As I have said, cyber security has a technology side and a business side. From a business perspective, the negative consequences that cyber incidents can cause are disruptive and potentially catastrophic. The value of taking additional measures to increase the cyber security posture of your control systems, far outweigh the risk of not making them secure.
Here are a few interesting items in the news of late related to the business side of cyber security.
Third-party vendor risk: The New York State Department of Financial Services (DFS) announced it will propose new cybersecurity regulations for financial institutions. The exact details of the regulations are being hashed but include a number of areas in which the DFS intends to act: Cyber Security Policies and Procedures, Third-Party Service Provider and Management, Multi-Factor Authentication, Appointment of Chief Information Security Officers, Application Security, Cyber Security Personnel and Intelligence, Annual Auditing, and Procedures for Noticing Cyber Security Incidents.
As noted, one of the new regulations focuses third party providers and suppliers and the requirement to implement policies and procedures to ensure the security of sensitive data or systems that are accessible to, or held by, third party providers. New regulations could mandate firms to “perform cyber security audits” of their third-party vendors or require third-party vendors to make “representations and warranties” about the state of their information security.
Cyber Attacks Could Now Affect Credit Ratings: Moody’s Investors Service announced that as cyber risks become more pervasive, it will take a higher priority within their analysis and that the credit implications associated with cyber defense, detection, prevention and response will start to take a higher priority within its credit assessments and analysis.
Target: Yes, even after 2 years since the Target cyber issue, they remain in the news. Target has to pay nearly $40 Million to settle with banks and credit unions who brought class action claims against the retailer for alleged losses the financial institutions suffered as a result of Target’s 2013 data breach. This most recent settlement comes on the heels of a $67 million settlement with Visa, and a $10 million settlement with consumers, both earlier this year. The most recent settlement brings Target’s total costs to a staggering $290 million (and it is far from over). This on top of lawsuits that are still pending, as well as regulatory enforcement and investigation actions by the FTC and various state attorneys general.
Insurance: Insurance companies are cracking down on insurance because of cyber security. They are beginning to evaluate and rate company cyber health and insure (or not) and charge accordingly. As such, insurance is becoming more sophisticated as the companies offering coverage begin to demand companies they insure meet specific cyber security requirements to be eligible for coverage; begin to determine premiums and policy coverage based on the implementation of those requirements or flat out choose not to offer coverage as the risk is too great due to ineffective cyber security practices and cyber security postures.
When it comes to cyber security, the business case is equally as important as the technology case. The operational, financial and reputational impacts to a business are tremendous.