Cyber incident risk is one of the most consequential areas of risk management organizations face today. The risk isn’t new, to be sure; large-scale, high-profile cybercrime goes back at least to 1995, when a hack of Citibank computer systems resulted in the theft of more than $10 million. What’s different now is the dramatic growth we’re seeing in the number, sophistication and severity of attacks. Cybersecurity incidents doubled between 2016 and 2017, from about 82,000 to a record 160,000. And attacks are becoming more targeted and strategic; one example is the recent emergence of malware specifically designed to attack industrial control safety systems. Finally, the costs associated with damages from cyber incidents are skyrocketing—including an increase of more than 15 times in ransomware costs alone from 2015 to 2017.
In this environment, cyber risk has become as much a major business risk as an IT problem. Business and IT leaders are well aware of it: in a recent survey commissioned by RSA, 80% of those responding said they consider security breaches to be a business risk, not just a security risk. Several factors contributed to this shift. For one thing, as more…
