In our previous episode of Risk Journeys, Scott explained that context is often the missing element of the cyber risk equation. We asked him to share a few stories from consulting with our global roster of clients, to paint a more vivid picture of the power of risk assessment.
What do you do when a CISO starts talking about vapor clouds?
Can you tell us about that $20 billion event that was cyber-excluded?
We met the security leader of a very large petrochemical refiner. We were having an exploratory discussion on what cyber risk meant to him. And he said, “I’ve got this $5 billion petrochemical refinery plant with pretty advanced technology. If somebody really wanted to… they could get in, over-pressurize a couple of valves and cause some devastating damage. Depending on the way the winds were blowing that day, you would have a huge vapor cloud and take out the entire neighborhood, along with unfathomable loss of life as well as subsequent terminal diseases. That would probably be about a $20 billion event.”
That must have been quite the eye-opener. What happened after that?
The CISO at the company definitely had an ‘aha’ moment when we discussed this scenario. He brought the risk officer into the conversation, and we quickly learned they had absolutely no coverage for such a scenario. Their property insurance policy was chock full of cyber exclusions. Imagine having $5 billion worth of property insurance and no cyber coverage.
That’s such a great example of context, even though quite an alarming one. We heard about another interesting situation you recently experienced. Wasn’t there a healthcare client that had, how do we put it, a bit of a blood problem?
Blood testing crisis: an unusual risk scenario (particularly poignant now)
Yes, it had to do with blood. But first let me take a step back and talk about the trap of thinking about cyber risk without context. On a micro level, and particularly for a healthcare company, focusing on patient health information seems to be the top priority. It surely makes sense if you look at things from a data perspective. After all, personal health records are the most valuable on the dark web. And given all the recent healthcare breaches and their financial consequences, it’s at the top of every healthcare CISO’s mind. So now, turning to this client in healthcare: all their security efforts were geared toward HIPAA compliance and the various HIPAA components for safeguarding patient information.
After we completed our assessment, we discovered a risk that was completely off the radar. They were completely blind to the fact that they had manufacturing facilities producing a large supply of a critical blood testing compound, which could be impacted by a cyber event against the control systems. And they didn’t even have a firewall around the technology running these facilities. They never thought to look there, because those operations didn’t use any protected health information.
The subsequent financial impact would obviously be severe. Once the potential outcome was quantified, this cyber event was quickly pushed to a priority level equivalent to a breach of personal data.
Would it be safe to say that this regulatory-mindset trap often plagues organizations and results in cyber tunnel vision?
Micro focus on regulations: HIPAA compliance isn’t enough for healthcare enterprise
The client was never able to look at their risk from a macro level, being so micro-focused on the regulatory impacts of cyber incidents. Because it’s a hot topic and in the news, they were completely focused on personal information risk. They just didn’t contextualize all the other essential risks to their business functions. They had a far more significant risk to contend with than simply paying a couple of million dollars in HIPAA fines. Imagine the risk of not being able to manufacture this blood testing compound: a domino effect that can lead to a chain of disruptions for the business. It’s unfortunate, as many executives gauge their success by seeing what their peers are doing, and the only risks they’re looking at are the same risks that their peers were impacted by.
Scott often encounters cybersecurity executives who think they are armed with the right tools until Axio dives deeper. In our next episode we discuss how the CISO and CFO can communicate effectively, beyond a color chart.
Thanks for reading Risk Journeys! Every week we highlight a different team member, sharing their story and viewpoints.