Why a cyber-risk oversight handbook for European corporate boards?

Cybersecurity is the fastest growing, and perhaps most dangerous, threat facing organisations today. Boards are increasingly focused on addressing these threats.

The ISA’s cyber-risk handbooks (also available for the US, UK and Germany) are an attempt to provide Board members with a simple and coherent framework to understand cyber risk, as well as a series of straightforward questions for Boards to ask management to assure that their organisation is properly addressing its unique cyber-risk posture.

The handbook - developed in partnership between ISA and ecoDa - will promote continued adoption of uniform cybersecurity principles for corporate Boards not only in Europe but across the globe. A summary of the 5 principles for managing cyber risk is below, along with key recommendations and links to practical toolkits.

One of the risks with this approach is that there’s been a real increase in the number of claims for compensation being brought by individual data subjects who have been affected by data breaches.

GDPR gives people the toolkit to bring those complaints and then it entitles them to compensation if they have suffered what’s called material or non-material damage as a result of a breach of the regulation. You can bring a claim if you felt distressed or anxious or had any kind of negative emotional reaction. You don’t have to have suffered financial loss. So what we tend to see now is that whenever a large data breach happens, it’s notified to the affected population. In a way it is a good thing and it is one of the aims of the regulation that individuals can take advantage of their rights in this way. Partly though, I would comment that this is to some degree the result of the emergence of a number of independent law firms that are looking to bring these claims and encourage people to bring them on a sort of quasi-collective basis.

Mark Camillo:
We have now released our 2018 claims report on what we’re seeing with respect to cyber notifications. It’s interesting because in Ireland, over 40% of incidents are being reported to the regulator. Whereas in places like Spain, less than 10% are being reported, so there is this big divide.

Q. Typhaine, what do you hear are the risks that the risk managers are most worried about when looking at this topic?

Typhaine Beaupérin, Chief Executive Officer, FERMA:
So first of all for the GDPR, I think it is fair to say that it’s been a real challenge for companies to get through the implementation. It has involved a lot of resources and time. It has been costly. But one of the good things that we can see, and the feedback that we hear, is that it has been a catalyst to raise awareness about those issues. And we see once more that the corporate value of companies is based on intangible assets and data. The data protection that is security has definitely entered into the risk categories of many risk mapping exercises. And it has prompted discussions at the Board level. In addition, the GDPR has had a significant impact on data protection policy and enforcement beyond the EU. So we can see that there is really now a trigger towards normalisation of data protection globally thanks to the GDPR. In terms of managing cyber risk in general, of the two challenges that the risk managers are facing, the first one is about quantification. It’s how you translate cyber risk impacts into business figures. And the second one is a governance issue.

We’re seeing that it’s a cross-disciplinary risk and it needs a holistic approach. However, this is not always the reality and the risk manager can sometimes feel that they are alone.

IT measures can take the larger part of the discussion, whereas it should be a more rounded discussion on the overall exposure of the company, led by the risk manager.

Mark Camillo:
So Nic, obviously you’re seeing a lot of these incidents as they happen and you’re seeing them in the news.

Q. Can you spend a little bit of time talking about some of the breaches that you’ve seen and those handled well and maybe those that have not been handled so well and some of the lessons learned?

Nic Daley, Senior Consultant, Hill + Knowlton Strategies:
So cyber-attacks and data breaches are similar to other organisational crises in that yes, you will be judged on the fact that it happened, but you’ll also be judged on how you respond. Considering all the different audiences and stakeholders that an organisation needs to think about and communicate with, it is really critical.

Where we have good case studies, I’ll use the likes of British Airways last year and their speed of response, a highly visible CEO, and leadership was on display in terms of a strong voice. It was the same with Norsk Hydro, where there was speedy decision making and good communication from leadership.

What we have also seen post-GDPR is that there can be a real freneticism within organisations to communicate very, very quickly after a breach. And the risk is that at that time you usually don’t have all the information that you would like to have in order to communicate.

So there is an ongoing judgement to be made with the forensic data investigators, with a legal team, with the reputation management/PR side of things, to say okay, at what point do we need to be communicating and with whom?

The way that we consider it is when we think about communicating with the different stakeholders - what do we want them to know and to think, and to feel and then to do?

If we just rush to notify and say this has happened, and move onto the next thing, we could actually escalate the initial breach by bringing clients a wave of additional enquiries and queries that actually we’re not in a position to answer.

And so we’ve worked on a number of breaches where there’s an ongoing period of engagement. You might do your initial notification within a week. It could take a couple of months, depending on the data investigation, for an ongoing dialogue with their different audiences and stakeholders, depending on what the forensic data investigation is unveiling.

Coupled with that, some of the other risks and pitfalls that we’ve seen are where you’re not communicating internally in terms of your wider communications piece.

So you might be launching a new product or you might be engaging with your customers about another particular issue and those internal communications teams aren’t talking to one another. The last thing you want is to post something very positive on social media without realising actually there’s a storm that’s developing on Twitter or LinkedIn or wherever it might be, that’s highly critical of the organisation.

The crafting of the messaging and the engagement that we have with customers, with the shareholders, with staff and other partners, is critical to demonstrate that you are being genuinely transparent, that you are being authentic and that you are taking this seriously. It’s an opportunity through your communication to demonstrate all of the things that your business or organisation has done, in order to bolster yourselves and protect, to the best of your ability. And then what you are going to do in the long term to try and ensure that this doesn’t happen again.

Mark Camillo:
Thanks to our panellists. Our cyber claims intelligence series report can be found here.