Managing Corporate Risk
By Jim Kebert, CFO, cStor
I encountered two completely independent things recently, and it wasn’t until I put them together that I found them very profound and related.
The Balancing Act
The first item was going through our company’s annual insurance renewal process. You get a quote from your current carrier(s), then discuss with your broker how you might be able to save money by changing things like your deductible (or retention, as it is called in the insurance industry). You might, as we did, get quotes from other carriers to see where you can save money. The numbers are important, but so are the details in the language of a policy. A policy that appears to be less expensive might expose the company to more risk, so the evaluation is both quantitative and subjective. This is all about managing RISK – balancing the costs and the risks that you’re willing to take.
The second item came in a roundabout way. I was evaluating a new client for credit purposes. This potential new client was coming to us for our expertise in cybersecurity. They had a strong balance sheet and had been profitable for the last two years. However, what caught my attention was the fact that they had a significant charge in the last year for a ransomware incident. The charge was over 25% of the past year’s income from operations. My initial reaction was that it made sense that they were involving us in their cybersecurity selection. It wasn’t until later that it dawned on me how related these two things were: selecting a cybersecurity strategy is much like having an insurance strategy. It’s all about managing risk.
On the insurance side, you take the necessary steps to mitigate your exposures. Those steps can come in many forms and will differ completely from one industry to another. One precaution might be to make sure that your managers are up to date on employment law and practices, including the impact of COVID-19. Another business, such as a restaurant, might schedule regular hood cleanings to prevent fires. The insurance policy is one part of minimizing your risk, but the actions you take to reduce your exposure matter just as much.
Mitigating Cybersecurity Risk
Cybersecurity is no different. You select a cybersecurity strategy and framework, select products to support that strategy, and then continue to take actions to minimize your risk. What makes cybersecurity even more challenging than insurance-related risk, however, is that there are adversaries whose goal is to attack you, and they attack you to benefit themselves. This makes the risks associated with cybersecurity larger and potentially more frequent.
Another significant difference is that you should be thinking about your cybersecurity program much more often than once a year. With cybersecurity, as with any risk management process, you must identify, assess and understand the level of risk present within your organization. Because cybersecurity risk is ongoing, frequent control reviews and processes should be in place to eliminate, mitigate or transfer that risk until it is reduced to an acceptable level. Our recent blog outlines some key areas to focus on when implementing a cybersecurity risk management program.
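The identify, assess, then eliminate/mitigate/transfer loop described above can be made concrete with numbers. The following is an added worked example, not code from this post or from cStor: it scores one risk scenario as an annualized expected loss, then compares accepting it, mitigating it with a control, transferring it through a policy with a retention (the insurance concept from the first section) and combining the two, and picks the cheapest option whose expected retained loss still sits within a stated risk appetite. Every name and figure in it (RANSOMWARE, BACKUP_AND_EDR, CYBER_POLICY, the rates and dollar amounts) is a constructed assumption for illustration.

```python
"""Added worked example: a small quantitative risk register.
All scenario figures below are constructed, not taken from the post."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    """One identified risk scenario."""
    name: str
    events_per_year: float   # annualized rate of occurrence (ARO)
    loss_per_event: float    # single loss expectancy (SLE), in USD

    def annual_expected_loss(self) -> float:
        # ALE = ARO x SLE: a single number for the "level of risk"
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Control:
    """A mitigating control: costs money each year, cuts likelihood and/or impact."""
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0   # fraction of events prevented (0..1)
    impact_reduction: float = 0.0       # fraction of loss avoided (0..1)


@dataclass(frozen=True)
class Policy:
    """A transfer option: the insurer pays losses above the retention, up to the limit."""
    name: str
    annual_premium: float
    retention: float
    limit: float


def apply_control(risk: Risk, control: Control) -> Risk:
    """Residual risk once the control is in place."""
    return Risk(
        risk.name,
        risk.events_per_year * (1.0 - control.likelihood_reduction),
        risk.loss_per_event * (1.0 - control.impact_reduction),
    )


def retained_loss_per_event(loss: float, policy: Policy) -> float:
    """What the company still pays on one event: the retention plus anything above the limit."""
    covered = min(max(loss - policy.retention, 0.0), policy.limit)
    return loss - covered


def evaluate_option(risk: Risk, controls: Sequence[Control] = (),
                    policy: Optional[Policy] = None) -> Dict[str, float]:
    """Annual spend, expected loss the company keeps, and the sum of the two."""
    residual = risk
    spend = 0.0
    for control in controls:
        residual = apply_control(residual, control)
        spend += control.annual_cost
    per_event = residual.loss_per_event
    if policy is not None:
        per_event = retained_loss_per_event(per_event, policy)
        spend += policy.annual_premium
    retained = residual.events_per_year * per_event
    return {
        "spend": round(spend, 2),
        "expected_retained_loss": round(retained, 2),
        "total_expected_cost": round(spend + retained, 2),
    }


def choose_treatment(risk: Risk, options: Dict[str, Tuple[Sequence[Control], Optional[Policy]]],
                     acceptable_retained_loss: float):
    """Cheapest option (spend + expected retained loss) whose expected retained
    loss is within appetite. Returns (option name or None, all evaluations)."""
    evaluated = {name: evaluate_option(risk, controls, policy)
                 for name, (controls, policy) in options.items()}
    within = {n: e for n, e in evaluated.items()
              if e["expected_retained_loss"] <= acceptable_retained_loss}
    if not within:
        return None, evaluated   # no option is acceptable; go back to the assess step
    return min(within, key=lambda n: within[n]["total_expected_cost"]), evaluated


# Constructed scenario (hypothetical figures, not from the post).
RANSOMWARE = Risk("ransomware outage", events_per_year=0.2, loss_per_event=2_000_000)
BACKUP_AND_EDR = Control("tested offline backups + EDR", annual_cost=120_000,
                         likelihood_reduction=0.5, impact_reduction=0.6)
CYBER_POLICY = Policy("cyber liability policy", annual_premium=90_000,
                      retention=250_000, limit=1_500_000)

OPTIONS = {
    "accept": ((), None),
    "mitigate": ((BACKUP_AND_EDR,), None),
    "transfer": ((), CYBER_POLICY),
    "mitigate+transfer": ((BACKUP_AND_EDR,), CYBER_POLICY),
}

if __name__ == "__main__":
    best, table = choose_treatment(RANSOMWARE, OPTIONS, acceptable_retained_loss=50_000)
    for name, e in table.items():
        print(f"{name:18} spend={e['spend']:>10,.0f}  retained={e['expected_retained_loss']:>10,.0f}"
              f"  total={e['total_expected_cost']:>10,.0f}")
    print("chosen:", best)
```

With these figures the cheapest option in total is transfer alone, but at a $50,000 appetite its expected retained loss is too high, so the combination of control plus policy is chosen; raise the appetite to $150,000 and transfer alone wins. That is the point of running the loop with numbers: the answer changes with the organisation's tolerance, not just with the price tags.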
There’s a cost to cybersecurity. You’re going to pay one way or another – the only questions are to whom and how much. To me, it’s clearly better to invest in protecting your organization properly, because the costs of not doing so will potentially be much greater in the long run. Furthermore, those costs won’t only involve money but also a company’s reputation and potentially lost productivity, business revenue and profit.