Over the last year, the global business sector has reached a new and important turning point in the struggle to manage cyber risk. Marsh & McLennan Companies issued the 2018 edition of the MMC Cyber Risk Handbook, providing insights on the shifting cyber threat environment, emerging global regulatory trends, and best practices in the journey to cyber resiliency.
According to MMC, three characteristics mark this new phase. First, global cyber-crime has reached such a high level of sophistication that it represents a mature, though illicit, global business sector in its own right.
Second, with near-ubiquitous technologies now connecting the digital and physical worlds to an unprecedented degree, new potential exists for individual cyber-attacks to devastate critical business and operational processes.
The third characteristic taking shape today is the rising importance of institutions—governments, regulatory authorities, law enforcement agencies, the insurance industry, and others—as critical to countering the global cyber threat. Cyber risks can only be dealt with effectively if there is a common understanding of their importance and increasingly interconnected nature.
When Danish shipping giant A.P. Moller-Maersk’s computer system was attacked on June 27 by hackers, it led to disruption in transport across the planet, including delays at the Port of New York and New Jersey, the Port of Los Angeles, Europe’s largest port in Rotterdam, and India’s largest container port near Mumbai.
For the transportation and logistics (T&L) industry, the June 27 cyberattack is a clarion call to elevate cybersecurity to a top priority, the report notes. Besides Maersk, press reports said other transportation and logistics industry giants were affected including German postal and logistics company Deutsche Post and German railway operator Deutsche Bahn, which was also a victim of the WannaCry ransomware hack in May.
The report highlights that, while up until now hackers have seemed more preoccupied with penetrating computer systems at banks, retailers, and government agencies – places where a hacker can find access to lots of money and data and create substantial disruption – the most recent ransomware attacks demonstrate that the transportation and logistics industry is now on hackers’ radars.
As a result, Paul Mee and James Morgan propose five strategic moves in the report to help institutions position themselves well to address existing cyber risk management challenges:
- Seek to quantify cyber risk in terms of capital and earnings at risk: Boards of Directors and all levels of management intuitively relate to risks that are quantified in economic terms. Explaining any type of risk, opportunity, or tradeoff relative to the bottom line brings sharper focus to the debate.
- Anchor all cyber risk governance through risk appetite: Setting a risk appetite enables the Board and senior management to more deeply understand exposure to specific cyber risks, establish clarity on the cyber imperatives for the organization, work out tradeoffs, and determine priorities. Considering cyber risk in this way also enables it to be brought into a common framework with all other risks and provides a starting point to discuss whether the exposure is affordable (given capital and earnings) and strategically acceptable.
- Ensure effectiveness of independent cyber risk oversight using specialized skills: CROs and risk management functions have traditionally developed specialized skills for many risk types, but often have not evolved as much depth on IT and cyber risks. Organizations have overcome this challenge by weaving risk management into the IT organization as a First Line function.
- Comprehensively map and test controls, especially for third-party interactions: Institutions need to undertake more rigorous and more frequent assessments of cyber risks across operations, technology, and people. These assessments need to test the efficacy of surveillance, the effectiveness of protection and defensive controls, the responsiveness of the organization, and the ability to recover in a manner consistent with expectations of the Board.
- Develop and exercise major incident management playbooks: As part of raising the bar on cyber resilience, companies need to ensure that they have clearly documented and proven cyber incident response plans that include a comprehensive array of attack scenarios, clear identification of accountabilities across the organization, response strategies, and associated internal and external communication scenarios.
“Cyber risk represents a relatively new class of risk which brings with it the need to grasp the often complex technological aspects, social engineering factors, and changing nature of Operational Risk as a consequence of cyber. Leadership has to understand the threat landscape and be fully prepared to address the associated challenges. It would be impractical to have zero tolerance to cyber risk, so institutions will need to determine their risk appetite with regard to cyber, and consequently, make direct governance, investment, and operational design decisions.”
Explore more by reading the full report: