Credit Rating Agencies are Evaluating Cybersecurity Risks, So Should You

News of yet another data breach is frequently seen as par for the course given the amount of data online and the potential opportunities to target it. As data breaches increase, the number of individuals affected by the fallout seems also to be on the rise.

While states and the US federal government have responded with legislation aimed at protecting consumers and requiring companies to take steps to beef up security or face steep fines, other institutions are also beginning to take notice.

Earlier this year and for the first time, credit rating agency Moody’s downgraded a company's outlook from stable to negative citing the considerable cybersecurity investments made necessary following a massive data breach two years prior.

As this episode demonstrates, the negative fallout from data breaches isn’t limited to a specific point in time. In fact, repercussions may continue to reverberate for years to come, impacting not just the IT teams defending against them, but the company’s long-term business prospects as well. Certainly, the move to build cyber risk into credit ratings coupled with the potential for fines, in addition to the proliferation of third party ecosystems, makes clear that data security and risk management is everybody’s problem. While many companies in the current environment understand that good cybersecurity means good business, too many still lag behind.

According to PwC’s Fall 2018 Digital Trust Insights survey, many organizations still lack essential roles, including chief information security officer, chief privacy officer, and chief risk officer, among others.

In addition, fewer than half of those surveyed felt that the executives responsible for cybersecurity and privacy had been appropriately identified at all. Most concerning, as companies everywhere rush to embrace the technological and business benefits of digital transformation, a scant 23 percent are similarly working to ensure these enterprise objectives align with their information security strategy.

In the midst of this environment around cloud migration, IT complexity and the Internet of Things (IoT), the likelihood of organizations experiencing a data breach is only growing, up 31 percent from 2014 according to IBM’s 2019 Cost of a Data Breach Report.

As highlighted in the report the average cost to organizations is likewise increasing with an average cost to organizations of $150 per compromised record for breaches affecting up to 100,000 records. If a breach is caused by a third party, organizations can expect to add more than $370,000 to final costs for an average of total of $4.29 million.

Thankfully, there are multiple approaches to help effectively mitigate the cost of and potential for a data breach. As a security executive myself, I recommend companies first and foremost appoint dedicated security leadership, such as a chief privacy officer or chief risk officer. This individual can help to inform and guide cybersecurity initiatives, providing oversight in cooperation with other senior leaders to close any gaps between IT and business policy developments and operations, particularly those centered on digital transformation.

The right cybersecurity leader can interpret potential security issues for the board and anticipate the company's security needs. With complete visibility into the company's infosecurity framework and its components, they can ensure the network infrastructure is correctly designed with best security practices in mind and provide direction on what needs changing.

Most importantly, in the event of an attack, they can triage and offer real-time analysis of immediate threats to prevent what might otherwise be a minor event from turning into a crisis.

Responding to attacks and security incidents quickly is made easier with an incident response team in place. In addition to determining the impact of a security event and coordinating an appropriate response strategy, even a small team of knowledgeable information security specialists can help in the mitigation of ongoing risks toward improving an organization's security posture. Such a team can create and extensively test incident response plans, provide written risk assessments to identify anticipated threats and vulnerabilities, and establish internal audit programs of technology controls, critical vendors and patch management.

They may also provide wider staff with security and awareness training and education helping to protect critical data and assets and prevent future incidents resulting from unintentional employee exposure.

Finally, companies should consider appointing an individual to their board with a deep cyber background to regularly update and garner feedback from other members. This individual should not only have the necessary technical and domain specific expertise, but also the requisite C-suite experience to effectively communicate the financial and operational needs required to maintain a robust cybersecurity program.

While there’s no silver bullet when it comes to preventing data breaches, by strengthening oversight of IT operations, along with implementation of security initiatives and business functions, companies are in a better position to avoid paying a premium in the short or the long term when then they do.

What’s Hot on Infosecurity Magazine?