Managing cyber risk effectively means considering the business objectives and setting rules on who can declare a breach has occurred, speakers told insurance professionals at a recent conference.
“There is a big connotation as it relates to the word ‘breach,’” said Michael Eubanks, senior vice president of information technology and chief information officer for the Liquor Control Board of Ontario. “What I have tried to reinforce with my organization is, that is a very serious word and only one person can say that.”
Eubanks made the comment during the International Cyber Risk Management Conference, held by MSA Research Apr. 16 at the Metro Toronto Convention Centre. Panelists were asked by moderator Steve Tenai, a litigation lawyer with Aird and Berlis, about their observations on cyber risk management and technology implementation.
Elaborating on his point, Eubanks said that shortly after assuming his role, he wanted to ensure the LCBO had an incident breach plan.
“One of the things we want to ensure was no one outside of the [office of the chief information security officer] could recommend or suggest that a breach had occurred,” said Eubanks. “The reason why I think this is very important is because all of us watch the news and the media, and we use words loosely.”
Breach notification became mandatory Canada-wide this past November with the implementation of the Digital Privacy Act. As a result, companies must keep logs of all breaches and report breaches if there is a real risk of significant harm.
“I think all of us in (the cyber risk management) space have got different things that happen to us, and by using the wrong words, it can have huge implications,” Eubanks said last week during ICRMC. “Words like breach – only one or a few people are allowed to say it, and that’s based on fact and expertise and responsibility. Because if that is not true, you could certainly go down a path that causes more pain than pleasure.”
Also on the panel was Richard Wilson, Partner for cybersecurity and privacy for PwC Canada.
One IT process Wilson has observed is identity and access management; for example, when a computer system verifies whether a worker has authorization to access a server.
“People started off early by buying tools just to grant access,” Wilson observed. “They quickly realized that there is a massive process that needs to underlie it in order to configure the tools intelligently and effectively. So, for those organizations that really design and understand the process first and then procure tools to support it, they get to high functionality much faster.”
Tenai asked Wilson where a client should start when designing an organization’s technology infrastructure for cyber resilience.
“You start the discussion around technology by not talking about technology,” said Wilson. “You can’t start there. If you do, you are down in the weeds too quickly.”
The risk manager should instead start by considering corporate objectives and what the business is trying to accomplish, Wilson suggested. “If you are a bank, are you trying to grow market share? Are you trying to improve your brand if you are a retailer? You might be trying to protect customer data. You might be trying to digitize your network.”
Those types of questions then lead to another set of questions around risks – such as data breach, ransomware or someone shutting a system down, suggested Wilson.
“With all that in mind, we can say, therefore, what technology – among the processes and the resources – we need to procure, that is directly aligned with recognizing that threats and vulnerabilities relating to that business.”