Cyber risk mitigation — increasing costs or creating value?

During the Covid crisis — and more recently with the war in Ukraine and the resulting geopolitical upheaval — we all realized that the pace of change in our environment had accelerated yet again. What we understood for a long time as a VUCA world (Volatility, Uncertainty, Complexity, Ambiguity) changed into something even harder to understand. Jamais Cascio described our current situation by coining the term BANI (Brittle, Anx­ious, Non-linear, Incomprehensible) in an essay in 2020. How should a company’s board of directors and executive board exercise leadership in this environment, particul­arly in view of the exponential growth of opportunities and challenges in technology? Even if delegating sensitive issues, such as cyber risk mitigation, to a specialist internal department was deemed sufficient in the past, this approach is definitely no longer appropriate in today’s environment.

Even for SMEs, there’s no longer any hope of flying under the radar and remaining unnoticed by cyber criminals. There have been plenty of reports recently of attacks and damages from large companies, in public administration, and even SMEs. The theft of sensitive data, frustrated customers, and completely underestimating the cost of restoring hacked systems are all too common in Switzerland. With the advancing digitalization of business processes and models, and the increasingly complex world of IT — just think of the Internet of Things — there’s an ever-growing number of targets for all kinds of hackers.

There’s no such thing as complete security against cyber risks. Everyone knows this and everyone should be aware of it. So the occurrence of a cyber incident is not some theo­­­r­etical thought experiment, but a concrete event to be expected. However, this means that alongside preventive technical, organizational and cultural measures, we also need to make plans for, and train people in, how to behave during and after an incident. In other words, specific crisis and business continu­ity management. Unfortunately, far too many organizations are poorly prepared for these eventualities. Any company management team that runs the risk of being caught unawares by a cyberattack is not taking its responsibility seriously. But senior management teams don’t just have to contend with incidents that occur with little notice, they also have to manage scenarios that develop over a longer period. Artificial intelligence (and in the not-too-distant future, probably quantum computing, too) is a powerful tool that, in the hands of criminals and government agencies, will be used to generate other potential threats.

Since 2020, we’ve seen Covid-related staff shortages, energy bottlenecks and cyber­attacks cause interruptions, or at the very least delays, to supply chains. Maintaining or restoring the ability to deliver products or services despite adverse circumstances has become an important success factor for corporate value creation in today’s environment, and is often referred to with the term ‘operational resilience’. In a digitalized environment, establishing and ensuring ‘IT resilience’ is a basic prerequisite for the company’s operational resilience. Adequate cyber risk mitigation, that is required, promoted and managed with foresight by the company management team, makes a sig­nificant contribution to this. It should therefore be seen not as an annoying ‘insurance fee’, but as an essential part of securing value creation.

How can a member of the executive board or board of directors fulfill this responsibility? Find yourself in a room full of cyber specialists discussing risks, concepts and measures, and you’d be forgiven for thinking you might as well be listening to a pod of dolphins communicating, for all the sense they’re making. Because you just can’t understand a word they’re saying. Fortunately, members of the MB and BoD don’t have to be technical experts in cyber risk mitigation. But they do need to be able to assess whether the company has identified the real risks of cyber incidents and if it has the necessary maturity to manage these risks. They need to understand whether critical data is adequately protected and whether their own critical systems and business processes, as well as those of key suppliers, are sufficiently resilient. They also need to check that an incident and business continuity management system has been introduced and is being trained among their staff.

While large companies and critical infra­structures usually have the technical expertise to plan and implement these tasks in-house, SMEs often have gaps in their knowledge. However, standards and frameworks such as the Cybersecurity Framework from the National Institute of Standards and Technology (NIST) and the Minimum Standard for Improving ICT Resilience from the Swiss Federal Office for National Economic Supply can offer help here. The FINMA Circular 2023/1 ‘Operational risks and re­silience – banks’ is also informative and can serve as a valuable guide for other sectors.

To be successful in a world characterized by BANI patterns, resilience is a key factor. Getting there takes time and effort, but there is no alternative. With a step-by-step approach, it’s easily achievable. If, for example, a roadmap of initiatives is drawn up based on ‘health checks’ and these are imple­mented step by step, the company management team has the opportunity to intervene at any time. An essential prerequisite is that they commit to effective cyber risk mitigation and the associated responsibility.