In the first two parts of this series we looked at determining companies at risk within a portfolio and then assessing the cyber risk within a particular company. Today we will look at how to manage those risks and give you our key “takeaways” on keeping your portfolio out of the headlines.
Once cyber business risks have been identified and qualified, decisions will need to be made on how to manage them. It may not be necessary to mitigate every risk, and indeed the cost of doing so could well outweigh the risk reduction benefit. Risk acceptance, or transference via insurance, should also be considered, and a cyber security improvement programme initiated if required.
It may prove useful at this point to determine tactical and strategic mitigation initiatives. Tactical actions may be required if critical risks are identified during the assessment which require mitigation almost immediately. An example of a tactical recommendation could be a manual check of staff access to a system to be carried out on a monthly basis, prior to the strategic automated check being rolled out. Tactical solutions could also be the preferred approach if a company is close to being sold. A cyber breach close to exit could have a significant impact on company valuation, and tactical solutions may be the best approach to preventing this.
Care should be taken at this point to ensure that mitigation initiatives align with the broader resourcing and technology strategy of the company. For instance, if organisational change is required, including a headcount increase, outsourcing options should be investigated if the company is pursuing an outsourcing strategy.
Similarly, if technical investment is needed, it should be made in line with any procurement efficiencies the company already follows, e.g. a single-vendor or multi-vendor strategy.
Whilst these decisions are being made and mitigation initiatives implemented, governance changes should also be introduced. Most importantly, a process and framework for ongoing cyber risk management should be put in place, so that the identified cyber business risks can be tracked and managed, and emerging cyber risks identified as either the threat landscape or the business changes.
Ultimately, the output from this should give the fund manager and management team full visibility of cyber business risk within the company, and with it the capability to manage that risk.
One final note. At this key stage, and prior to significant cyber security investment, it would be sensible to determine whether a cyber risk accreditation, such as ISO 27001, should be pursued. This could create significant extra value in certain industries whilst being cost effective to implement if rolled into a cyber security improvement programme. If it is to be pursued, the earlier this decision is taken the better.