Cyber risk management

This extract is taken from The Good Governance Guide to Risk. 

Almost all organisations use technology, networks and the internet to process, store and communicate information. An organisation is exposed to cyber risks whenever it uses IT equipment and systems, and especially a network or the internet.

Cyber risk management is concerned with all forms of digital risk. It traditionally falls within the field of information assurance (IA), the practice of assuring that an organisation’s information and technical resources are:

  • secure
  • accessible only to authorised personnel
  • used only for the purposes for which they are intended
  • complete and intact

Information assurance is a well-established discipline that marries risk management with the IT systems, practices and policies of an organisation, applying aspects of corporate governance to the technical infrastructure of an organisation. Information assurance is broken down into a number of distinct areas:

  • Integrity: information assets are accurate and complete within an organisation.
  • Availability: information assets are available when needed.
  • Authenticity: information assets are genuine and their sources are valid.
  • Non-repudiation: transactions and communications of information assets are valid and cannot be denied.
  • Confidentiality: only those who have the right to access information assets can access them.

Information technology and information security activities are a part of IA, but IA goes beyond the traditional boundaries of these activities. Security breaches are only one cause of cyber risk events. Causal factors such as power failures, data corruption, and data entry or processing errors may affect an organisation’s ability to assure the accuracy, completeness and availability of its information. In addition, the rise of social media has added to the range of causal factors and cyber risk events that can occur. For example, employees may make negative comments about their organisation, their colleagues or management on social media, damaging the reputation of the organisation. Employees may also reveal sensitive information on social media platforms.

As cyber technologies change, cyber risk management controls must develop to include both formal IT technical controls and less formal HR-type controls. These formal and informal controls include:

  • Technical controls: system-based safeguards such as access controls, malware protection, encryption and firewalls.
  • Physical controls: physical prevention of unauthorised access (such as secure server rooms and keeping data backups locked away), protection from theft and fire prevention.
  • Procedural controls: acceptable use policies, effective risk assessments and auditing, business continuity planning and asset management registers.
  • People controls: effective recruitment practices, proper staff training and cyber risk awareness programmes.
  • Legal controls: ensuring compliance with relevant legislation, including data protection laws and controls to manage any legal issues that might result from employee misconduct, such as cyberbullying.

All employees have responsibilities for the management of cyber risk; these include complying with acceptable use policies, reporting potential hacking attacks and not revealing sensitive information on social media. Oversight of cyber risk management activities often sits with the IT team. This team may be supported by the risk function and other specialist functions such as HR and compliance, especially in relation to people and legal-related controls.

The Good Governance Guide to Risk
Author: Simon Ashby
Series Editor: Sue Lawrence
Price: £49.95 | Published: June 2021 

Starting with risk identification, evaluation and reporting, this book will guide you through all the steps necessary for robust risk management, ensuring your processes are as rigorous and thorough as possible. The book takes a global perspective on risk and emphasises why managing it properly is essential to organisational success. With various risk management frameworks and approaches, the guidance can be directly applied to all organisation types. What’s more, the book looks forward to the future of risk management, addressing topics such as climate change, financial crime and shareholder activism, helping you stay one step ahead.

The Good Governance Guide to Risk is available to order here

For more resources on risk and risk management, take a look at our risk resource hub.
