Cyber risk experts have begun to work on the assumption that it's impossible to keep networks perfectly free from attack.
It’s time for a sea-change in managing the risks of a cyber attack on your company, according to authors and subjects of articles in CFO’s Special Report on the subject. No longer can you assume that software and firewalls will keep hackers out of your systems. Instead, you have to assume the worst will happen and carefully plot out what to do in the aftermath.
In the borderless world of information technology, in fact, computer-security specialists and corporate risk managers have begun working under the assumption that it’s impossible for companies to keep their networks completely free from penetration, according to the lead story of our package, “What’s the Cost of a Cyber Attack?” Given that reality, they’re zeroing in on the need to detect hackers once they’re inside the system and to respond to the attack, rather than just focusing on sealing networks from every possible breach.
“Traditionally, cybersecurity has been focused on the front protection piece,” including internal controls, employee training, and firewalls, according to Heather Crofford, CFO of shared services at Northrop Grumman, the big aerospace and defense contractor. For Northrop and many other companies, however, “detection, response, and recovery are where the increasing investment needs to be,” she says.
Since the risk can’t be complete, eliminated, CFOs are wondering if insurance policies targeted solely at cyber risk can help stem the tide of financial loss once a breach occurs. Some companies have, in fact, bought “dedicated” cyber insurance policies that provide coverage for such risk exposures, writes Lynda Bennett, an attorney who represents corporate policyholders, in “Cyber Insurance Policies: Are They Worth the Money?” Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them, according to Bennett.
The remaining articles discuss the increasing interest of regulators in cyber risk, how to hire the right people to stop the bleeding if a breach occurs, and the CFO’s unique role in cyber security. We hope our coverage will help you put together effective strategies and tactics to cope with the Brave New World of cyber peril.