Commentary

Cybersecurity Just Became a Board Issue for Real

Several market trends are beginning to converge that will force companies to prioritize cybersecurity with greater urgency than before. Insurance and regulatory costs are going through the roof.

Cybersecurity has been a "hot potato" issue for years. Companies know that significant risks exist but have no method for calculating where those risks belong in their budget priorities. The media continues to report massive cybercrime statistics, and board members scratch their heads, wondering what they should focus on concerning cybersecurity. The industry, however, still hasn't figured out how to frame that conversation strategically.

Changes in the insurance market, skyrocketing criminal activity, and an expanded regulatory environment will soon clarify the business value of cybersecurity, because it will start costing real money. Companies have been protecting themselves from regulatory compliance and business continuity risk by transferring it to an insurer. Unfortunately, insurers have found that the loss ratio on cyber insurance has been nearly 110% in many cases. In addition, because hackers are targeting the country's intellectual property and infrastructure, regulators and lawmakers are proposing new requirements to address the US's risk exposure in public markets and critical infrastructure. As a result, companies will directly shoulder the burden of growing regulatory fines from expanding compliance requirements.

Market and Political Trends Forcing Choices in Security Infrastructures

Cyber insurance is a $14.5 billion market today. Unfortunately, there is scant data on cyber risk, and actuaries have been unable to quantify it successfully. Insurance carriers have been making their best guesses, guessing wrong, and absorbing significant losses. As a result, carriers are raising their rates this year by 174%, tightening terms, and expanding exclusions. For example, Lloyd's of London just announced that its cyber insurance policies will exclude all acts of war arising from nation-state activity, and that war does not have to be declared for the exclusion to apply. The timing of this change couldn't be worse: the FBI and MI5 jointly warned in 2022 about Chinese hacking targeting US intellectual property. The net effect is that the cost of cyber insurance is rapidly rising, coverage is becoming more limited, and cyber risk is rapidly increasing.

FBI statistics show that cybercrime has increased by more than 300% since the beginning of the pandemic. Cybercriminals are becoming more sophisticated and are using stolen data to build target lists for follow-on, cascading attacks. This underscores the risks to businesses, their customers, and their suppliers. For example, hackers stole about 26 million user login credentials between 2018 and 2020, and each stolen credential is a starting point for the next crime. Additionally, 34% of all businesses suffered security incidents involving malware in 2021, so these are no longer isolated events. The average cost of a data breach for publicly traded companies in the US in 2020 was $116 million, and the impact on smaller businesses is much more severe: 60% of small businesses that are victims of cyberattacks go out of business within six months.

We think of our companies as operating in a safe, friendly place, but once connected to the internet, it's as if those businesses were located in a blighted neighborhood with thugs around every corner. Because these risks are invisible, non-technical leaders find it difficult to internalize that they exist at all.

Government agencies and Congress are starting to focus on digital risks that affect the public. For instance, Colonial Pipeline, a major source of gasoline and jet fuel for the Southeastern United States, suffered a ransomware attack that shut down operations for six days, causing gas shortages across its supply region and affecting millions of registered voters. Not long after this incident, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires regulations for incident reporting across broadly defined categories of "critical infrastructure."

In addition, the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) are getting into the act by proposing sweeping requirements for risk and incident disclosures, proper use of personal information, and limits on data use. These expansive government requirements will force businesses to understand their digital environments better and to expand their visibility into online activity within their organizations. Compliance will cover not only how data is used and how environments are monitored, but will also require public disclosure of the related policies and procedures and near-real-time incident reporting.

Regulation and Decreased Insurance Coverage Force the Board

Cybersecurity costs are about to go up for every business in the United States. Companies will have to pay closer attention to their security infrastructure, monitor and manage it, and establish reporting mechanisms to regulatory bodies. Instead of relying on insurance to transfer risk, they will have to expand their internal capabilities to manage and mitigate it, and there will be financial consequences when those processes fail. With this regulatory momentum, government oversight of the digital economy will become more active. Hopefully, broader risk and security awareness will leave cybercriminals less opportunity, and the internet will become a safer environment for businesses. What this means for companies, however, is that risk management and cybersecurity will have to be better understood by the C-suite and treated as a business-impacting priority by boards.
