Managing cyber risk is of the utmost importance for any company looking to gain a competitive edge. Cyber risk refers to the risk of financial loss or reputational damage to an organization, due to failure of its information technology services.
We spoke with Justin McCarthy, Chairman of the Global Board for Professional Risk Managers’ International Association (PRMIA), whose combination of banking, technology and regulatory experience has made him a much sought after expert and speaker on many topics including cyber risk. He works as a Strategy, Technology, Governance, Risk and Compliance Consultant, as well as a lecturer and trainer.
Christopher P. Skroupa: How can one’s vendors be a cyber risk?
Justin McCarthy: It’s a good question to ask. Normally when we are considering cyber risk, we ponder threats such as malware, hackers and such. The vendor to which we have outsourced a service like our web site, customer service or our payroll processing hardly seem to be worth considering in the same way.
However, once we partner with these vendors, we will often give them unfettered access to our IT systems and data. Also in areas such as customer service, these vendors may be perceived by customers as being part of your company and not the outsourced vendor. Thus, a data breach at the vendor can be just as damaging as one at your company’s premises.
This aspect can have legal ramifications as well. Here in Europe, stronger data protection laws, and the new incoming regulation known as the General Data Protection Regulation, means such cyber related data breaches are becoming even more of a focus for regulators.
Finally, regulators, in financial entities, expect to continue to be responsible for outsourced service. They will be expected to have proper controls in place and to continue to protect customers’ data, even when it is transmitted to the provider of an outsourced service.
Skroupa: What kind of threats are we seeing from this “vector”?
McCarthy: Some of these threats can still be quite “traditional” cyber risks. Far too often I find myself in consulting work with smaller clients that have outsourced their IT function. I show up to do a cyber risk review, and start by looking for simple items like up to date anti-virus software.
They assume their firewall, AV and especially their operating systems patches are up-to-date, and that they are protected from recent threats like the WannaCry malware. However, a quick check with the IT vendor can find they assume otherwise. Too often I find unpatched mission critical servers that are vulnerable to the simplest cyber-attacks.
If a service, like your company’s website, is outsourced it’s made more visible. A company may have excellent IT security in place for their own offices. However, for the website they are dependent on the vendor’s security. I sometimes ask simple questions like how good is the vendors IT and physical security, and if all security has been tested.
Lastly, again as per an earlier example, sometimes the service outsourced may not be IT specific – e.g. Promotions or Payroll. However, if you are transferring important client data to a third party for marketing and promotion, or employee details for something like payroll, then we need to get assurances from these companies that this data is secure.
Skroupa: How can cyber risk be managed if someone is in the middle of an outsourcing or procurement process, then?
McCarthy: The first and most important thing to do here is to “get legal.” Ask for the contract for the service and review it. Find out what clauses cover you for a loss or exposure of your data due to a cyber-attack on your vendor. Even simpler, and less dramatic, ask what happens to your data when the service concludes – will they destroy or return your data?
Also, look for the Service Level Agreement, and review it for possible risks including cyber risk. How long could your service be unavailable before it is seen to be a “critical issue” by the vendor, and what is the agreed timeline to respond to such an event?
However, you also need to be practical when reviewing these documents – inquire what impact would such an outage have on your business and how could you mitigate such a risk. It may be comforting to know you have a penalty clause and a payment coming if a vendor cannot provide a service due to a cyber-attack… but this would be of little use if you and/or your vendor go out of business due to the cyber-attack!
This practical approach extends to more tangible actions; ask to visit the vendor’s site – what is the security like? Did you have to show ID to get in? What controls did they have in place to protect your data, and access to your systems?
Skroupa: If someone has already engaged an external partner or outsourced some key function then what can they now do to manage their risks?
McCarthy: While you have missed the opportunity to do this during the procurement process, there is still a possibility to address these risks. Go and look at the contract and SLA – it’s not too late to look at these and see if there are any risks. Document these risks, and put an action in place to address this – at the latest – when the contract is being renewed. In the meantime, update your Business Continuation/Disaster Recovery plan based on what you learn from reviewing the contract and SLA.
Finally, if you find that the risk is too great from the vendor then look at mitigating it. Risks can be managed by accepting, transferring, sharing or avoiding them. In an extreme case, you might want to avoid these risks by moving the service to another vendor, or even bringing it back in-house.
Skroupa: I am hearing some good things about Cyber Insurance – will this help?
McCarthy: This can be seen as a way of transferring our cyber risk, the risk is transferred to a third-party, in this case an insurance company.
However, we need to remember that only the financial risk is transferred to an insurance company. A cyber insurance policy does not transfer the risk of a cyber-attack to the insurance company, the attack is still just as likely as before.
If you do choose this option, then look closely at the proposal and any related forms. I have seen clients of mine sign a form saying that they monitor their network and systems. However, a quick check can find this is not the case and this could have an impact if a claim has to be made on the policy.
Finally, read the small print. Understand exactly what you are covered for, and what really are the costs of such a cyber-attack. You may be expecting a good payment if you are attacked – but this only addresses the financial and not other aspects such as reputation. Ask yourself, “can I put a financial value on my reputation?”
McCarthy has worked for a number of leading firms, including Bank of America Merrill Lynch, PricewaterhouseCoopers, EMC and with the Irish Financial Regulator. This work has allowed him to see the changes in risk management throughout and beyond the recent global financial crisis.
His work on the PRISM risk based supervision framework with the Irish Financial Regulator included exposure to banking, funds and insurance risk practices, as well as the quantitative work done on the related impact models and the challenge in feeding valid financial data to these models.
He has a BSc in Computer Science from University College Cork and an MBA from the Michael Smurfit Graduate School of Business at University College Dublin.
McCarthy will be a discussant in The Vendor Vector: Practical Strategies for Due Diligence and Risk Management conversation at the Global Cyber Security Summit in London, UK on October 12-13.