Cyber Threats and Risk Amplification
It’s no secret that cyber risk has come to dominate security strategies, business continuity planning, and incident management alike. In today’s interconnected business climate, organizations must approach cybersecurity holistically to protect critical data and demonstrate resilience to investors. Unlike most other risks, however, cyber has the ability to trigger and magnify other risks, accumulating consequences that reach far beyond the digital realm.
As organizations operationalize the latest SEC cyber event reporting obligations, the time is ripe to discuss not only how cyber events are reported, but who owns cyber risk, and how collaboration can reduce organizational risk.
Cyber Escalations and Obligations
A report from the Wall Street Journal explores how Lockheed Martin may pave the way for organizations reporting to the SEC.
Among the first to file cybersecurity disclosures with the SEC under the new rules, Lockheed Martin described how it manages cyber risks, but shared little about how it concludes that a cyberattack may cause material harm to its business, a crucial concept in the SEC’s push for investor transparency.
Lockheed said its board of directors is informed of all cybersecurity incidents believed to have a moderate or higher business impact, even those that are immaterial to the business. However, the filing did not explain the process by which materiality is determined, including how information is shared across the company and how teams collaborate to identify and mitigate risks.
In this article, we will explore the importance of collaboration in cybersecurity, the role of the risk register owner in facilitating collaboration, and effective strategies for raising awareness and promoting risk mitigation beyond silos.
But first… why is cyber risk uniquely devious?
Amplification and Shared Risks
The AON 2024 Risk Register places cyberattacks and data breaches as the number one issue that risk managers are currently preparing for. Because cyberattacks are becoming more frequent and more sophisticated, they can cause significant disruption and financial loss to organizations of all sizes. That alone would justify the ranking, but it also makes it essential to consider how cyber risk amplifies every other organizational risk.
For instance, a cyberattack could lead to the theft of sensitive customer information, which could then be used for identity theft or fraud. The resulting damage to the organization’s reputation could cost it customers and revenue. A cyberattack could also disrupt operations, preventing the organization from delivering its products or services and leading to lost productivity and additional costs. Each of these is a separate entry on a conventional risk register, yet one event sets all of them in motion.
The interconnectedness of the modern world also means that a security incident in one region can quickly spread to others, causing widespread damage. For example, the WannaCry ransomware attack in 2017 infected more than 200,000 computers in over 150 countries, causing significant disruption to businesses and organizations around the world.
In an appearance on The Privacy & Compliance Collective, Ria Thomas, Senior Vice President, Head of Cyber Organizational Resilience at Truist Bank posited, “I’ve found that when you look at cyber risk, you almost have to think of it as a standalone threat as well as the fallouts of that risk.”
Who Owns the Risk Register?
A risk register is a document that identifies and assesses the risks that an organization faces. It plays a critical role in making sure that risks are managed effectively and that the organization can achieve its objectives.
Every organization’s risk register is unique, shaped by its own needs and its appetite for risk. The benefits of maintaining one, however, are shared. They include:
- Improved risk management: A risk register helps organizations to identify and assess risks in a systematic way, ensuring that no risks are overlooked. This enables organizations to prioritize risks and develop appropriate mitigation strategies.
- Enhanced decision-making: A risk register provides decision-makers with the information they need to make informed decisions about the risks that the organization faces. This can help organizations avoid making decisions that could increase their exposure to risk.
- Improved compliance: A risk register can help organizations to comply with regulatory requirements and industry standards. Many regulations and standards require organizations to have a risk management process in place, and a risk register is an essential part of this process.
- Increased stakeholder confidence: A risk register can help to build confidence among stakeholders that the organization is managing risks effectively. This can be important for attracting investors, customers, and other stakeholders.
The question of who owns the risk register at an organization can be a complex one. In some cases, the risk management department may own the risk register. In other cases, it may be owned by the internal audit department or the compliance department. Ultimately, the best approach will depend on the size and structure of the organization. Lockheed identified its chief information security officer as the individual responsible for the overall security strategy.
Regardless of who owns the register, determining materiality through a single lens will lead to under-evaluating the threat. To comply with the SEC disclosure rule, you need to understand how a cyber event relates to the organization’s wider risks, and that is an answer found only through collaboration.
How Can a Risk Register Owner Facilitate Collaboration?
The risk register owner plays a critical role in facilitating collaboration by ensuring that all stakeholders have access to the risk register and can easily contribute to it. This can be achieved by using a centralized platform that allows stakeholders to view and update the risk register in real time.
The risk register owner should also facilitate regular meetings and discussions to review and update the risk register, ensuring that all stakeholders are on the same page and that any changes to the risk landscape are captured.
“Resilience to me is being able to survive and thrive as a business. Risk owners should ask, what risks do we need to see as amplified? How are we coming together to mitigate, transfer, or even accept the risks that exist? How have we collected the entirety of the risk to understand as a business what we need to do about it?” – Ria Thomas
Furthermore, the risk register owner should provide training and support to stakeholders on how to use the risk register effectively, so that they understand their roles and responsibilities in risk management and can contribute to the register with confidence. Doing so also signals the importance of risk management and ensures that threats to the organization receive the attention they deserve.
Finally, the risk register owner should use the risk register to inform decision-making and resource allocation. By understanding the risks that the organization faces, the risk register owner can help management make informed decisions about where to allocate resources and how to mitigate risks. This will help the organization to achieve its objectives and protect its stakeholders from potential harm.
How Can CISOs Raise Awareness?
“The risk register is a great place to start sharing how one type of issue impacts what you own and how the organization, together, will be held accountable for the fallout. CISOs aren’t the only titles being held responsible in recent court filings. Awareness really needs to be the language of the business. When you speak with general counsel, you use a different language than you do with your CEO. It’s all about describing the impacts to them to help them see methods to resolving risk together.” – Ria Thomas
CISOs play a critical role in raising awareness of cybersecurity risks within their organizations. By taking a proactive approach and implementing effective strategies, they can ensure that employees are well-informed and equipped to protect sensitive data and systems. One crucial step is to establish a centralized risk management program that outlines the organization’s cybersecurity policies, procedures, and best practices. This program should be easily accessible to all employees and regularly updated to reflect evolving threats.
Regular communication with the board and senior management is essential for keeping cybersecurity risks at the forefront of decision-making. CISOs should provide regular reports on the current risk landscape, highlighting potential vulnerabilities and the business impact of security incidents rather than technical detail alone. By keeping leadership informed, CISOs can secure the resources and support needed to implement effective cybersecurity measures.
Encouraging employees to report security incidents is vital for early detection and response. CISOs should create a culture of open communication where employees feel comfortable reporting any suspicious activities or breaches of security protocols. This can be achieved by establishing clear reporting channels, ensuring confidentiality, and providing incentives for reporting.
Providing comprehensive training and education on cybersecurity risks is crucial for empowering employees to protect themselves and the organization. Training programs should cover topics such as identifying phishing emails, using strong passwords, and securing devices. Regular awareness campaigns and workshops can reinforce these learnings and keep cybersecurity top-of-mind for employees.
Regular risk assessments and audits are essential for identifying vulnerabilities and gaps in an organization’s cybersecurity defenses. CISOs should conduct these assessments periodically and use the findings to prioritize remediation efforts. By proactively addressing risks, organizations can minimize the likelihood and impact of security incidents.