2021 heralded a year of record cyberattacks, with the Identity Theft Resource Center (ITRC) reporting that the number of data breaches publicly reported so far this year has already surpassed the total for 2020. With high profile attacks hitting the headlines from the SolarWinds breach and Colonial Pipeline shutdown to the CNA Financial attack, where one of the largest insurance companies in the United States paid a $40 million ransom so that it could continue to operate, risk and compliance have never been more paramount.
Ransomware and supply chain cyberattacks are becoming increasingly systematic, and organizations must have robustly developed, planned and tested risk and resilience frameworks in place. The stakes have been raised and there are no more excuses. There are no second chances. Organizations must adopt a holistic approach to resilience and be proactive in making all business decisions with resilience in mind.
As we reflect on this past year, it raises the question: what is in store for businesses and their risk and compliance strategies in 2022?
Greater focus on ESG and cybersecurity programs in risk modeling
The increase in cyberattacks has driven a more stringent underwriting process, which has led to the maturing of the cyber insurance market, with insurance companies demanding much more from organizations when it comes to risk mitigation. 2021 witnessed a high number of large-scale, devastating cyberattacks that rendered services inoperable, caused severe financial loss and left some users “uninsurable” because of poor cyber hygiene. In 2022, businesses can expect to experience a greater expectation of accountability in minimizing risk as underwriters have grown more aware of what kind of risk controls make effective cyber programs.
Organizations will need to prove to their cyber insurance provider that they have cyber processes and policies in place to prevent a breach. For example, cyber insurance underwriters now expect businesses to adopt multi-factor authentication within their information technology (IT) environment as well as an updated patch management program, air-gapped and encrypted backups and employee awareness and phishing simulations, among other strategies.
Users, employees and investors are increasingly holding companies accountable for their environmental, social and governance (ESG) practices around equality, diversity and climate change. Companies are expected to act morally and responsibly to support the broader objectives of not just their local community, but the wider world. Similar to cyber insurance, insurance companies have linked the strength of ESG programs to predictors for risk and placed increased scrutiny on these programs. At the same time, there is increased momentum around the role of ESG in financial disclosures. For instance, the House of Representatives in the United States recently passed legislation that, if signed into law, would require companies to report ESG metrics. In Europe, SFDR regulations continue to evolve.
As we enter 2022, businesses will need to fully understand the ESG issues that affect their company and ensure that they embed them into their risk management and business operation framework. They will need to ensure ESG policies and procedures are integrated into their culture, systems and processes and be wholly transparent in their ESG approach through structured ESG reporting.
Risk and compliance are taking a primary role as change enablers
There’s no doubt about it — the game has changed when it comes to expectations that companies act responsibly and ethically to support society. It’s more than just a bottom line: stakeholders expect that companies understand their relationship with the world around them. Without a robust risk management framework that includes ESG, resiliency and strong cyber and compliance programs, a company faces serious risk to its reputation, its ability to attract and retain the best talent and users, and its market position as well.
While risk and compliance were once seen as the organization’s police, reacting to violations, misconduct or other wrongdoing, that is no longer the case. As we move into 2022, organizations will be focused on ensuring that risk management and compliance are as central to their ethos as, for instance, superior customer service or employee wellbeing. Ethical behavior and decision-making programs will become increasingly common as leaders overhaul the traditional perception of compliance within the workplace and instill proper risk-related governance where risk and compliance are seen as real change enablers.
Risk and compliance teams within organizations are uniquely suited to work cross-functionally with others in the organization. Their teams have access to all stakeholders and business processes, and they are accustomed to building programs from gray or emerging topics and being effective with limited resources. Risk and compliance will continue in a business-enabling role where they can identify and create strategic opportunities to achieve business goals.
Regulators will also shift to examining the culture of compliance within the organization as part of sentencing guidelines or when determining fines, penalties, etc. if wrongdoing occurred. Organizations must evidence that risk, resilience and compliance are woven into their values and that leadership is setting the appropriate tone from the top. They must demonstrate that they champion a culture of compliance, risk management and ethics and continue to improve this as the company and regulations evolve.
Organizational resilience takes center stage
Resilience is not just about overcoming a disruption or managing to operate in the face of multiple unexpected events outside of an organization’s control — it means much more than that. Organizational resilience is about proactive organizational decision-making, and this involves incorporating the separate functions of governance, risk and compliance alongside other business functions into an organization's objectives.
Next year, we’ll see business leaders focus their attention on creating smarter, more resilient ecosystems. Third-party partnerships will be important to this too, with leaders placing third-party management at the center of strategic risk and operational planning and modeling.
Whilst reputational risk has always been a concern, it has been hugely amplified in the last 12 months. Leaders realize that if an incident does occur, they need to demonstrate that it is not a result of their organization’s culture or values. They need to do this to minimize any reputational damage that a data leak or cyberattack can cause.
Organizational resilience is not just something security leaders do once and it’s done, box ticked. It’s an ever-evolving process that does not occur overnight. Security professionals are all learning together about the appropriate approach to risk and resilience, and the journey is never really finished. It’s about creating a strong sense of organizational priorities and purpose, and mobilizing stakeholders — employees, investors, customers — to personify this and deliver a robust and relevant business model with risk and resilience at its core.