There is no disagreement that society in general, and corporate entities in particular, depend increasingly on data. Companies are investing a lot of their money to create data assets, and part of this data is “Sensitive” in the sense that its loss or compromise can cause huge damage to the Company and its customers.
In a recent limited study conducted in India, the average cost of a data breach in a Company was estimated at around Rs 8.3 crores. This figure would be much higher if the Customers whose data was lost had claimed legal compensation for the breach.
Companies need to decide whether they are willing to absorb such risks or to take suitable steps to counter them.
Unfortunately, financial risks are easily understood by CFOs and CEOs but not by CTOs or CISOs. At the same time, it is the CTOs and CISOs who report to the CFO/CEO the level of technical risk as they perceive it.
Unless the CFO/CEO understands the technical aspects of risk, or the CTO/CISO is able to make a financial assessment of the technical risks, neither of them can match the risks to the risk appetite of the Company.
There is also a psychological problem in CTOs/CISOs sharing their real risk perceptions with CFOs/CEOs: any report of unmitigated risk reflects on the efficiency of the CTO/CISO himself and is therefore self-incriminating.
There is therefore a tendency for the CTO/CISO to understate the risks reported to the CFO/CEO. Since a CFO/CEO who is not adequately informed about the technical aspects of risk cannot challenge the CTO/CISO’s view of the extent of risk faced by the Company, or judge whether it is being underplayed, the Company ends up under-securing its data assets.
In certain cases, the CFO/CEO may also be guilty of putting off required security activities for reasons of financial constraint, in the hope that the company will be lucky enough to avoid any major losses.
Both groups, namely the CFO/CEO on the one hand and the CTO/CISO on the other, will therefore be trading on the probability that threats may not materialize in their environment.
This tendency has been observed in interaction with IS professionals in general and has been corroborated by the Cyber Insurance Survey 2015 that we are presently undertaking. It is amusing to see that many in the technical community are shying away from even responding to the survey, since the questions raise unpleasant memories of the possible ways by which the company may lose money.
This is the classic problem of every insurance agent who meets a prospective customer and tries to convince him that his life is fragile and he needs insurance. At least Life insurance is avoidable, since once a person dies the problems are for the survivors. In the case of Health Insurance, however, people are slowly realizing that living without a Health Insurance cover is dangerous, since they may incur expenses on health and survive to meet the debt liabilities.
The dilemma which Companies need to resolve is precisely this: should I under-secure my assets and face the challenge when it comes, or should I spend today’s profits to cover the fear of a data breach which may never materialize?
Some executives may however feel that Cyber Insurance is like life insurance: if my company dies, so be it; I will move over to some other Company and survive. Unfortunately this logic does not apply to the Promoters and to some CEOs. For them the death of the Company is the end of a life’s ambition.
Both the CEO/Promoter and the CXOs should realize that sometimes the escape will not be smooth enough to say, “let the company die, I will survive elsewhere”, because the law may catch up with them and they may have to bear criminal liability for negligence.
In this context, it is time for the Promoters or the Board of Directors of a Company to take the bull by the horns and question the CFO/CEO/CTO/CISO as a group, asking them tough questions on how they have evaluated the risks, how they have valued them, and what the unabsorbed value of risk is for which the Company should be prepared to write a cheque in case of a data breach.
It is only then that the Company will realize that if the risks absorbed are greater than its risk appetite, it needs to call in a Cyber Insurer and negotiate a “Risk Transfer” contract.
I urge the Directors of all Companies to start thinking in this direction now rather than thinking of wriggling out of a data breach situation after it occurs.
I welcome the comments of CXOs and Directors of Companies on these views.
Naavi