Cybersecurity - A Different Kind of Risk Management
Oct 31, 2013 5:32pm
Joseph V. DeMarco, Partner, DeVore & DeMarco LLP
By definition, risk management involves uncertainty. Decision-makers use analytical models to deal with that uncertainty and are accustomed to models for physical-world risks. The risk of hurricanes, for example, can be forecast using established methodologies. Assessing and mitigating the risk of fire can be performed through the analysis of known factors such as the nature of a building’s construction and design. However, risks tied to cybersecurity expose managers to a greater degree of uncertainty. Indeed, cybersecurity risks must be assessed in the light of indicators that are not always identifiable and that are constantly changing. How can risk managers assess exposures when, for example, the extent of a computer system intrusion may never be known – or knowable? Or the wrongdoer’s identity never revealed? Moreover, in the cyber environment, the amount of data moving around an organization changes every second, the exact number of electronic devices within an organization is unknown, and wrongdoers in the shadows are often eager to remain undetected so they can take advantage of vulnerabilities. Cyber stands out as one risk that merits something of a paradigm shift from traditional risk management.
Yet simply because cyber-risk management is a different kind of risk management does not mean that managers should resign themselves to fecklessness. To the contrary, in light of the ever-increasing legal requirements and liabilities facing an organization that fails to comply with laws and best practices in the area of cybersecurity, it is imperative that managers put in place plans to manage cyber risk and close compliance gaps where they exist, notwithstanding their inability to measure their efforts with actuarial precision. While quantifying cyber risk and mitigation strategies may be hard, it is still axiomatic that addressing cyber risk in governance processes, in addition to good technical and legal compliance efforts, will (1) reduce legal and reputational risk overall, and (2) fulfill a manager’s fiduciary duty obligations to the organization.