42% of survey respondents, was “data breach.” (See Figure 1.)
When a major cyber-attack or breach makes headlines, it’s natural for companies to look inward at their own preparedness. However, it’s not enough to elevate cyber-security only in the wake of an attack. Today’s environment demands that companies keep it at the top of their risk-management concerns. Detecting and protecting against an ever-shifting landscape of exposures requires a commitment to staying equipped with the most advanced technologies and other resources available to the company.
For executives responsible for detecting and managing cyber-risks, that means battling an influx of what may look like new and unfamiliar threats, even if, in reality, they are only hackers’ latest strategies for achieving the same goals. To be sure, in recent years executives have become far more cognizant of cyber-threats, as reflected in companies’ intensifying efforts to mitigate them. Still, the level of risk continues to rise.
What makes hackers especially difficult to thwart is that they’re continually changing their attack strategies and seeking new vulnerabilities.
So it’s up to companies to keep locating — and sealing — cracks in their protective bubbles. Indeed, the importance and difficulty of managing cyber-risks is such that nearly 7 in 10 companies (68%) represented in the survey have a position dedicated to risk management.
Protect What You Can
It’s crucial for executives to realize that hackers’ perpetual inventiveness shouldn’t discourage companies from addressing the risk, even if they can’t eradicate it. The risk management function, like cyber-attackers, must continually evolve — not only to shield the company from cyber-threats, but also to minimize the potential impact of any such events that do occur. Says one executive who responded to the survey, “Risk elimination is not our goal. Risk reduction is our goal.”
It’s easy to understand why so many senior executives share the same unease. Given the stakes, companies can’t afford to be complacent. Beyond compromising sensitive data about customers or suppliers, cyber-breaches can critically impair relationships with any and all business partners, including investors.
Cyber-attackers have successfully breached brand-name retailers, high-profile financial organizations, and others, including Equifax. In the aftermath of such breaches, the damage can spread in many directions, not only contaminating a company’s reputation but also poisoning its bond with customers by exposing them to identity theft and subsequent financial losses.
Retail giant Target’s 2013 breach sent quarterly profits into a plunging spiral and ultimately cost the CEO his job. An awareness of how far and wide such damage can spread exemplifies why almost 3 in 10 respondents (29%) chose “bad press” as a top concern.
Cyber-attackers typically share a common motivation: money. There’s a liquid market for customer information, including Social Security numbers and credit card data. Companies are clearly aware of their responsibility to protect customers from being compromised. Among respondents, a clear majority (59%) cited customers as their top-most concern in terms of potential litigants. In second place, named by significantly fewer respondents (40%), were regulators, followed by employees at 33%. (See Figure 2, below.)
Cybersecurity has become a hot topic among lawmakers, who have been seeking a definition for “reasonable” security measures. Such a classification could theoretically become part of a law that would hold companies responsible for breaches in which they could legally be deemed “negligent.”
Efforts to require companies to report certain aspects of their business practices that have created potential vulnerabilities have foundered — so far — because such disclosures could also provide a treasure map for hackers.
Ranking second on the list of top risks — and not far behind data breaches — was “regulatory examinations,” cited by 39% of respondents. There is good reason for assigning a high level of risk to such actions, and it relates to cybersecurity.
The two types of insurance that ranked highest on survey-takers’ list of policy purchases under consideration were cyber/network/privacy liability coverage (29%) and cyber-breach expense coverage (25%). Those were selected by about as many respondents as indicated they already hold such policies (31% and 39%, respectively).
What does that have to do with regulation? Companies are all too aware of the large sums they’ve already had to spend to comply with federal and state disclosure requirements — for example, for encryption technology.
This year, the risk posed by cyber-regulation is particularly vivid to companies doing business in Europe. Under the European Union’s new General Data Protection Regulation, slated to take effect May 25, fines for noncompliance range up to a whopping 4% of a company’s worldwide revenues. To suggest that companies will do whatever they must to avoid such an onerous penalty qualifies as a rank understatement.
Just as regulators serve as significant sources of anxiety in the realm of risk management, so too, as noted above, do customers and employees. Almost a quarter (24%) of survey participants ranked “injured employees” as a risk of great concern, and nearly as many (23%) said the same about “injured customers.” Further, 24% of those surveyed cited concern over potential labor disputes.
Such concerns help explain why a vast majority (90%) of companies represented in the survey have internal legal counsel. It underscores the seriousness of the challenge businesses face in identifying concerns even before they mature into full-blown risks.
Another factor fueling the need for legal counsel within the corporate structure is an unprecedented level of organizational complexity, with key emerging risks — in the regulatory arena, for instance — requiring legal guidance specific to a company’s priorities and practices.
Companies need to take a consistent approach toward any litigation, no matter the source, advises one executive. “Fight nuisance lawsuits tooth and nail and get a reputation out there that you will continue to fight these types of lawsuits, which will reduce the propensity of ‘ambulance chasers’ to sue your company,” he says.
Seen through a different lens, regulators, customers, and employees are also crucial sources of corporate stability. But the fact that respondents rank them so highly as potentially damaging risks highlights what makes risk management so challenging. Whether it’s cyber-hackers or other risks, they may be hiding in plain sight. For senior executives, it’s crucial to have the tools necessary to see them clearly.