May 2016
Article
AutomatedBuildings.com
Talk about cyber security these days often focuses on technology. As with many things, there are multiple sides that should be discussed. When it comes to cyber security, there is a business side. The negative consequences cyber incidents can cause are disruptive and potentially catastrophic. The value of taking additional measures and procedures to increase the cyber security posture of your systems far outweighs the risk of not making them secure.
On the business side there are a variety of points you need to be aware
of. I have listed below several that are central to today’s cyber
security environment regardless of the type of industry or business you
are in.
Business Ramifications
Cyber incidents can lead to:
- Interruption of business and operations
- Exposure and compromise of intellectual property and sensitive information
- Introduction of malicious files and viruses into the corporate IT network
- Negative publicity, loss of customers and customer confidence
- Brand and company name damage
- Financial issues
- Litigation
- Occupant harm (buildings)
Compliance
Data privacy laws, regulations, and industry best practices are growing
stricter and, in some cases, more complex as they catch up with the
variety of technologies now in widespread use in the enterprise.
Liability and Legal
- Cyber security is a new and growing area of litigation
- The number of class-action lawsuits resulting from cyber incidents is increasing
- Companies that fail to protect user data can now feel the wrath of the Federal Trade Commission (FTC)
- A panel of judges for the Third U.S. Circuit Court of Appeals recently ruled unanimously that the FTC has the legal right to sue companies that fail to protect their customers’ data with proper cyber security measures
- The Securities and Exchange Commission pursued a company that allegedly failed to properly protect its clients’ data in what might be a first-of-its-kind enforcement action
- Wendy’s is facing a class-action lawsuit alleging breach of implied contract, negligence, and violations of Florida's Unfair and Deceptive Trade Practices Act due to a cyber incident. The suit alleges Wendy's acknowledged the cyber weakness and could have prevented the data breach by adopting technology that helps make transactions more secure.
U.S. Cyber Security Act and EU Cyber Directives and General Data Protection Regulations
- United States: The Cyber Security Act of 2015 creates a framework for sharing cyber threat information between private entities and the federal government
- Europe: Cyber security obligations for service operators and providers
- The European General Data Protection Regulation (GDPR) was given final approval
- The new law, when it comes into force in 2018, will hold companies fully accountable for implementing technical and organizational measures as part of a comprehensive data governance policy. Requirements include a data protection officer, investment in new technologies, significantly more documentation and regular assessments.
- Companies will also be legally required to disclose personal data breaches within 72 hours
- Businesses that don't do the work and are found to be in breach of the GDPR will face tough penalties, including fines of up to 4% of a company's total global annual turnover. It’s safe to say this new regulation will have significant implications for companies of all sizes around the world.
State Cyber Laws
- Each state has its own
- Almost all laws have provisions requiring notification within a certain period after detection
- Most appear to make no distinction between losses caused by an entity and losses caused by an entity’s vendor
- Penalties are being assessed per instance. For example, in Florida it can be up to $500,000 in civil penalties per breach for failure to notify in a timely manner; in Louisiana there is a $5,000 penalty per violation if notification is not received within 10 days, with additional penalties for every subsequent day thereafter
Moody’s Ratings
- Cyber threats are treated as event risks and are being taken into account in the Moody’s Ratings evaluation
- Moody’s is looking at the credit implications of good cyber measures: cyber defense, detection, prevention and response
Insurance
Insurance companies are beginning to evaluate and rate a company’s cyber health and insure (or not) and charge accordingly.
Cybersecurity Threat Assessment Rating (CSTAR)
- Industry’s first cyber security preparedness score for businesses
- FICO-like score that allows businesses to measurably understand the risk of data breaches, outages and software vulnerabilities
- Assesses risk and compliance profiles
Financial Institutions
For financial institutions, the Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.
Cyber security can no longer be thought of as a “nice to have”. The operational, financial and reputational impact to a business is tremendous. Security must be considered a fundamental requirement for both the IT side and the operational infrastructure and all the systems that make it up. When it comes to cyber security, the business case is just as important as the technology side.
Businesses face a litany of issues such as unpredictable customer behavior and market fluctuations, all of which are familiar to leaders, who have planned for them. Yet these same leaders are often alarmingly unprepared for the most potentially damaging threat: a cyber incident that could mean the loss of everything … all in a matter of seconds.