Many of us have seen cyber security grabbing headlines lately. This past March at GARP, cyber security was a hot topic. Often it’s one of the first things my clients mention to me.
But despite the buzz, cyber security isn’t actually a new thing. Historically, banks and financial providers have long dealt with threats to their IT infrastructure involving cyber criminals breaking in and stealing money. Often it’s been viewed as a cost of doing business.
What’s new today is that cyber theft is no longer only about money. As data theft comes on the scene, the whole equation changes. When social security numbers, credit card numbers, embarrassing e-mails, health records or strategy documents are among the many data items that can be stolen, the challenge no longer is about working to minimize possible monetary damage.
Instead, the risk becomes reputational. The potential for damage to be catastrophic—and instantaneous—is real.
When hackers breach a bank’s security to steal money, it rarely makes headlines. But the theft of information is somehow more damaging and more embarrassing, and the entire world discovers it in an instant—as we’ve seen more than once in global headlines. Money is fungible, and stolen funds are replaced by the banks. Our information is not.
Seemingly overnight, businesses have gone from managing fairly known concerns such as credit risk—which can be measured and, to some degree, predicted—to managing little-known and maybe more damaging risks posed by cyber security gaps.
Is this an IT challenge, or is it a risk management challenge, or both? What can—and should—risk managers do? In my next post we’ll explore what cyber risk looks like these days, and why “cyber security” itself may be a misnomer.