The Big One: A CEO Cheat Sheet to Guard against a Massive Cyber Attack


In his 2019 shareholder letter, Warren Buffett mentioned 2 potential risks to his insurance portfolio – Natural Disasters and the “Big One”.

Businesses around the globe have to constantly monitor their online security. Organizations are at constant risk of becoming victims of a cybersecurity attack. But do CEOs ever think about getting hit by the “Big One” – a cyberattack that has disastrous consequences beyond anything that is currently being contemplated?

The economic cost of cybersecurity is increasing fast. In 2017, cyber attacks cost global economies $600 billion. With breaches becoming more common, it’s estimated this number will rise to $6 trillion by 2021. With the frequency of attacks increasing, CEOs realize that the #1 external issue affecting their businesses is cybersecurity and it requires their attention.

The “Big One” that Buffett talks about in his letter could be a game-changer – an attack that can stop a business in its tracks. It could be anything from a material business interruption or an impairment that prevents businesses from conducting transactions to a systemic failure or information warfare that spreads from company to company. The “Big One” can bring an industry or economy to its knees. Because such attacks are unpredictable by nature, their likelihood and potential impact are hard to predict.

This kind of catastrophic attack involves an attacker who will be better and more innovative than you are. Hackers are organized, well-financed, creative, patient and persistent. In addition to your adversaries, your risk can also be determined by your direct supply chain. Your organization is only as strong as the weakest link in your defenses, whether that be in your own company or a supplier or partner.

Cybersecurity is also an area where businesses continually need to increase spending just to maintain an acceptable risk level.  When risks increase, so do premiums. If you do nothing, you’re being negligent. Cybersecurity risks cannot be eliminated. You can only transfer the risk or reduce it. As your costs go up, they may not be keeping pace with risk.

Also keep in mind, new risks don’t work well with old approaches. Ask yourself – should we rethink our cybersecurity risk management services model?  Many businesses have realized that cloud computing offers advantages in addition to avoiding large capital investments that captive data centers require.

Finally, America’s regulators have made one thing clear.  They are not here to help – they’re here to hold you accountable.

Here’s a CEO cheat sheet to deal with a potential cybersecurity “Big One”:

• Do not be complacent. Be proactive. Involve and engage your board members and management to plan and practice for the worst.

• Consider alternative approaches to cyber risk management. This includes outsourcing cyber risk management to be more cost- and risk-effective.

• Regulators are ready to punish. Much more regulation is coming, and it’s going to hold CEOs responsible.

CEOs need to be actively engaged in cyber risk oversight to reduce the risk profile of their organization as well as their own risk profile.

Story via Forbes