Risks related to cybersecurity are often treated as a single risk factor. However, the nature and effects of cyber risks are multidimensional. A risk analysis should distinguish between, for example, cyber espionage, hacking, denial-of-service attacks, and malware damage. The effects can likewise be manifold: interrupted operations, leakage of product development information to a competitor, financial losses due to, for example, fraud or lost service capacity, and loss of reputation. Communication of risks and their effects to the management team must include all relevant information so that the management team can decide on appropriate measures to combat them.
The World Economic Forum’s global risk forecast for 2020 indicates that cybersecurity risks remain in the highest quarter of all risks in terms of both probability and impact. In recent years, risks related to climate change have established themselves at the top of these forecasts, but cyber risks have ranked in the top five almost every year for the past decade. The World Economic Forum’s perspective on risk analysis is, of course, broader than what individual companies and organizations should be prepared for. Global risks affect companies in different sectors in different ways. For some companies, climate change is a potential risk, while for others it can even create new opportunities. However, due to the increasingly rapid internationalization and digitalization of business, cyber risks will affect almost all companies, and the management team should take this into account. Management teams should have a holistic view of the various components of cybersecurity and their impact on their own business.
After large-scale cyber-attacks and hacking incidents, management teams often realize that they too are at risk of being a target. Fear of the negative publicity associated with a cyber-attack is enough to trigger management to introduce measures to reduce the risk. New cybersecurity standards and legislative initiatives have the same effect, especially if there are significant sanctions for non-compliance. A good example of the latter is the data protection reform of a couple of years ago, which prompted several companies to increase investment not only in the development of actual data protection processes but also in improving cybersecurity. The recent Act on Information Management in Public Administration has also generated some activity, although its direct sanctions are not as severe as those in the area of data protection.
Cybersecurity on the management agenda
In recent years, according to the latest international research, cybersecurity has gained a more important position on the management agenda. This year it has gained further momentum due to the corona pandemic, as digitalization has taken a giant leap in the operations of most companies. According to research done this autumn, the significance of risks related to cybersecurity rose to the top in management assessments, leaving behind, for example, financial and business risks. However, the significant position that cybersecurity holds on the agenda has often proved to be a temporary achievement. Driven by new legislation or a major hack, the management team commissions an assessment of the current state of cybersecurity and launches measures to “get things right”. According to domestic observations, it often happens that after this momentary activity the matter gradually disappears from the agenda and does not reappear unless something new and significant happens. The management team must ensure that the state of cybersecurity and its areas of development are regularly assessed, and that changes in the operating environment and in performance are constantly monitored.
Management teams should receive regular information on cyber risks and the company’s ability to respond to them. According to a recent American study, the top three priorities of company management teams for cyber reviews are:
- Understandable, non-technical language use.
- Quantitative analysis of cyber risks and their impacts.
- Measurable development of a firm’s ability to combat cyber risks.
The performance of cyber and risk management directors has improved in recent years: three out of five members of the management team feel that they understand almost everything presented in the cyber review. At the same time, however, reviews and reports are said to be too technical. Creating a link between cyber issues and quantitative values is difficult. Possible threats and their effects cannot yet be assessed in economic terms, and no proper metrics have been developed to monitor performance over time. These areas need to be improved so that management teams can guide cybersecurity work within their own roles. The goal should be to create good “cyber risk literacy” for management teams so that they can make the right decisions and guide the company’s improvement efforts by anticipating risks.
The role and responsibilities of management teams
The role and responsibilities of management teams do not end with preparedness and the minimization of cyber risks. The true operational capability of a management team is tested when a serious cyber risk materializes. Smaller risks materialize on a daily basis in large organizations and are handled by cybersecurity managers and experts. The management team is informed of the materialization and impact of minor cyber risks, and of the corrective measures taken, through routine reports, and there is no need for the management team to intervene in the details of such events. It is therefore important to create a clear division of labor for managing the different levels of cyber risk and to give operational cyber professionals peace of mind at work. Management is responsible for practicing crisis management and for initiating measures quickly.
The realization of a cyber risk can trigger the security breach notification obligation defined in various regulations and legislation, in which case the issue quickly becomes a management-level issue. The notification required by the regulation is itself simple to make, but ultimately it is the responsibility of the company’s top management. Failure to notify is a serious breach of current data protection legislation and cybersecurity directives. An important task of the management team is therefore to ensure that the notification process works reliably.
Even in a serious case, it is a good idea to leave the operational defence against cyber-attacks to experts. Involving the authorities, on the other hand, is the task and decision of the management team.
- According to a four-square analysis by the World Economic Forum, cybersecurity risks remain among the highest in probability and impact amidst all global risks. The spectrum of cyber risks is wide, and management teams need to consider them from different perspectives as part of risk management and business strategy. The development of personnel’s cybersecurity competencies should also be the responsibility of the management team.
- The biggest mistake of management is to treat cybersecurity as a one-time effort. Cybersecurity must be taken care of at an executive level as an ongoing process. Cyber risks and their impact need to be quantified and the level of cybersecurity should be measured regularly.
- In addition to risk management and preparedness, the management team also has an important role to play when a cyber risk materializes. Management must have an action plan to manage the situation and restore operations. Communication also plays an important role in the company’s public image.
Featured in Sectra Newsletter, January 2021
Internet Security Alliance, Cyber Risk Oversight 2020 – Key Principles and Practical Guidance for Corporate Boards in Europe, 2020.
PwC, Global Digital Trust Insights Survey 2021 – Cybersecurity Comes of Age, 2020.
World Economic Forum, The Global Risks Report 2020, 2020.