Companies must understand how their digital systems work in tandem with those of their suppliers and devise protection strategies for combined networks
At Advisen’s Cyber Risk Insights Conference, former US Secretary of Homeland Security Tom Ridge urged major corporations to build organizations that are less vulnerable to and can rebound quickly from cyber-attacks in order to deal with increasing intrusions from hackers, jihadists, organized crime, rogue governments and disgruntled employees.
During his conference keynote address, Ridge cited the world’s heavy reliance on the internet and digital devices and warned that having a more technologically advanced existence makes everyone more vulnerable to cyber intrusions. Companies need to do more to protect corporate intellectual property, consumer data, and shareholder value, he added. The conference was held in New York City on October 28.
‘If the White House, the Department of Defense, the NSA and Congress can’t completely secure their networks, what can be expected of individual businesses?’ he asked. ‘The challenge to all organizations that are built on a digital foundation is to build a cyber-resilient organization.’
Ridge suggested companies use a combination of new technology and shared intelligence to create multiple layers of defenses to manage the risk of a digital attack. This includes adopting the most effective anti-hacking software available and talking to other companies and the government about the types of attacks that have previously been used and learning from those mistakes.
‘Businesses that proactively manage cyber risk and are prepared to at least fix the inevitable attack or breach to keep the disruption to a minimum and bounce back to protect their brand, shareholders, employees, and more importantly, their customers [are] going to have a competitive advantage in the marketplace,’ he said.
Companies should start by collecting real cyber-intelligence and using it to their advantage, Ridge said. Learning from previous digital incursions against their peers in the same industry, companies need to create strategies to respond to threats to the company and its clients. He also said companies must find new ways of assessing cyber-risk because the threats are constantly changing. That requires companies to anticipate how they might be violated, how their suppliers’ networks might be compromised and then figure out how they can create fixes to meet client needs if a breach occurs. Companies that adapt by developing risk-informed processes for optimal preparedness and by regularly evaluating those systems as part of a culture of resiliency will survive, because ‘next year, the cyber risk we are dealing with today will not be the same,’ he said.
The conference also featured Erica Davis, vice president and assistant national manager for specialty E&O for Zurich North America, who presented results from the Advisen & Zurich annual risk management survey. The survey found that data security is considered at least a moderate threat for 88 percent of businesses polled and that in spite of the increasing number of cyber-security incidents, roughly half of all businesses are purchasing cyber-liability policies. Another finding is that the number of respondents whose companies have a data-breach response plan in place has decreased by 10 percent since last year.
Throughout the conference, many presenters repeated Ridge’s theme of resilience in the face of cyber-threats. A panel on cyber-operational risks examined several recent data breaches and other types of cyber-incidents to demonstrate how companies dealt with the problems and were resilient enough to recover. Supply chain vulnerabilities were one focus of the discussion and panelists emphasized that companies must understand how their digital systems work in tandem with their suppliers, create protections for the combined networks and then devise strategies to work around any disruptions that may happen.
Laurie Kamaiko, partner at law firm Edwards Wildman Palmer, led a session analyzing litigation trends tied to cyber incidents. Pointing out that Target’s data breach sparked more than 100 lawsuits, she said companies must be resilient enough to come up with defenses for the many different plaintiffs that may attempt to sue when such incidents occur. Cyber-related litigation can come from customers, suppliers, regulators and shareholders.
The afternoon keynote speaker, Tom Finan, senior cyber-security strategist and counsel for the US Department of Homeland Security, focused on the importance of protecting and enhancing the resilience of the nation’s cyber infrastructure. He emphasized this is relevant to every company because some industries play a major role in securing the nation as a whole.
Finan encouraged companies to emphasize cyber-security throughout their organizations and offered four pillars of effective cyber-risk culture that he urged all companies to adopt:
• Executive leadership – Boards of directors must become more proactive in helping to build a corporate culture that handles cyber-disruptions effectively.
• Education and awareness – Education, training and accountability systems must be put in place internally, at partnering companies and nationally to create a culture of cyber-security.
• Technology – New technologies must be developed to combat cyber-threats.
• Information sharing – Details about different cyber-disruptions and hacker tactics must be shared so that companies can protect themselves from known threats and a national strategy for cyber-security can be developed.
Finan said while companies are concerned about cyber-security, there isn’t enough hard data to quantify the risks posed by cyber-threats. However, there is some evidence that developing a cyber-security culture can help deter breaches.