December 16, 2021
December 16, 2021
A little over a year ago, I wrote a piece discussing how the pandemic was affecting those managing cyber risk. I had three big conclusions: The first was that a pandemic was not an unforeseeable occurrence, although obviously the details were unpredictable. The second was on the need to build resilient organizations that could withstand work from home, including the crucial need to communicate, manage, recruit, and onboard staff from anywhere. Third, I made the point that digital transformation really is resiliency. For some time prior to 2020, many organizations treated digital transformation like a special project instead of making it the core of the business model. The pandemic made everyone think differently about how the Internet and mobile apps make their businesses work.
Those three points still hold true today, and importantly, it hasn’t just been boards and their executive teams that have experienced changes. Hackers have likewise shifted their focus to those very same businesses that rely heavily on their digital infrastructure to deliver on their mission and vision. This shift in tactics by digital assailants is at least part of why a Gartner survey revealed that 88 percent of boards are seeing cyber risk as business risk. This maturation of perspective from cybersecurity as a technical issue to cybersecurity as a business risk relates directly to how connected organizations have become to their digital business models, and, frankly, to customer expectations.
Credit rating agencies have also recognized this digital shift and have adjusted their rating models and research to account for this. After all, cyber risk is business risk. In its latest report on cyber risk, Moody’s Investors Service identified that organizations failing to adapt their cybersecurity practices to the new remote and hybrid work patterns will be most at risk, especially during transition periods. This is further shown by the increase in the cybersecurity talent gap, which makes proper security practices difficult to staff.
Further complicating matters will be the increase in regulatory oversight that Moody’s predicts will emerge as governments increasingly see supply chain problems as a challenge to national security. Moody’s also indicates that cyber-risk quantification will be increasingly adopted to help organizations translate technology to business language and to provide a common benchmark for organizations to evaluate their cyber risk. Ratings agencies will broadly adopt cyber-risk quantification to help understand the relative differences between an organization’s cyber-loss exposure and control posture.
Those are the same factors that are affecting the scoring components used to build global cyber ratings. Credit rating companies are looking to understand how often and to what degree companies are going to experience cyber losses and not just data breaches. Since the pandemic began, there has been a huge swing away from attackers focusing on monetizing personal identifiable information and toward them using ransomware attacks. Such attacks can involve “triple extortion,” in which the attackers demand a ransom three times: first, to allow for the recovery of information; second, to not publish sensitive information online (doxing); and third, to not contact customers demanding they also pay to not have their data disclosed. This triple threat has placed many on notice, including cyber insurers.
As a result, cyber insurers are increasingly limiting coverage to limit their exposure. They are also looking to gather more information to better inform their underwriting models on potential payouts. Underwriting departments are looking to cyber rating firms to assist with this. In addition to projecting loss potential for organizations, rating firms are looking to better understand what series of risk triggers and kill chains an organization has and which they defend against well. In much the same way that high liability limits for a life insurance policy require a biometric screening, so, too, will organizations looking for cyber-insurance policies be subject to more invasive examinations. This includes internal assessments of system configurations and processes.
As cybersecurity, credit ratings, and cyber insurance continue to converge, the impacts of 2021 will continue. As a result, the future of cyber ratings will include more quantification, and eventually, more public disclosure about security performance and loss exposure, similar to the way corporate and sovereign credit ratings are handled today. This will benefit everyone, as it creates more clarity around how cybersecurity should be managed and gives boards better direction about how their executive teams are performing.
As vice president and head of cyber-risk methodology for BitSight, Jack Freund, NACD.DC, has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk. Previously, Freund was director of risk science and board advisor at quantitative risk management start-up RiskLens. He has spent his career consulting, building, and leading technology and risk management programs for Fortune 100 organizations, including TIAA, Nationwide Mutual Insurance Co., and Lucent Technologies.
NACD: Tools and resources to help guide you in unpredictable times.