Ventiv Technology

The cover story in Risk & Insurance's April issue put it bluntly: "In every industry and at every company size, cyber risk is a foundation-level exposure that every business must confront—one that must be viewed with the same gravity as a company's property, liability or workers' comp risks." That's because in today's world, technology systems are core to companies of all kinds. More and more companies seek to differentiate themselves from their competitors by emphasizing to investors their use of technology and information assets. However, this emphasis on technology is a double-edged sword. For a long time, the primary targets of cyber criminals were technology, financial and healthcare firms. Today, reliance on technology across industries has made cyber risk an equal- opportunity threat. The question for risk managers often comes down to, What's the best way to approach the task of understanding and then ensuring proper mitigation of cyber risks? The answer lies in applying the same risk management principles to cyber risk that hold for any risk. It's also essential to adopt the mindset of viewing cyber risk as an enterprise-wide exposure and not just an IT issue. Complicating matters, however, is the fact that companies of all sizes and varieties today are dependent on third-party, cloud-based business solutions. That means that a great portion of a typical company's cyber exposure lies outside its own systems, with third-party providers. The problem is, in the vast majority of cases, it's simply impossible to know what a third party's policies, procedures and controls are with regard to data access and security. That's why we advise risk managers to begin their immersion in cyber risk with an in-depth analysis of the critical busi- ness systems that have been outsourced to third parties—and prioritize the solutions that host or process sensitive and/or regulated data first. At many companies, employees across the organization are using cloud solutions that require only an end-user license agreement and not a traditional business contract. IT, IS and risk manage- ment teams may have no knowledge of the range of third-party, cloud-based solutions in use across the organization. By extension, there's no knowledge of where the data is located and who has access to it (meaning not only what individuals but what and how many companies have access to it). The Ventiv Technology information security team recommends that organizations conduct a thorough evaluation of their dependence on third-party cloud partners. It's the first step in understanding and identifying the risks associated with using outside software. DAVID BLACK IS VENTIV TECHNOLOGY'S CHIEF INFORMATION SECURITY OFFICER. CONTACT DAVID AT DAVID.BLACK@ VENTIVTECH.COM OR +1-770-308-5423. senior leadership is asking risk managers to take greater ownership of cyber risk. There's a growing consensus that managing cyber risk should no longer be the responsibility only of information security and information technology teams. IT'S AN ACCELERATING TREND: VENTIV TECHNOLOGY ////////////////////////////////// 3SIXTY º | 21

• Cover