HMN Business Review

Cybersecurity Just Became a Board Issue for Real


Cybersecurity has been a “hot potato” issue for years. Companies know significant risks exist but don’t have any method to calculate their budgetary priority. The media continues to report massive cybercrime statistics, and board members scratch their heads, wondering what they should focus on concerning cybersecurity. However, the industry hasn’t figured out how to strategically frame that conversation.

Changes in the insurance market, skyrocketing criminal activity, and an expanded regulatory environment will soon clarify the business value of cybersecurity because it will start costing real money.

Companies protect themselves from regulatory compliance and business continuity risk. Cyber insurance is a $14.5 billion market today. Unfortunately, there is scant data on cyber risk, and actuaries have been unable to quantify its value successfully. Insurance carriers have been making their best guesses unsuccessfully and have assumed significant losses. As a result, carriers are raising their rates this year.

FBI statistics show that cybercrime has increased. We think of our companies as being in a safe, friendly place, but once connected to the internet, it’s like those businesses are located in a blighted neighborhood with thugs around every corner. The fact that we can’t see these risks makes it difficult for non-technical leaders to internalize the fact that they exist.

Government agencies and Congress are starting to focus on digital risks that impact the public. For instance, the Colonial Pipeline, a major source of gasoline and jet fuel for the Southeastern United States, suffered a ransomware attack that shut down operations for six days, causing gas shortages across its supply region and impacting millions of registered voters. Shortly after this incident, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring regulations for incident reporting in broadly defined categories of “critical infrastructure.”

In addition, the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) are getting into the act.

Cybersecurity costs are about to go up for all businesses in the United States. Companies will have to pay closer attention to their security infrastructure, monitor and manage it, and establish reporting mechanisms to regulatory bodies. Instead of relying on insurance to defer risk, they’ll have to expand their internal capabilities to manage and mitigate risk, and there will be financial consequences when these processes fail. With regulatory momentum, government oversight of the digital economy will become more engaged. Hopefully, broader risk and security awareness will provide less opportunity for cybercriminals, and the internet will become a safer environment for businesses. What this means to companies, however, is that risk management and cybersecurity will have to be better understood by the C-suite and a business-impacting priority for Boards.