How can businesses keep abreast of the evolving cyber risk landscape — especially when it comes to supply chain and regulatory trends? In this week’s episode, Cristina Palomo from Schneider Electric, Aon’s client, discusses new regulations, the changing landscape around cyber risk and how companies can successfully manage a cyber crisis.
Featured in this episode:
Eddie McLaughlin, Global Practice Leader, AGRC, Aon
Cristina Palomo, Cybersecurity Risk & Compliance Director Governance, Schneider Electric
Additional Resources:
Overcoming the Reputational Cost of Cyber Attacks: The 10-Day Plan
Tweetables:
Intro:
Hi everyone, and welcome to the award-winning “On Aon” podcast, where we dive into some of the most pressing topics that businesses and organizations around the world are facing. Today we hear from Cristina Palomo on new regulations, along with the changing landscape for cyber risk and cybersecurity. Now, please welcome this episode’s host, Eddie McLaughlin.
Eddie McLaughlin:
My name is Eddie McLaughlin, and I'm a Global Practice Leader in Aon's Global Risk Consulting business, which is our Risk Advisory Group globally.
According to the Aon Cyber Resilience Report in Q3 2023, one of the greatest challenges with managing cyber attacks across today's supply chain is understanding the third-party or the extended enterprise threat profile. In today's On Aon episode, we're discussing this issue and the evolving cyber risk landscape, with a particular focus on supply chain, regulatory threats and their impacts.
With me today to discuss these issues is Cristina Paloma, who is Cybersecurity Risk and Compliance Director in Governance at Schneider Electric. Thank you so much for being with me today, Cristina.
Cristina Palomo:
Thank you for having me here today, Eddie.
Eddie McLaughlin:
So, in our discussion today, we'd like to get your insights on a few things, please Cristina. Particularly initially starting with the changing cyber landscape and cybersecurity, and then perhaps move on to the changing regulatory environment and pending regulations. At all times, of course, we would like to particularly focus on the cyber risk landscape as it pertains to Schneider Electric. So, perhaps if I could get your thoughts on the initial question, Cristina, which is how have you seen the cyber risk landscape, particularly in Schneider Electric, change over the last few years?
Cristina Palomo:
So, Schneider Electric, it's big company with digital transformation and sustainability ambitions. Sustainability is of course, it's our objective, and this is achieved through leveraging digitalization, which enables better efficiency. However, increasing digitalization is increasing. Of course, our cybersecurity, cybersecurity attacks will face in an already dynamic threat environment.
What we have observed during the last years is that there has been a significant transformation in the cybersecurity landscape, and this is happening because the landscape has been continuously evolving because of… thanks to the technological progress, to the financial incentives and political shifts, making it increasingly challenging for companies to anticipate and prepare for the diverse range of threats that can impact our operations.
In Schneider, our digital footprint is huge. We have IT activities and infrastructure, which needs to be bridge-resistant and bridge-ready. We have our OT activities such as production and delivery, as well as infrastructure such our plants, our identity labs, which need to be protected.
Also, we have our Schneider employees, and especially some population at risk like our VIPs, our top executive, as well as customer-facing populations, shop floor employees, HR people that need to be well-informed and well-trained. We cannot forget our platforms, the platforms that we are using to support our operations and that are customer-facing that must meet higher security standards, requirements, and of course our customers, our standalone acquired companies, partners, and third-party installations that also require to meet with our cybersecurity standards. At the same time as a group, we are developing software, firmware, digital services. We operate in five continents with more than 100 countries with complex regulations and with more than 50,000 unique providers. So, without a doubt, it is a broad landscape, but it's also in our ability to adapt and to respond to this risk where we constantly demonstrate our resilience.
Eddie McLaughlin:
Perhaps an obvious follow-on question. We've just discussed how you've seen this cyber risk landscape evolve over the previous three years. Perhaps we could ask you to look forward, but what is your view on how this cyber landscape might change in the future, say in the next two to three years?
Cristina Palomo:
So, again, with digital transformation as part of our main ambitions, the cybersecurity profile of Schneider, but also for most of the companies, this digital journey needs to continue to evolve, right? We will continue evolving towards more connectivity in our landscape and increasing digitalization of our products. This is expanding, of course, our attacks will face and increasing the exposure where connected products and digital offers could be used as a gateway for malicious and sophisticated cyber attacks. We know that cybercriminals are constantly adapting their tactics and techniques to exploit new vulnerabilities and maximize their benefits. Technologies like artificial intelligence and quantum computing are just a few examples of tools that might be used.
Therefore, organizations like us, like Schneider, need to stay informed about the latest trends to proactively protect our systems and data and to understand our exposure to emerging threats. This is a continuous journey, and yes, cyber-criminals continue to become more sophisticated. However, the Schneider cybersecurity program has been here for more than 10 years and also continues to mature and adopt year over year to address these emerging threats.
Eddie McLaughlin:
Thank you, Cristina. Perhaps turning to another topic that we discussed in our introduction, as we know third-party risk, by that we mean outside the immediate environment of Schneider Electric, such as suppliers, customers, other stakeholders, it's quite acute to control that risk. How does Schneider Electric, how do you determine that third-party risk within your supply chain, and how do you attempt to mitigate or control those threats?
Cristina Palomo:
So, let's just start with some figures and put some context on this and why this third-party risk is so important. 60 percent of companies have experienced a breach in the past two years, and approximately 74 percent of these data breaches occur due to factors out of companies' direct control, like suppliers. The interconnectivity across the supply chain is super complex, and what we are doing in Schneider about this. To manage cybersecurity risk from third parties in a consistent and efficient way the company Schneider has set up a cross-functional program targeting a large range of suppliers from product components to technology providers. And what we are doing is a risk-based approach. Our suppliers are segmented into different risk categories, critical, high, medium, et cetera, based on current and future business strategy, their value proposition, and, of course, risk exposure of these different suppliers. This risk-based approach helps us as the security posture of our suppliers, of course. And this approach delivers a more collaborative and valuable outcome for Schneider, but also for our third parties and our customers.
The program relies on, let's say, three different main topics. The first one is our supplier security management policy with high-level controls and statements to be applied to all our suppliers regardless of their sectors. Second, contract management, so cybersecurity addendum must be signed with all our suppliers based on evaluated risk profile. And third, depending on the evaluated risk profile, cybersecurity and data privacy mitigation measure must be conducted for the selected supplier.
This different data privacy and mitigation measures are, let's say, based on three different points. The first one, we need to ensure compliance, and we are doing this through internal external cyber assessments. We also want to continue monitoring the suppliers. And in Schneider Electric we are doing this through external risk rating services, through regular operating committees, through audits, internal and external when applicable, and also through threat intelligence. So, from Schneider we monitor the dark web to gather any information of possible exploitation or threat in our supplier environment.
And then the last measure that we are always taking into account is documentation on supplier incidents and to capture and respond if needed. With this, the main benefit that we are obtaining is making cybersecurity top of mind in supplier interactions and also enabling a transparency mindset to ensure that supplier vulnerabilities and incidents are known.
Eddie McLaughlin:
Thank you, Cristina. A tough topic, but obviously an area that is front and center of cyber electrics security protocols. One other thing that you touched on as it pertains to compliance was regulatory risk, a big area. But may I ask you, how do you keep track and manage compliance with shifting regulations across five continents and a hundred countries within Schneider Electric?
Cristina Palomo:
So, we operate exactly in five continents, 100 countries with their complex regulations, right? So, we need to operationalize how we answer to these regulations and in our company, when we identify a new regulation that affects us and requires compliance, we have a systematic and repetitive approach to operationalize this internally. What we are doing is to use this approach not only for new regulations, but also to ensure that our organization, for instance, is aligned with international standards, with laws, with policies, okay? It's not only for regulations. The first thing that we are doing is to understand the regulation. This seems simple and easy, but it's something that we need to do. And this means reviewing the requirements one by one and translating them into the company-specific landscape to anticipate their impact. For instance, questions like, has my company identified this specific cyber risk? Is there an appropriate cybersecurity policy in place? Are employees regularly training this specific requirement? Do we have a process in place or a procedure to detect, report and respond about this specific incident? These are the questions that are raised in order to better understand the regulations' requirements and move in the right direction. Through this step, our company maps the requirements with our internal initiatives, and the main approach here is not to build new programs, but enrich the current ones or complement them, if needed.
The second step after understanding the regulation is to review our policies. The natural way that we have in this matter to respond to any regulation in our company is through our internal policy framework. Okay. The policies are the backbone of our company's cyber posture. They are the ones that are providing the rules, the guidelines, the directions to ensure secure behaviors and practices. And mapping each requirement, which these policies ensure that the regulations requirements are addressed in the company and helps to identify and advance any area of attention.
Also, organizations like us where we are also ISO 27001 certified, mapping with these standards is also very helpful to understand and to get a first idea of the maturity level of the organization.
Then the next step is to identify the owners, owners to implement these main gaps identified because to meet compliance, we need to implement actions and tasks and monitoring through accountable people. And identifying the accountable owners is super important for us. Once this is done here, then we have already the mechanisms to ensure that all our teams are aware and ready to comply and to then naturally implement the actions identified.
Eddie McLaughlin:
How does reputation risk feature in your cyber risk management program, if at all, Cristina?
Cristina Palomo:
So, how stakeholders perceive our organization is key for us. Trust is essential. While cyber risk and reputational risk are two different concepts, one can have a huge impact on the other. And any customer, of course, will differentiate between our organization and a national supplier. And this is why our aim is to collaborate with all of our suppliers and to reduce any threat that could affect our customers, interrupt the business continuity, violate compliance of private, of sensitive information, and ultimately, of course match that our business reputation. What is the Schneider approach here? Reputational risk is embedded in any single cyber risk scenario that we assess, and this is something that we are doing on a yearly basis, and of course reputational consequences and are also proactively reviewed and managed as part of our cyber initiative. The reputation risk assessments are part of our regular risk assessment. And then, of course, the initiatives identified to mitigate this risk are the consequence of this.
We are also continuously monitoring our social media, preparing potential crisis simulations plans, having our robust incident response communication plans, and training our staff to handle potential reputation damaging incidents. But reputation is synonymous with trust, and we are in close collaboration with industry, with governments and security organizations to ensure compliance for our company and our customers. We work to ensure that our security posture is articulated jointly with our customers and with authorities, as we believe collaboration is key to bringing trust across the value chain.
Eddie McLaughlin:
We've talked a great deal about your mitigation process, your assessment process, but of course, it is impossible to eliminate all cyber risk and according to the cyber resilience report that we mentioned earlier, but 70 percent of overall losses incurred during the first 10 days in the form of direct losses. So, I guess the question here is, is there an upside or is there a positive potential from managing a cyber crisis event well, and if you haven't seen a crisis here, how do you make sure that you're resilient in the event of a crisis, Cristina? And I know it's a big question, so I welcome your insight on that.
Cristina Palomo:
So let me answer with a very simple and clear sentence, if a company hasn't managed a cyber crisis, simulate one. Okay. Managing a cyber crisis event well is invaluable for organizations, and of course it minimizes the potential damage to the reputation, finance and operations, and the effective crisis management maintains the customer trust and loyalty, of course. In this perspective, the cyber crisis simulations exercise plays a crucial role allowing organizations to better prepare for these critical situations. And the benefit that in Schneider we obtain after this crisis simulation exercises is very wide. We train cyber and non-cyber senior executives at the country level in a real environment for the most severe scenarios. We strengthen our relationships with external parties, with customers, with national authorities, with CSOs, etc., mainly because we are doing crisis simulations, which are very realistic, and we are also involving external parties. We fortify our internal awareness and communication, and also at the same time, we are evaluating and enhancing our cybersecurity response and crisis processes.
Eddie McLaughlin:
Cristina, thank you so much for joining us today. Much obliged for your insights and your thoughts and perspectives. That's our show for today. Thank you all for listening. In the next few months, we'll have similar discussions with leading practitioners on workforce resilience, risk transfer, and other hot topics. Until next time, thank you all for joining us.
Outro:
Thanks for tuning in to the latest episode of “On Aon” with our episode host, Eddie McLaughlin, and today’s expert, Cristina Palomo, for a discussion on new regulations, along with the changing landscape for cyber risk and cybersecurity. If you enjoyed this episode, don’t forget to subscribe wherever you get your podcasts, and stay tuned for our next conversation featuring industry experts bringing you the latest on topics, including climate risk, workforce wellbeing, ESG trends, and be sure to stay tuned for our next episode during Cybersecurity Awareness Month on the predictions post-CrowdStrike. Be sure to check out our show notes and visit our website at Aon dot com to learn more about Aon.