Cybersecurity centers around the use of technology, but it is not an issue that can be addressed solely by a company's Information Technology (IT) department. The potential impact of a cyber incident is too significant and requires leadership and awareness from the top of the organization. When Colonial Pipeline was hacked, the company paid a $4.4 million ransom. Some of this money was later recovered, but the attack has cost Colonial Pipeline in other ways.
The company supplies approximately 45% of fuel to the East Coast and elected to shut down operations during the attack, affecting millions of customers with a spike in gasoline prices. Fearing gas shortages amid social media and news hysteria, nervous motorists waited in line at gas stations for hours in some areas. The following month, CEO Joseph Blount was called to testify before the Senate Committee on Homeland Security and Governmental Affairs. Once an obscure part of industrial infrastructure, Colonial Pipeline is now widely recognized as a ransomware victim, exposing the frailties of critical infrastructure to cyber-attacks.
The American Medical Collection Agency (AMCA) was a debt and medical receivables collection agency focused on collecting patient receivables for various third-party clinical-diagnostic laboratories. AMCA collected and maintained PII on millions of patients during normal business operations, including names, home addresses, Social Security numbers, and bank account and credit card information. AMCA invested over $1 million to upgrade its IT systems, but this did not prevent a significant data breach in 2019. After AMCA disclosed this cyber-attack, major clients, including Quest, Labcorp, and others, opted to terminate business with AMCA. In addition to the immediate revenue impact, AMCA began to incur significant costs resulting from the breach, including litigation and remediation. AMCA lacked cyber liability insurance, and the company covered the costs through a $2.5 million loan and company cash. AMCA also sought cost savings through a 75% reduction in headcount. Three months later, AMCA filed for bankruptcy, and the company was eventually dissolved.
The impact of a cyber-attack quickly spills beyond the Information Technology (IT) space, and a company's top leadership needs to address cybersecurity as part of its overall risk management strategy. This holds true both for risk mitigation before a cyber incident occurs and for navigating the company through the crisis when a major cyber-attack occurs.
What is your organization's cyber risk?
A cyber risk appetite statement explicitly defines what an organization has deemed an acceptable risk, and every organization's risk tolerance will be different. This statement should be unambiguous and measurable to enable strategic decision-making for the organization's leadership.
Set your risk appetite in three steps…