Risk Assessments Are the Best Checkup
The Ponemon Institute’s 2018 report on cyber security at small and midsize businesses stated that 67% of respondents suffered a cyber incident in the past year and the average cost of recovery from an attack was $1.43 million.
How many small and midsize businesses can risk paying that instead of paying for regular assessments? Granted, assessments can vary in scope, price and quality, but even the largest organizations can obtain high quality, comprehensive cyber risk assessments for less than a tenth of that cost.
Cyber-security risks are on the rise, and so is spending to keep them under control. Gartner predicts that global cyber-security spending will increase by 8.7% this year, reaching $124 billion. One summary of the Gartner report notes that funding increases are primarily due to compliance requirements, IT business risks, and the need for improved detection and response capabilities.
According to Spiceworks’ 2019 State of IT Report on IT budgets and technology trends, the top reason for IT budget increases was to upgrade outdated infrastructure and address increased security concerns. Security may actually grab credit for both reasons since the 2017 WannaCry and NotPetya attacks exploited vulnerabilities in out-of-support hardware and software, forcing companies to upgrade their systems. Altimeter’s 2019 The State of Digital Transformation report places cyber security as the second most important reason for technology investments in 2019.
None of these reports, however, mention cyber risk assessments or maturing the organization’s cyber-security program as a driver in spending. Why? Perhaps because executives fear an assessment will identify risks that will then have to be dealt with, costing more money. Or they may believe their anti-malware or intrusion detection system is a “silver bullet” software tool that keeps their system secure. They might not understand that a risk assessment is the equivalent of a medical checkup and necessary to track the “health” of the cyber-security program and identify areas that need attention.
Cyber security is an enterprise issue, and the only way that businesses can ever hope to reasonably manage cyber risks is to develop and maintain an enterprise security program that is based on best practices and standards for cyber security. There are several standards, but they are consistent with one another. Mappings between them are available (see Table 2 of the NIST Cybersecurity Framework Version 1.1).
Information security standards set forth the full array of requirements for a security program, including governance, policies and procedures, personnel security measures, access controls, physical controls, operational and infrastructure considerations, incident response, backup and recovery, and compliance. The whole ball of wax.
Risk assessments evaluate the controls of a cyber-security program against the requirements of the standards, taking into consideration the current threat environment, innovation, and changes to business operations. An assessment will identify the gaps and deficiencies in controls that make organizations vulnerable to an attack. It can determine the maturity of a cyber-security program and identify remediation measures that should be undertaken. The Information Systems Audit and Control Association (ISACA) recommends that assessments be performed every two years. Some laws and regulations require them annually. As a general rule of thumb, large corporations should perform an assessment annually, while small to midsize organizations could perform one every two to three years, absent disruptive changes.
When businesses don’t spend money on regular cyber risk assessments, they are betting the company. The organization is more vulnerable to attack, it doesn’t know where its weak points are, it will be less likely to have an adequate cyber risk transfer strategy, and the viability of the business may be at risk.
Plus, when an incident does occur (and it will), the company is in a much stronger position with regulators, investors, customers and the public if it undertakes regular assessments of its cyber-security program and strives to mature and improve it. Executives who choose to avoid assessments are in for a roasting when a serious attack occurs, because they cannot show that they have a program for cyber security and controls that align with best practices and standards. They can show only that they spent money on various cyber-security activities or tools without pegging it to a plan intended to protect the assets of the organization.
The importance of assessments—and perhaps the reluctance of companies to undertake them—is why they are a required action in numerous federal laws and regulations, such as HIPAA, Gramm-Leach-Bliley, the Federal Information Security Management Act (FISMA), and the Family Educational Rights and Privacy Act (FERPA). Several states also have enacted laws requiring risk assessments of cyber-security programs (e.g., California, Colorado, Massachusetts, New York and South Carolina). The superintendent of the New York Department of Financial Services made clear that its cyber-security regulations require “each entity to conduct an annual review and assessment of its cybersecurity program’s achievements, deficiencies and overall compliance with regulatory standards and to certify the institution’s compliance with the regulation on an annual basis.”
The insurance industry has helped push companies into conducting cyber risk assessments. Applications for cyber insurance may ask whether a cyber risk assessment has been conducted, and some carriers offer a policy discount if the client has conducted a risk assessment and has a remediation plan. In 2017, the National Association of Insurance Commissioners adopted the Insurance Data Security Model Law, which has been implemented in eight states and has an entire section devoted to risk assessments.
This is an area for agencies and brokerages to do well while doing good. They should both encourage their clients to conduct risk assessments and work with carriers to incentivize policyholders to assess their cyber-security programs, close their gaps, and be prepared.