Building Customer Trust: Cyber Security in Corporate Social Responsibility Programmes

In today’s evolving cyber risk landscape, Boards of Directors are becoming increasingly concerned about the security performance of their businesses. In fact, the National Association of Corporate Directors has found that 89% of public companies and 72% of private companies regularly discuss security at Board meetings, states Jake Olcott.

Directors are acutely aware not only that there has been a continual stream of data breaches over the last couple of years, but also that regulation such as the EU's General Data Protection Regulation (GDPR) has raised both compliance risk and public awareness of companies' responsibilities for protecting personal data. Boards are being forced to acknowledge that the effects of a data breach go far beyond the direct hard costs: there can also be a significant impact on customer trust.

To put some context around this, The Ponemon Institute's Data Breach Report published in July found that the average cost of a data breach has hit an all-time high of $3.86 million, up 10% since 2014. However, the report also found that the hidden or indirect costs of a breach, including notifying customers and any subsequent loss of business, frequently far outweigh the direct costs of fines and legal undertakings. For example, companies that lost less than 1% of their existing customers following a breach incurred an average total cost of $2.8 million (£2.1 million), while those with a churn rate above 4% lost $6 million (£4.5 million) on average.

This considerable potential for financial loss means it’s not surprising that cyber risk, coupled with reputation management, is rising up the Board agenda. Directors are striving to understand and quantify cyber risk on the same terms as they assess strategic risk, compliance risk and operational risk.

A further emerging concern for directors is the third party risk posed to their business from its supply chain and wider business ecosystem. A compromise of any of those trusted partners could lead to a data breach or systems outage. A recent study conducted by Gartner found that nearly 70% of chief audit executives view third party risk as one of their top concerns as we head into 2019.

How, then, can companies mitigate these risks? Evidence from the Ponemon report shows that organisations which proactively focus on building customer trust, both before and in the aftermath of a data breach, and which raise it to a Board-level issue are somewhat better insulated against the reputational damage breaches cause. They lose fewer customers, which ultimately reduces the cost of the breach.

For example, businesses that appointed a senior leader, such as a chief privacy officer or CISO, to direct customer trust initiatives lost fewer customers and minimised the financial consequences of a breach. Additionally, organisations that offered identity protection to data breach victims retained more customers than those that didn't.

Cyber risk and customer trust

Clearly, improving customer trust and demonstrating transparency are strategically valuable to companies. It’s interesting to see how organisations are tackling this issue and communicating their progress to stakeholders. Of particular note is that cyber risk is no longer the sole preserve of the CISO. The wider potential impact of security failures and data breaches on customer welfare and business sustainability means that it has moved into the realms of Corporate Social Responsibility (CSR).

One of our clients, the energy company EDP, is currently the top-rated integrated utility company globally, having achieved the highest Dow Jones Sustainability Index score. The business is committed to continuous improvement and transparency in CSR.

EDP has identified "improving trust" as a core strategic priority, stating: "Trust is an asset that we want to reinforce". The company therefore includes information about the initiatives undertaken and progress achieved towards that target in its annual reports.

When it comes to cyber security, EDP recognised that the cyber risk in its extended supply chain should be proactively monitored to protect customers. The company has therefore adopted security ratings to continuously assess its own cyber security performance and that of its ecosystem of third-party suppliers. This uniform assessment extends sustainability and security principles across the value chain.

By measuring security performance, EDP is driving continuous improvement among its suppliers and quickly identifying any emerging risks. This, in turn, influences shareholder value by strengthening customer trust and is the reason why the company chose to include its security rating in the annual CSR report.

Keeping it simple

Key to the success of reporting cyber security progress to stakeholders is simplicity. Cyber security reports can be complex and opaque to the extent that even Board directors struggle to understand them. An organisation may decide to “improve its security posture” or “change its risk profile”, but it can be difficult for wider audiences to understand just what that means.

When reporting at overview level, organisations need a simple metric that can be presented as a Key Performance Indicator. This provides a benchmark and can be used to set targets, then demonstrate progress over time. In the case of EDP, its initial security rating on 1 January was 590. The business set a target to achieve a rating of 640 over the course of the calendar year. The actual rating achieved by 31 December was 650, so the company was able to clearly and simply demonstrate to a non-technical audience that it had successfully exceeded its target.

Of course, behind that single rating number is a comprehensive analysis into which Board directors can delve to glean intelligence on compromised systems and vulnerabilities, security diligence and protocols, user behaviour risks, network infrastructure, and domain infrastructure issues. They can then identify areas for risk mitigation, improvement and investment.

Nevertheless, having that top-line benchmark number delivers an at-a-glance indication of how the organisation and its ecosystem are performing. This helps Board members to quantify security risk more effectively and make informed decisions about issues such as the required level of cyber insurance coverage.

Trust as a business differentiator

In 2019, we’ll start to see the real impact of regulatory changes such as the GDPR and the public profile of organisations that have suffered breaches will be seriously tested. We’ll see more companies become proactive about improving customer trust and transparency around cyber security and data protection, aiming to minimise the ‘soft’ costs of breaches that, in today’s security environment, are inevitable.

As the way organisations and end users view cyber security continues to mature, we'll see more and more companies strengthen their communications around cyber risk management, protection and preparedness. They will start to present trust as a business differentiator.

Companies will also make this part of their CSR programmes as well as their security programmes in a determined bid to mitigate risk not just on a financial level, but also from a reputational perspective.

Jake Olcott is Vice-President of Communications and Strategic Partnerships at BitSight

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.