Page 1: Reputational Risk

© 2012 IBM Corporation

Five IT risk management practices of companies with excellent reputations
How security and business continuity can shape the reputation and value of your company

IBM Global Technology Services

Page 2: Reputational Risk

• Definition of IT risk and reputational risk
• Findings from the 2012 Reputational Risk Study
• Financial implications of security breaches
• Recovery from reputational damage
• Five characteristics of companies with excellent reputations
• Ten essential practices and how they can help

Today’s speaker

Philip Kibler, IBM GTS Director, Cyber Security Assessment and Response

Phil has 31 years of IT experience and has led the IBM Professional Security Services business since 2007. Recently he has been focusing on cyber threats and intelligence and marshaling the resources of the IBM Corporation to support clients globally in dealing with the growing Cyber Storm.

Page 3: Reputational Risk

What is reputational risk and why should you care?

Reputational risk and IT:

Reputational risk: a type of risk related to the trustworthiness of a business. Damage to a firm's reputation can result in lost revenue or destruction of shareholder value, even if the company is not found guilty of a crime. Reputational risk can be a matter of corporate trust, but also serves as a tool in crisis prevention.

Source: http://en.wikipedia.org/wiki/Reputational_risk

Equation taken from the International Centre for Financial Regulation

Page 4: Reputational Risk

How do we define IT risk?

Reputational risk and IT:

IT risk is comprised of a number of core components:

• Security and privacy
• Business continuity and disaster recovery
• IT compliance
• Supply chain
• Business transformation
• Product assurance

Page 5: Reputational Risk

Reputational risk and IT: introduction

To find out where and how IT makes its biggest impact on reputational risk, IBM conducted a worldwide study.

#1 IT risks have a major impact on a company’s reputation

#2 Companies have rising IT risk concerns related to emerging technology trends, e.g. cloud and social media

#3 Companies are integrating IT risk and reputational risk management, with the strongest focus on threats to data and systems

Study demographics

• Conducted by the Economist Intelligence Unit, paid for by IBM
• 427 respondents from around the world
• 23 industries
• 15 job titles
• Company sizes from <$500M to >$10B

Page 6: Reputational Risk

Risk exists when …

IBM factors reputational risk into the domain of IT security risk.

Security risk management is the application of controls to detect and block the threat, to detect and fix a vulnerability, or to respond to incidents (impacts) when all else fails. Reputational risk becomes a factor in the evaluation of the potential impact.

Diagram: a Threat (Actor) can exploit a Vulnerability (Weakness) and cause an Impact (Loss).

Page 7: Reputational Risk

Reputational risk and IT: what you can do now

The study identified the 5 key characteristics of companies reporting excellent reputations.

1 Defining characteristic: have a special emphasis on reputational risk with the support of senior management, and have an effective escalation and reporting process

• Integrate IT into reputational risk management
• Have strong/very strong IT risk management capacity
• Have adequate IT risk management funding
• Very strenuously require the supply chain to match standards
• Are very confident/confident in IT risk management related to data breach/data theft

Chart: share of organizations reporting their reputation as Excellent, Very good, or Average or worse that exhibit each characteristic.

Page 8: Reputational Risk

Reputational risk and IT Study: security findings

In the recent IBM reputational risk and IT study, security factors are ranked #1 among IT risks that can cause reputational harm.

• … of respondents identify and manage reputational risk as part of their IT security operations
• … of respondents very strenuously require third-party sources to match their level of IT security
• … of respondents included data breaches, data theft and cybercrime among the IT risks that are most harmful to reputation

Page 9: Reputational Risk

Reputational risk and IT: perception vs. reality

There seems to be a mismatch between how well companies rate their reputation and how well they are protecting it.

80% rate their reputation as excellent or very good

17% rate their company’s overall ability to manage IT risk as very strong

There is room for improvement in almost every organization.

Page 10: Reputational Risk

Reputational risk and IT Study: security findings

We also found critical discrepancies between confidence level and the availability of security threat intelligence to support that confidence.

Perception: … are very confident or confident they can manage IT risks related to data breaches, data theft and cybercrime

Reality: … have access to the latest security threat intelligence; … are proactive in the management of the latest security threats

“IT… is like the heart pumping blood to the whole body, so any failure could threaten the whole organization’s survival.”

— IT manager, French IT and technology company

Page 11: Reputational Risk

Reputational risk and IT: perception vs. reality

Companies may be opening themselves up to unintended reputational risk by ignoring the impact of their partners.

Only 39% of companies are “very strenuously” requiring their vendors, partners and supply chain to match their levels of risk control.

• How many outside sources does your company do business with on a regular basis?
• How thoroughly have you communicated your IT risk mitigation standards to these sources?
• How are you monitoring your sources’ compliance with your standards?

Page 12: Reputational Risk

IT security industry analysts are quantifying and tracking the actual costs of a data breach.

Source: Ponemon Institute LLC, “The Impact of Cybercrime on Business,” May 2012

Page 13: Reputational Risk

Reputational risk and IT Study: security findings

Well-publicized scenarios of financial and reputational impact due to security breaches are in the news every day.

Payment processor: hackers intrude on the core line of business. Nearly 130 million customers affected.

Online gaming community: community and entertainment sites hacked. Around 100 million customer records compromised.

Retailer: customer data stolen over more than 18 months. At least 45 million records stolen.

Estimated costs: up to $900M; up to $500M; $3.6B

Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimates are based on publicly available financial information and published articles.

Page 14: Reputational Risk

Reputational risk and IT: perception vs. reality

The impact on “reputation recovery” is measured in months, not hours or days.

Incident type                                      0-6 months   6-12 months   12+ months
Website outage                                     78%          14%           8%
System failure                                     72%          17%           10%
Workplace compromise                               71%          18%           11%
Data loss                                          70%          17%           12%
Failure to align continuity plans with business    65%          21%           13%
Insufficient DR measures                           63%          24%           12%
Data breach                                        65%          19%           16%
Compliance failure                                 64%          22%           14%

Page 15: Reputational Risk

IBM uses a ten essential practice approach to better manage IT risk and protect client reputations.

1 Risk-aware culture and management
2 Manage incidents with intelligence
3 Defend mobile and social space
4 Security-rich services, by design
5 Automatic security “hygiene”
6 Control network access
7 Address cloud and complexity
8 Manage third-party compliance
9 Secure data, protect privacy
10 Manage the identity lifecycle

Maturity-based approach (diagram): levels Basic, Proficient and Optimized; axes Reactive to Proactive and Manual to Automated; security intelligence.

Page 16: Reputational Risk

Reputational risk and IT: what you can do now

What can you do now?

• Be aware. Do a Risk Security Assessment for visibility and prioritization, as the basis for a proper risk management strategy
• Be proactive. Manage against vulnerabilities for real-time protection against sophisticated attacks
• Be prepared. Have an incident response plan in place to quickly respond to and remediate a breach

Page 17: Reputational Risk

Reputational risk and IT: what you can do now

Learn more about the reputational risk and IT connection, and how IBM can help you protect the reputation and value of your company.

Download the full study report, which includes all you’ve seen today, plus other important findings: www.ibm.com/services/riskstudy

Add your voice to the discussion: take the reputational risk survey online and get a complimentary copy of the upcoming expanded report. Scan the code or go to bit.ly/ibmrisksurvey

Learn more about IBM’s Ten Security Essential Practices: ibm.com/smarter/cai/security

Page 18: Reputational Risk


Thank you for attending!

Page 19: Reputational Risk

© Copyright IBM Corporation 2012

IBM Corporation, IBM Global Services, Route 100, Somers, NY 10589 U.S.A.

Produced in the United States of America, August 2012

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.