It’s time for a sea-change in managing the risks of a cyber attack on your company, according to authors and subjects of articles in CFO’s Special Report on the subject. No longer can you assume that software and firewalls will keep hackers out of your systems. Instead, you have to assume the worst will happen and carefully plot out what to do in the aftermath.
Cyber risk experts have begun to work on the assumption that it’s impossible to keep networks perfectly free from attack.
“Traditionally, cybersecurity has been focused on the front protection piece,” including internal controls, employee training, and firewalls, according to Heather Crofford, CFO of shared services at Northrop Grumman, the big aerospace and defense contractor. For Northrop and many other companies, however, “detection, response, and recovery are where the increasing investment needs to be,” she says.
Since the risk can’t be completely eliminated, CFOs are wondering if insurance policies targeted solely at cyber risk can help stem the tide of financial loss once a breach occurs. Some companies have, in fact, bought “dedicated” cyber insurance policies that provide coverage for such risk exposures, writes Lynda Bennett, an attorney who represents corporate policyholders, in “Cyber Insurance Policies: Are They Worth the Money?” Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them, according to Bennett.