High-Impact Vulnerabilities should not require High-Cost protections
When companies experience significant change such as M&A, Reorganization or Litigation, they become attractive targets for cyberattacks from domestic and nation-state adversaries. Moreover, management often finds itself under new scrutiny from its Boards, Shareholders, Regulators and Strategic Partners. When international elements are in play, multiple jurisdictions’ privacy and security concerns may intensify oversight.
At such times, management should take special care to observe prudent Enterprise Risk Management (ERM) protocols to assure stakeholders that financial and reputational risks are identified, quantified and protected against.
Cyber Risk is particularly important in this regard, as companies are more vulnerable to incidental and adversarial breaches with serious consequences to stakeholder interests.
Informed by well-executed threat and vulnerability analyses, capable Cyber Security professionals apply tools, frameworks and expertise to protect against most significant attacks and accidents, ensuring Cyber Hygiene with responsible regulatory compliance management programs. They optimize the allocation of their cyber budgets to detect the most dangerous attacks and mitigate the most serious vulnerabilities.
Yet the impact on enterprise-level consequences, including EPS, Capital (Risk Weighted Assets), Free Cash Flow, Reputation, Valuation and Volatility, including Geopolitical Risk, has not been part of the normal cyber analysis protocol – without which resource allocation policies cannot always distinguish between critical and non-essential expenditures, reserves and disclosure strategies. Integrating consequence-driven ERM with vulnerability-driven Cyber Security programs provides a more complete, secure and economical enterprise risk outcome.
What can be done?
An effort to overlay an ERM perspective of Cyber Risk can demonstrate that earnings per share, cash, capital, valuation and reputation are protected, and that expenditures and reserves are set commensurate with Enterprise Exposure – reflecting the best interests of the new and expanded stakeholder community:
- Analyze your Cyber Risk Landscape from adversary to wiring closet to balance sheet to identify Sources and Quantify Consequences, with emphasis on high-value Information Assets
- Determine cyber risk appetite and tolerance
- Allocate expenditures commensurate with earnings exposure
- Determine capital reserves pursuant to risk-weighted assets
- Adopt a prudent disclosure policy for periodic (10-Q) and incidental (breach) events
Compliments of New World Technology Partners, a member of the EACCNY