Cyber supply-chain risk management needs to evolve fast

By Cate Chapman on October 30, 2014

If there is one pattern to emerge from events involving cyber operational risk, it is their practical impact on a company’s ability to do business.

Whether they involve denial of service on a computer network, loss of cloud access, supply-chain disruption, or sabotage, the results can be catastrophic. Panelists at the Advisen Cyber Risk Insights Conference reviewed cases involving companies such as Amazon, Microsoft and Dell and concluded that cyber supply-chain risk management needs to evolve fast.

“Information security people tend to be IT,” said Andy Roth, partner and chair of the global privacy and cybersecurity group at Dentons. “But they often need a fraud-risk management mindset.”

Behavioral modeling is needed to anticipate malware attacks, for example, not just to protect against those already seen. Sustainable governance models, in which information is fed automatically back into a system, are also called for.

In one case, a data center belonging to Amazon routinely failed, affecting customers like Netflix and, in turn, the customers’ clients. Amazon itself gives best-practice advice to clients (like backing up data in more than one place), but do clients, from whom others purchase cloud services, necessarily follow suit? In another case, malware was installed on Dell motherboards before they were shipped out.

“The problem in the IT supply chain is that it’s not involved with the CIO” or in C-suite discussions, said Sandor Boyson, director of the Supply Chain Management & Research Center at the Robert H. Smith School of Business at the University of Maryland.

The segregation of a department so crucial to a company’s defense against cyber operational attacks can result in “a lack of coordination,” he said. “Vulnerabilities build up.”

Insurance products, too, are evolving to meet these risks. Cyber policies, if they include third-party coverage, can function like business interruption insurance and extend to reputational and revenue losses.

“Cyber is a new product and adding business interruption on top of that is hard for companies,” said Michael Palotay, senior vice president of underwriting at NAS Insurance, which effectively combines them. Besides, “business interruption is not in the news, like cyber,” as in the case of data breaches, he added.