Cyber risk is business risk and legal risk


Yesterday, the Norwegian wealth fund Norfund confirmed that the fund was the target of a cyber-attack in March this year, which resulted in a loss of 100 million NOK. According to Norfund, the loss was the result of a sophisticated compromise attack, whereby fraudsters manipulated and falsified the exchange of information between Norfund and a borrowing institution.

Managing cyber security and preparedness is becoming increasingly vital for most businesses as their vulnerability to, and the risk of, cyber-attacks grows. Though the Norfund case is extraordinary in light of the extensive loss suffered, the attack is unlikely to be the only one of its kind. Lately, there has been a dramatic increase in attempted cyber-attacks, which other Norwegian financial institutions also confirm.

So, how can businesses be better prepared for cyber-attacks and ensure proper management if a crisis arises?

First of all, the matter needs to be given top management attention and priority. Cyber security compliance should be part of the business's DNA and strategy. The benefits of having good preparedness plans and tested procedures for cyber risk management in place should not be underestimated.

Analyzing the business's key assets and identifying the highest risks is vital. Only by mapping out the main threats and understanding the overall risk picture can management ensure a solid cyber-risk compliance program. Adopting a strategic approach to cyber security compliance, including proper training of relevant staff, is vital to avoid severe loss and damage.

Management should, however, also focus on increased legal risks and requirements. The business may mitigate the risk of loss by having solid insurance coverage in place. Further, implementing a cyber-risk compliance program will lower the risk of claims for indirect damages suffered by third parties. Another, somewhat less communicated, benefit of having a thorough compliance program in place is the ability to secure funding or prepare for merger or sale situations. M&A due diligence will often – and should – include investigations of the business's data storage and data protection management, including the robustness of its IT security. If a business is lacking in these areas, this may directly affect the willingness to provide funding and the price offered by a potential bidder.