Key Takeaways
- Senior executives must understand cyber risks and act accordingly, for example by creating tangible risk mitigation strategies. Both executive and non-executive directors have to incorporate and challenge cyber risks in strategic planning processes.
- The best prepared organizations are those whose board members are able to ask probing questions to uncover cyber risks within strategic plans. It is worth noting that board members do not need to be cyber experts.
- We expect that governance structures will evolve to keep up with rising cyber threats and that entities will consider cyber risks in all aspects of strategic business decisions.
Cyber attacks remain a top credit risk across geographies and asset classes. Amid increasing technological dependency and global interconnectedness, cyber attacks pose a potential systemic threat and significant single-entity event risk. We view cyber threats among the most significant structural risks and expect they will increasingly impact the credit landscape in the years ahead.
Reality Check: What Does A Cyber-Savvy C-Suite Look Like In Practice?
S&P Global Ratings believes it is critical that issuers' C-suite executives and board members have a basic understanding of cyber risks and incorporate these risks into overall business strategies.
C-suite executives and board members do not need to be cyber specialists, but they should be able to understand and challenge Chief Information Security Officers (CISOs) on cyber security updates. In this way they can contribute to probing cyber risks at a holistic level, detect cyber risks within strategic plans, and, if done systematically, optimize investments in cyber security. Additionally, the involvement of the C-suite can help organizations form a realistic idea of the necessary cyber security spend and may help prioritize cyber security in budget allocations.
Expectations regarding security budgets vary greatly (see chart 1), and it is important to give this matter serious and strategic attention.
Chart 1 (security budget expectations; chart not reproduced in this text)
A deeper understanding of cyber risks that starts at the top is vital to manage and mitigate internal and external cyber threats. CISOs should become a regular fixture at board risk committees to facilitate the information exchange with senior executives and gain a broader strategic view of the business. Attending these meetings also enables CISOs to better align security plans with strategic plans and, at the same time, helps the board understand the business impact of cyber risks. We continue to believe that the C-suite should be more supportive of simulation exercises to gauge and probe cyber resilience. The more sophisticated boards also integrate this within overall business continuity and disaster recovery planning.
The C-suite's understanding of cyber risks is evidenced by the state of its cyber risk management, including the definition of roles and responsibilities and the extent of cyber security contingency plans. Cyber risk management is improved by embedding cyber risk awareness across the entity and by constantly re-evaluating the risk-benefit balance of the data stored within it. These elements are instrumental in avoiding attacks and minimizing costs.
We see the C-suite's reaction to cyber attacks, both from a leadership and a communications point of view, as a yardstick of its cyber security awareness. Prompt and well-considered remedial interactions with employees, customers, investors, and regulators in the wake of cyber attacks can help ensure the stability of credit ratings.
It's All About Communication
Effective communication between the C-suite and CISOs yields results. For example, many organizations find regular, clear, simple, and consistent updates on the effect of cyber risks on strategic priorities immensely useful. This communication allows timely decisions and adjustments and avoids unintended consequences, such as re-work and unbudgeted costs.
Insurers' C-Suite Paved The Way
Insurance companies' board members have demonstrated their ability to comprehend complex topics, such as catastrophe risk and interest rate risk exposure, after capital calculations and modelling procedures became increasingly sophisticated over the past 10 years. Their "secret": board upskilling and training, and the increased involvement of Chief Risk Officers (CROs).
Insurance CROs gained in stature and importance by ensuring that risk considerations are embedded in strategic decision-making. Those insurance companies that are best positioned to tackle complex insurance issues enlisted the expertise of their CROs to maximize profitability and minimize risks. Given the increasingly complex cyber landscape, we expect CISOs, just like CROs in the insurance industry, will be key to ensuring the success of business models and reducing operational (cyber) risks.
What's Next?
We recognize that the evolution of any risk management framework is a dynamic, ongoing challenge and that different entities are at different stages of this process. Board members across industries have increasingly shown their aptitude to ask the right cyber questions. Understanding cyber risks, however, is one thing; detecting and evaluating them is another.
We expect board members will increase their collaboration with CISOs and the heads of other business units to manage cyber risks effectively. Non-executives' insights and their external perspectives are crucial to improve learning and build links with other industries. The most developed and sophisticated boards are those that incorporate potential cyber threats in their strategic plans, actively identify shortcomings, and ensure potential remediation is appropriately resourced. Mere awareness of cyber risks is not enough.
Editor: Kathrin Schindler.
This report does not constitute a rating action.
Primary Credit Analysts: Simon Ashworth, London, +44 20 7176 7243; simon.ashworth@spglobal.com
Martin J Whitworth, London, +44 20 7176 6745; martin.whitworth@spglobal.com
Secondary Contacts: Tiffany Tribbitt, New York, +1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com
Paul Alvarez, Washington D.C., +1 (202) 383 2104; paul.alvarez@spglobal.com
Sudeep K Kesh, New York, +1 (212) 438 7982; sudeep.kesh@spglobal.com
Nik Khakee, New York, +1 (212) 438 2473; nik.khakee@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.