The Next Board Meeting Agenda Must Include Cyber Risk Management

Greater sophistication inadvertently makes cyber systems more vulnerable. A simple update to trusted software installed on a computer, or to an app on a smartphone, can expose users to hacks, let alone the threats posed by the countless malicious programs that we have somewhat learned to sidestep.

Before the Colonial ransomware attack in May, the SolarWinds cyberattack created a buzz. The modus operandi of hackers involved penetrating the company’s software system and adding malicious code. SolarWinds’ compromised system was used by tens of thousands of clients, including US government agencies and Fortune 500 companies. As a result, everyone was exposed to hackers.

SolarWinds’ system was hacked sometime in early 2020, but it took months for the company to notice a breach in the software. The system is yet to be cleared of malicious code, and companies like Microsoft, Deloitte, and Intel are still under threat of criminal access to data stored in the system. It was the SolarWinds attack that compelled even the US government to rethink its approach to cybersecurity. News reports have it that the federal government’s Cyber Command, presently a part of the National Security Agency, may soon be made an independent agency.

For business leaders across the globe, it is time to reckon with the inevitability of cybersecurity.

The Twitter hack has lessons

Since the beginning of 2020, a large chunk of work has shifted from relatively secure workplace IT infrastructure to employees’ homes. This has made companies’ IT systems more vulnerable to attackers. Last year’s cyberattack on some influential Twitter users, including Elon Musk, Barack Obama, and President Joe Biden, reportedly occurred as employees shifted to a work-from-home regime, which increased the exposure of Twitter’s IT system. The attack also revealed how special security provisions for former US President Donald Trump’s account kept hackers from breaching it.

Even the elite cybersecurity firm, FireEye, was not spared by hackers who gained access to its systems used for testing clients’ security.

If the Twitter and SolarWinds cyberattacks failed to serve as an eye-opener for business leaders, the recent Colonial Pipeline attack has reignited the need for implementing impeccable cyber protections. Many large companies are seeking cyber insurance after the breach brought oil supply in some parts of North America to a screeching halt. Insurance premiums are expected to be hiked by at least 25 per cent given the losses incurred by insurers. Previously, average ransoms paid after attacks were in the range of US$2 million, but that figure has spiked to US$40 million, according to news reports.

Can cyber insurance be the answer?

Buying cyber insurance can come with many security cushions. Policies cover not only the ransom paid to attackers but also costs related to disruptions in business continuity. In addition, cyber insurance firms can provide trained staffers who can negotiate with hackers and speed up processes. Some states also require companies to inform their customers about any data breach that can compromise privacy and financial security. Thus, cyber risk management is a strong candidate for the agenda of board meetings at big and medium businesses.

In this light, the onus is also upon cyber insurers to be more transparent about premiums and the quantification of costs during claims. Premiums largely depend on the forces of demand and supply. Although demand will be high in the coming months, major attacks such as those on SolarWinds, Twitter, and Colonial will keep premiums from becoming more affordable.

Hackers struck again this week, and this time it was the world’s largest meatpacker whose system was breached. JBS was forced to shut down operations in Australia temporarily, and the supply of meat is likely to see disruptions, leading to revenue loss for the company.

It is time business leaders added cyber risk management to the agenda of their next board meeting. Sophisticated IT systems need added protection against breaches.