The board does not understand cybersecurity – that’s not so anymore.
Prior to the pandemic, the CISO and cybersecurity team were seen as the geeks in the room down the hall who always said no. Even post-pandemic, while there is appreciation that cybersecurity can be a business enabler, there is typically a lack of understanding, especially at the board level, on how to achieve a robust cybersecurity posture and how it actually enables the business.
The US Securities and Exchange Commission (SEC) has implemented regulations that require companies to disclose if their board has a member with cybersecurity expertise. This is a potential game changer for CISOs seeking budget approval or proposing operational changes to the business for cybersecurity reasons.
Almost all businesses rely on technology. It may be as simple as ordering supplies online, banking or email. Cybersecurity is not only essential for businesses that operate online or have significant digital communications with customers – it’s a necessity for all organizations. Understanding cyber risk, however significant or not, is – and will continue to be – fundamental for businesses that wish to be successful in today’s market.
This need for understanding is heightened when we look ahead at developments in technology such as AI – whether a company adopts AI for its own use or utilizes services that incorporate some form of AI. Even the use of a generative AI tool in business carries risk: for example, an employee might unwittingly leak sensitive company information by uploading text to a generative AI engine and asking it to refine the language.
This blog is the third of a series looking into cyber insurance and its relevance in this increasingly digital era – see also part 1 and part 2. Learn more about how organizations can improve their insurability in our latest whitepaper, Prevent, Protect. Insure.
There is likely to be regulation surrounding AI as well, and cybersecurity will be an element that will carry its own requirements. This adds to the many regulations that businesses need to follow from a cyber perspective. The General Data Protection Regulation, PCI Compliance, the SEC’s cyber incident disclosure rules … there are many regulations that need to be followed and reported on to ensure that a business remains compliant. At the core of many of these regulations is cybersecurity, adding further complexity to the cybersecurity teams’ operations.
To reduce the risk, cybersecurity needs to be ingrained in the business digital infrastructure under the premise of ‘secure by design’. This may take the form of following a cybersecurity framework such as the National Institute of Standards Technology, with clear policies and metrics in place to ensure that the company:
- adheres to regulations
- follows an approved cybersecurity framework
- has the necessary policies in place to reduce cyber risk
- can deal with any cybersecurity incident.
For small businesses, this may seem overkill to document and create policies about what you already know, who is empowered to make decisions and what happens ‘if’. However, creating a governance posture within the company will help ensure its longevity and is a requirement for growth: start as you mean to go on.
From a cybersecurity perspective, this may be the point where outsourcing provides the best option as the skills are often scarce and difficult to retain. Managed service providers that can implement cybersecurity operationally and assist with the governance required could be an option, with many of them offering access to advanced solutions such as managed detection and response (MDR) services.
How does this all fit with cyber risk insurance? Insurers are increasingly requiring businesses to have robust cybersecurity measures in place. A business with a formal, documented process is likely to achieve lower premiums and spend less time attempting to implement the pre-insurance requirements.
While the initial costs may be higher, companies with better digital protection are set to save money on their insurance premiums and avoid the recovery costs from the potential cyberattacks they may have faced without cyber insurance.
Learn more about how cyber risk insurance, combined with advanced cybersecurity solutions, can improve your chance of survival if, or when, a cyberattack occurs. Download our free whitepaper: Prevent. Protect Insure, here.