Cyber Watchdogs' Bite: As Bad as Their Bark
Holistic cyber risk management can help meet regulators' expectations.
Cyber hacks, attacks, and outages have regulators on high alert. In the past year, state and federal agencies have increased their policing of cyber events, conducting more pre-event audits and post-event investigations and imposing larger fines and penalties. And businesses shouldn’t expect them to pull back any time soon.
In part, regulators’ cyber focus stems from the pervasiveness of all things digital. Any cyber event — whether a data breach or a fried server — has the potential to cause harm to many consumers and businesses. Cyber events also generate attention from news organizations and social media, with individuals often challenging regulators about how they “missed” these risks. Moreover, controlling cyber risk is one of the few areas our political parties agree on, meaning regulatory oversight is likely to expand significantly in 2015 and beyond.
Managing Regulatory Risk
Regulatory investigations represent a significant challenge monetarily and in terms of time, resources, and distraction. Cyber regulation is inevitable, but the risks can be managed. Risk managers and corporate leaders should keep the following in mind:
- Don’t leave cyber risk to just the IT department. Regulators expect board-level oversight and enterprise-wide preparations.
- Look beyond attack prevention. Even an unlimited budget for information security will not eliminate your cyber risk. Assessment, preparation, and response are critical elements of a cyber risk framework. Many regulators are looking beyond single events to the quality of your answer to the question “How prepared is your organization?” This means you should conduct assessments and audits regularly. Disaster recovery, business continuity planning, incident response, and other elements of organizational resilience are key.
- Connect your plans to external stakeholders and resources. Law enforcement, regulators, business partners, suppliers, and other cybersecurity resources should be part of your cyber risk management framework.
- Make risk transfer part of the approach. Purchasing insurance is a critical component of cyber risk management, giving regulators confidence that your organization will be armed with the necessary resources to respond should an incident occur.
For more about cyber regulators, read Tom Reagan’s article on CFO.com, Regulators Leaping into the Cyber Breach.