In today’s evolving cyber risk landscape, Boards of Directors are becoming increasingly concerned about the security performance of their businesses. In fact, the National Association of Corporate Directors has found that 89% of public companies and 72% of private companies regularly discuss security at Board meetings, writes Jake Olcott.
This is because directors have become overwhelmingly aware of the fact that not only has there been a continual stream of data breaches in the last couple of years, but also that increasing regulation such as the EU’s General Data Protection Regulation (GDPR) has raised both compliance risks and public awareness of companies’ responsibilities for protecting personal data. Boards are being forced to acknowledge that the effects of a data breach go far beyond the direct hard costs. There can also be a significant impact on customer trust.
To put some context around this, The Ponemon Institute’s Data Breach Report published in July found that the average cost of a data breach has hit an all-time high of $3.86 million. That’s up 10% since 2014. However, according to the report, the hidden or indirect costs of a breach, including notifying customers and any subsequent loss of business, frequently far outweighed the direct costs of fines and legal undertakings. For example, companies that lost less than 1% of existing customers following a breach incurred an average total cost of $2.8 million (£2.1 million), while companies that experienced a churn rate of greater than 4% lost $6 million (£4.5 million) on average.
This considerable potential for financial loss means it’s not surprising that cyber risk, coupled with reputation management, is rising up the Board agenda. Directors are striving to understand and quantify cyber risk on the same terms as they assess strategic risk, compliance risk and operational risk.
A further emerging concern for directors is the third party risk posed to their business from its supply chain and wider business ecosystem. A compromise of any of those trusted partners could lead to a data breach or systems outage. A recent study conducted by Gartner found that nearly 70% of chief audit executives view third party risk as one of their top concerns as we head into 2019.
How, then, can companies mitigate these risks? Evidence from The Ponemon Institute’s report shows that organisations which proactively focus on building customer trust – both in advance and in the aftermath of a data breach – and raise it to a Board-level issue are somewhat better insulated against the reputational damage caused by breaches. They lose fewer customers, ultimately reducing the cost of the breach.
For example, when a business deployed a senior-level leader, such as a chief privacy officer or CISO, to direct customer trust initiatives, it lost fewer customers and minimised the financial consequences of a breach. Additionally, organisations that offered identity protection to data breach victims kept more customers than those that didn’t.
Cyber risk and customer trust
Clearly, improving customer trust and demonstrating transparency are strategically valuable to companies. It’s interesting to see how organisations are tackling this issue and communicating their progress to stakeholders. Of particular note is that cyber risk is no longer the sole preserve of the CISO. The wider potential impact of security failures and data breaches on customer welfare and business sustainability means that it has moved into the realms of Corporate Social Responsibility (CSR).
One of our clients, namely the energy company EDP, is currently the top-rated integrated utility company globally, having achieved the highest Dow Jones Sustainability Index score. The business is committed to continuous improvement and transparency in CSR.
EDP has identified “improving trust” as a core strategic priority, stating: “Trust is an asset that we want to reinforce”. The company therefore includes information about the initiatives undertaken and progress achieved towards that target in its annual reports.
When it comes to cyber security, EDP recognised that the cyber risk in its extended supply chain should be proactively monitored to protect customers. The company has therefore adopted security ratings to continuously assess its own cyber security performance and that of its ecosystem of third-party suppliers. This uniform assessment extends sustainability and security principles across the value chain.
By measuring security performance, EDP is driving continuous improvement among its suppliers and quickly identifying any emerging risks. This, in turn, influences shareholder value by strengthening customer trust and is the reason why the company chose to include its security rating in the annual CSR report.
Keeping it simple
Key to the success of reporting cyber security progress to stakeholders is simplicity. Cyber security reports can be complex and opaque to the extent that even Board directors struggle to understand them. An organisation may decide to “improve its security posture” or “change its risk profile”, but it can be difficult for wider audiences to understand just what that means.
When reporting at overview level, organisations need a simple metric that can be presented as a Key Performance Indicator. This provides a benchmark and can be used to set targets, then demonstrate progress over time. In the case of EDP, its initial security rating on 1 January was 590. The business set a target to achieve a rating of 640 over the course of the calendar year. The actual rating achieved by 31 December was 650, so the company was able to clearly and simply demonstrate to a non-technical audience that it had successfully exceeded its target.
Of course, behind that single rating number is a comprehensive analysis into which Board directors can delve to glean intelligence on compromised systems and vulnerabilities, security diligence and protocols, user behaviour risks, network infrastructure, and domain infrastructure issues. They can then identify areas for risk mitigation, improvement and investment.
Nevertheless, having that top-line benchmark number delivers an at-a-glance indication of how the organisation and its ecosystem are performing. This helps Board members to quantify security risk more effectively and make informed decisions about issues such as the required levels of cyber insurance coverage.
Trust as a business differentiator
In 2019, we’ll start to see the real impact of regulatory changes such as the GDPR and the public profile of organisations that have suffered breaches will be seriously tested. We’ll see more companies become proactive about improving customer trust and transparency around cyber security and data protection, aiming to minimise the ‘soft’ costs of breaches that, in today’s security environment, are inevitable.
As the way that cyber security is viewed by organisations and end users continues to mature and develop, we’ll see more and more companies strengthen their communications around cyber risk management, protection and preparedness. They will start to present trust as a business differentiator.
Companies will also make this part of their CSR programmes as well as their security programmes in a determined bid to mitigate risk not just on a financial level, but also from a reputational perspective.
Jake Olcott is Vice-President of Communications and Strategic Partnerships at BitSight