Cyber risk is frequently equated with a data breach. That logic is akin to declaring robbery the only traditional risk a business faces. Cyber risks are better understood as the familiar business risks carried over into a company's virtual presence. A comprehensive cyber risk management strategy therefore addresses the entire life cycle of data collection, processing and retention, not just the response and mitigation phase once a cyber event has occurred.
Cyber risk management begins with the creation of a company's risk profile. The liabilities a business regularly encounters should be separated into distinct categories so that each can be assessed and mitigated on its own terms.
The first step in developing a company's risk profile is to distinguish its indirect risks from its direct risks. A company's greatest cyber risk is usually indirect, consisting chiefly of statutory and regulatory compliance obligations, insurance coverage and changes to industry best practices. These risks are also the most volatile, because federal, state, local and industry rules are constantly being revised to keep pace with evolving technological capabilities.
Direct risks are generally within a company's control and divide into internal and external risks. Internal risks are liabilities that arise from employee conduct and from the performance of equipment. Properly implemented non-disclosure policies, termination protocols (including prompt revocation of a departing employee's system access) and routine equipment maintenance mitigate internal cyber risks.
External risks are the ones popularized by media reporting, most commonly data breaches and denial-of-service attacks. These malicious third-party actions can be significantly mitigated by regularly assessing data systems for weaknesses and continuously monitoring them for signs of intrusion.
After developing a risk profile, a business has a clearer understanding of the scope of its cyber liabilities and hazards. That understanding lets it target its cyber policies and protocols where they matter most and, in turn, reduce both the probability and the cost of adverse cyber events.