Traditionally, organizations have managed risk pretty successfully – after all, most of them stayed in business. Whether the risk was an employee stealing money or a hurricane, organizations had a risk manager; that person brought recommendations to the C-suite, and either the risk manager or someone from the C-suite talked to the board if they needed support, recommendations or approval.
Actions included training (very common in the area of safety risk), job aids (such as posters and cheat sheets), process, rules, monitoring, and insurance, among others. This has been working pretty well, for the most part.
For those of you old enough to remember, Bhopal (see Wikipedia http://en.wikipedia.org/wiki/Bhopal_disaster ) was a very unfortunate example of what happens when that process fails. Bhopal is a city in India where Union Carbide had a plant that made pesticides. While there is still argument as to the cause (from sabotage to poor management), somewhere around 8,000 people died within a couple of weeks and half a million people were injured when there was an explosion at the plant in 1984. Many more thousands have died since then as a result of the after effects. There were civil and criminal lawsuits in India and in the U.S. that went on for 30 years, and at least a few people went to jail.
What Bhopal did was make companies understand that they need to manage business risk and that the C-suite and Board of Directors have to be involved. Many things changed in the process industry as a result of that explosion and thankfully, things are a lot safer in that industry now.
Many organizations have created a position of Chief Risk Officer (CRO) and even for those that have not given someone that title, that function is filled by someone in the C-suite, often the CFO or COO. Businesses figured out very quickly after Bhopal that there could be serious reputational damage as well as financial damage from industrial accidents and they needed to manage that risk.
Fast forward 30 years to 2014 and we had cyber breaches at places like Target, Home Depot, J.P. Morgan Chase and Sony that caused huge reputational damage and financial cost. Target alone has spent $160 million as a result of the breach that it suffered in late 2013 but announced in 2014, and that is after its insurance reimbursements. That does not count around 50 lawsuits that are pending.
In most companies, cyber risk management is in about the same state as process risk management was in 1983 prior to Bhopal. In many, if not most companies, there is no one in the C-suite who is responsible for cyber risk and no bright shiny light shining on the problem.
In most companies, the Chief Information Security Officer, or CISO, is responsible for cyber risk, but even though that person has a C in their title, they are usually not part of the C-suite at all. Most Boards spend very little time on cyber risk, claiming instead that it is an IT problem. That is changing, but very slowly. Possibly, the events of 2014 will be to cyber security what the events at Bhopal were to the process industry, but the jury is still out.
An example of this is an insurance company that I am familiar with. InsCo, as I will call it to protect the guilty, is a $250 billion + company. As an insurance company, you would think they would understand risk, and they do. They have a chief risk officer who reports to the CEO. Their CRO deals with things like insurance fraud, among other risks. Is this person responsible for cyber risk? No. Cyber risk at InsCo is an IT problem. The head of cyber risk reports to someone who reports to the CIO, who reports to the C-suite.
I am suggesting that cyber risk is just another business risk and should be handled as such. For many companies, cyber risk, which includes damages from the loss of customer personal information (like the breach at Anthem, another insurance company, that exposed personal information for about 88 million people), is the biggest risk to the company’s survival that the company is exposed to. Sure, manufacturing companies still need to deal with process problems like the ones at Bhopal, but today many organizations are information companies, and their potential exposure is twofold:
- Loss of customer information such as credit card data, personal information and health information
- Loss of intellectual property such as engineering data
An example of the second one, intellectual property, is the theft, in 2007, of design documents for the U.S. F-35 Joint Strike Fighter. The U.S. has spent almost 20 years and $300 billion designing this family of military airplanes, and they won’t be in production mode until 2018, assuming no more delays. In the meantime, the Chinese have built the Chengdu J-20 and J-31. While the Defense Department won’t admit exactly how much the stolen engineering drawings helped the Chinese, it has acknowledged that it is “concerned” about the design of these planes.
Cyber-risk should be integrated into the general business risk management process, and the person responsible for it needs to report directly to the C-suite and the Board. The potential damage from cyber risk is only going to grow as digital information becomes more critical to businesses and as businesses and their partners become more closely connected, sharing information back and forth. This means, as was the case in the Target breach, that a very small and non-critical business partner (in Target’s case, an air conditioning maintenance vendor) could potentially cost a company $500 million after all of the lawsuits are settled.
Is that something the C-Suite and Board should be concerned about?
Should the company have a cyber-risk management strategy that is integrated with the rest of their business risk management strategy?
Do the C-suite and Board need to get educated about cyber-risk immediately?
Should the C-suite and the Board be intimately involved in the decisions regarding cyber-risk?
I guess that depends on how much of an issue writing a check for $500 million is to your company. I guess.