{"id":13954,"date":"2024-04-09T08:46:46","date_gmt":"2024-04-09T12:46:46","guid":{"rendered":"https:\/\/steelcityre.com\/?page_id=13954"},"modified":"2024-05-13T15:44:37","modified_gmt":"2024-05-13T19:44:37","slug":"success-story-reputation-security-protecting-healthcare-company","status":"publish","type":"page","link":"https:\/\/steelcityre.com\/success-story-reputation-security-protecting-healthcare-company\/","title":{"rendered":"Success Story 8 Reputation Security Protecting | Healthcare Company"},"content":{"rendered":"\n
<\/div>
\n
<\/div>
\n
<\/div>\n

Reputation for Security Protecting\u2026 <\/h1>

\u2026a $7bn Healthcare Company<\/p><\/div>\n\n\n\n

<\/p>\n<\/div>\n<\/div><\/section>\n<\/div><\/section>\n\n\n\n

<\/div>
\n
<\/div>
\n
<\/div>\n

Interview: A Reputation for Cyber Security Protects a $7bn Healthcare Company<\/strong><\/h2>
<\/div><\/div>\n\n\n\n
\n
\n

It is generally accepted that the relentless commitment to penetrate cybersecurity defenses will at times succeed against even the best systems. A Chief Information Security Officer, Chief Risk Officer, Enterprise Risk Manager, or a Risk Manager managing this risk must responsibly strengthen both institutional defenses and reputational resilience.<\/p>\n\n\n\n

A limiting condition to the former is the degree to which a firm is exposed through its software or service vendors. Reports indicate that 43% of the most recent incidents across all industries originated at software or service vendors. With the chance of a breach being a coin flip, reputation resilience is necessary.<\/p>\n\n\n\n

Steel City Re imagined a conversation with a risk executive at a publicly-traded health technology company about the new wave of cybersecurity risks and corporate resilience strategies. The conversation, a composite of individual discussions, has been edited for length and clarity.<\/p>\n\n\n\n

Risk Executive.<\/strong> This risk is affecting all of us because investors are having a hard time figuring out which firms are serious about cyber risk management, and which are phoning in their solutions just to be compliant.<\/p>\n\n\n\n

Steel City Re.<\/strong> Would you elaborate?<\/p>\n\n\n\n

Risk Executive.<\/strong> Our work in cyber security is highly technical and involves layers of systems. Risk managers are technically responsible for managing the risk of a system failure. Yet generally they defer to us on processes we would like to implement and insurances we would like to buy because every cyber security engine looks the same to them when they look under the hood. Step outside of the company where visibility is much lower, and investors have no idea if what is under the hood works, or not.<\/p>\n\n\n\n

Steel City Re.<\/strong> If you\u2019ve avoided an incident, isn\u2019t that sufficient proof to an investor?<\/p>\n\n\n\n

Risk Executive.<\/strong> To the cynical, not having an adverse event just means we\u2019ve been lucky.<\/p>\n\n\n\n

Steel City Re.<\/strong> And if there is an adverse event?<\/p>\n\n\n\n

Risk Executive<\/strong>. Having an adverse event means the risk management apparatus is incompetent and the board of directors is asleep at the switch. This is worrisome on a personal level as investors have started suing CISOs along with boards when they believe that they\u2019ve been harmed, meaning, the adverse event triggered the tanking of a firm\u2019s stock price.<\/p>\n\n\n\n

Steel City Re. <\/strong>The idea of strengthening reputation resilience is to prevent the stock price from tanking?<\/p>\n\n\n\n

Risk Executive. <\/strong>Yes.<\/p>\n\n\n\n

Steel City Re.<\/strong> It sounds like you\u2019re dabbling in investor relations.<\/p>\n\n\n\n

Risk Executive.<\/strong> Not at all. My role in strengthening reputation resilience is providing the investor relations professional with a simple, easy-to-understand, and completely credible story of cyber security that they can then present to investors in a way that investors can best appreciate and value.<\/p>\n\n\n\n

Steel City Re. <\/strong>That prevents a stock price drop?<\/p>\n\n\n\n

Risk Executive.<\/strong> It reduces the initial fall and accelerates the recovery. That\u2019s what reputation resilience looks like when seen through an investor\u2019s lens. There\u2019s a significant body of literature on the behavioral economics of it all, and empirical data on how it really works.<\/p>\n\n\n\n

Steel City Re. <\/strong>We\u2019re missing something. We understand there is a $17bn market for cyber security insurance whose sole reason for existence is to provide firms with financial protection. Isn\u2019t your work for investor relations\u2014and building reputation resilience\u2014done once you\u2019ve secured insurance?<\/p>\n\n\n\n

Risk Executive. <\/strong>Not anymore, not today, for two reasons. First, cybersecurity insurance is expensive, does not offer the level of limits we typically need given the costs of an adverse event, and the policies are riddled with exclusions. My own CFO wouldn\u2019t buy more for these reasons, so if we hadn\u2019t strengthened our reputational resilience, a big event would surely eat into our balance sheet, reduce our earnings, and tank our stock.<\/p>\n\n\n\n

Steel City Re. <\/strong>The second reason?<\/p>\n\n\n\n

Risk Executive. <\/strong>The second reason is the reputational impact. Remember that cynical investor? There are also cynical customers, regulators, suppliers, and even employees. Adverse events make them, let me say, \u201csad.\u201d The value of our reputation falls in the minds of sad stakeholders and they don\u2019t want to engage. The operational goals of a reputation risk management program are to keep customers buying, not boycotting; employees working, not fleeing; investors buying, not selling; lenders adjusting interest rates down, not up; regulators deferring, not enforcing; and social license holders acquiescing, not protesting.<\/p>\n\n\n\n

Steel City Re.<\/strong> What can a risk executive do to build a story for investors, and from your last answer, every other stakeholder too?<\/p>\n\n\n\n

Risk Executive.<\/strong> The story we tell here at our firm, condensed, is that we have a thoughtful risk management process and dutiful oversight over our cyber security program which we recognize as a mission critical asset.<\/p>\n\n\n\n

Steel City Re.<\/strong> That\u2019s the story you want investor relations to convey; and perhaps government relations to convey to the regulators. Why?<\/p>\n\n\n\n

Risk Executive. <\/strong>We want to win the minds of the investors so they will not be sad if something goes awry. We want them to give us a break\u2014not to be cynical\u2014and that\u2019s where the risk executive\u2019s work comes to the fore.<\/p>\n\n\n\n

Steel City Re. <\/strong>You had us at hello, but we\u2019re missing the details of what you do and how it works.<\/p>\n\n\n\n

Risk Executive. <\/strong>Let me break down into three parts what we did and why:<\/p>\n\n\n\n