Originally posted on 12 Feb 2020
Updated 02 Nov 2021
How Vulnerable Is Your Business?
With the latest release of Allianz’s 2020 Business Risk Barometer, it is clear that cyber attacks have been catapulted to the no. 1 position for business risk on a global scale.
“With businesses facing a number of challenges such as larger and costlier data breaches, more ransomware incidents and the increasing prospect of litigation after an event.” — Allianz’s Risk Barometer, 2020
There is also a worrying trend that supply chain cyber attacks and data breaches are becoming larger and more expensive to deal with — and the greater the business interruption, the higher the losses. In this post, we look at how organisations can defend themselves against these cyber risks and data breaches.
Data-Rich Organisations Beware!
Organisations are gathering and processing greater volumes of personal data, and the result is larger and costlier data breaches. Mega data breaches (breaches in excess of a million records) are now commonplace.
For companies that depend on data to provide their services, the consequences can be disastrous. Extortion demands are a major concern for these organisations, but business interruption accounts for the heaviest losses from ransomware attacks, and the theft of personal data is frequently the real target.
“A mega breach now costs an average of $42mn, according to the Ponemon Institute, an increase of nearly 8% over 2018. For breaches in excess of 50 million records, the cost is estimated to be $388mn (11% higher than in 2018).” — Allianz’s Risk Barometer, 2020
Cyber security has become a major focus as businesses look to protect their customers’ critical data. Data-rich organisations should therefore treat cyber risk as a priority.
Operational resilience is now a key focus for regulatory authorities. Sam Woods, CEO of the Prudential Regulation Authority (PRA), stated:
“Operational resilience is a vital part of firms’ safety and soundness, and has become an important priority for the PRA. This consultation marks the next stage of integrating operational resilience into our regulatory framework. Alongside this, our proposals on outsourcing and the cloud will steer firms to be resilient in their adoption of new technologies.”
Jon Cunliffe, Deputy Governor for Financial Stability, said:
“Financial Market Infrastructures need to consider not only what steps they need to take to minimise operational disruption, but also how quickly they can recover from any operational disruption.”
Find out more about operational resilience in our IT, cyber and compliance guidance for insurers and FCA-regulated organisations.
Your organisation may be well protected. But the same can’t always be said for your suppliers or acquisitions — especially if they have a weak approach to cyber security, or if they already carry vulnerabilities that increase the danger of supply chain cyber attacks.
As the acquiring firm, you could find yourself liable for any damage from breaches or attacks that pre-date the merger. That is why auditing new acquisitions and suppliers must be a priority and a vital part of your due diligence. The Marriott hotel group learnt this the hard way: its 2018 breach was traced to a 2014 intrusion into the Starwood hotel group, which Marriott acquired in 2016.
Better supply chain management is worth the effort to prevent a data breach. Identify your supply chain risks and tackle them head-on before cyber criminals end up costing your data-rich company a fortune.
Intra-group outsourcing is when a firm has an outsourcing arrangement with a company in the same group, including cross-border outsourcing to parent or sibling companies outside the UK. The FCA states that intra-group outsourcing is subject to the same rules as outsourcing to an external third party. The risk should not be perceived as any lower, nor as any less subject to outsourcing requirements. Risks must be identified and managed effectively, whether the outsource is to a third party or within the group.
Growing Regulatory Actions and Legal Costs
Large data breaches are resulting in regulatory actions and — most significantly — large fines. They can also trigger affected consumers, business partners and investors to pursue legal action, contributing to eye-watering costs. For example, Marriott in 2018 and the credit score agency Equifax in 2017 were both reported to have suffered mega data breaches of personal data, affecting over 300 million and 140 million customers respectively. Both have had several lawsuits and regulatory actions brought against them, and Marriott will receive a fine of £100 million from the UK’s data protection regulator.
The Best Approach to Managing Cyber Risk and Improving Resilience against Cyber Attacks
- Treat cyber risk as part of your overall enterprise risk management and view it as a key business risk.
- Monitor and measure the security and availability of systems through continuous vulnerability and risk assessments, remediation and the sharing of intelligence around cyber threats.
- Run regular staff information security training, awareness and anti-phishing campaigns.
Our Top Tips for Supply Chain Management
- Due diligence is a priority. Find out the supplier’s potential risk profile and how their actions could impact you if they were compromised.
- Verify your suppliers’ certifications. It’s wise to check claims and certifications. A supplier may hold a PCI Report on Compliance or an ISO 27001 certified ISMS whose scope covers only a small section of the requirement, meaning the supplier is not certified for the service you depend on.
- Continually check your supply chains. You may have vetted them five years ago and deemed them to be low risk, but it’s important to implement a continuous auditing programme for good supply chain risk management.
- Get an independent, unbiased view. There’s a lot of value in bringing in an independent auditor to provide a balanced view of your suppliers, especially if information security auditing isn’t a part of your regular job.
We’re helping an increasing number of organisations by providing independent supplier security reviews and ongoing supply chain management using our proven framework.
Call us on 01242 505470 or fill out our cyber consultancy contact form and we’ll be happy to discuss your individual supplier audit requirements with you.