How Risk Managers Can Manage Cyber Risk
We recently attended our first RIMS Annual Conference in Boston. It’s the largest gathering of risk management professionals. The conference primarily serves corporate risk managers and members of the insurance industry, and over 10,000 attended. It was a wonderful opportunity to hear cyber risk concerns from a large number of risk managers and to better understand the challenges they face.
Here are the 3 most significant risk management challenges we observed, along with our responses:
Cyber risk is the greatest threat to most organizations.
Continued growth in the frequency and impact of cyber breaches means current cyber risk mitigation is inadequate. High-profile breaches like Equifax, which currently faces a stack of lawsuits exceeding three times its market valuation, highlight the existential risk faced by organizations of all sizes.
A huge disconnect exists between spending on breaches and their actual causes. Equifax’s CEO blamed their massive breach on a failure to apply software patches. It was later revealed that the company’s cybersecurity program had received a rating of zero on a 10-point scale 11 months earlier. A proper response would have instituted policies and processes to ensure regular application of patches.
Response: Realize that most cyber breaches are not failures of technology. They result instead from a failure to establish comprehensive policies and procedures that preclude simple mistakes. Make sure to take a comprehensive view of cyber risk and to engage appropriate stakeholders across the organization in mitigating cyber risk.
Cyber risk is still too often viewed as a technology problem.
The highly technical nature of cybersecurity can intimidate risk managers, causing them to defer responsibility to the technical staff. While cyber risk is unique, effectively managing it is similar to financial risk management: the vast majority of issues require that effective policies and processes are implemented and followed. This certainly falls within the core competencies of all professional risk managers.
New forms of cybercrime require a higher level of training and awareness across the entire organization, and they require more stakeholders to engage in risk mitigation. For example, the HR staff must look at their responsibilities through the lens of cyber risk prevention. Background checks and awareness education are just two obvious ways they can contribute to cyber resilience.
Response: Managing financial risk requires more than ensuring that good operational technology is in place to support it. It requires that the right policies, procedures, and people are put in place, and that appropriate parts of the entire organization are engaged. Similarly, risk managers should ensure that the organization takes a comprehensive approach to mitigating cyber risk.
Most organizations focus too little on third-party cyber risk.
We were surprised to learn how little awareness of third-party risk exists. After major breaches, the spotlight is initially on direct (first-party) damages to customers, with the most common form of reparation being identity protection policies for affected groups. That is important, of course, but some of the largest suits (and settlements) are based on derivative lawsuits, i.e. suits filed by third parties.
For example, the UK Information Commissioner’s Office (ICO) fined Yahoo £250,000 and slammed the company for its negligent, irresponsible behavior. The first-ever US case brought directly against Yahoo management and the board resulted initially in a $29 million settlement. Later, the settlement was rejected by a US district judge as not “fundamentally fair, adequate, and reasonable,” and the settlement amount has now been raised to $117,500,000.
Corporate board members continue to rely on D&O policies and principles of Delaware law like “reasonable judgment” and “duty of care” for protection from personal liability. The ongoing outcomes of cases like Yahoo and Equifax should cause major concern, and risk officers should investigate stronger liability protection for directors and officers.
Response: Assess cyber risk using standards, then monitor, audit, and certify the results. Strongly consider using the NIST Cyber Security Framework (NIST CSF), the national standard for managing cyber risk. Relying on this standard developed by 3,000 experts will guide you to the most significant areas that need focus. Also investigate the Department of Homeland Security’s SAFETY Act’s liability protection that extends the government’s sovereign immunity from prosecution to users of designated SAFETY Act solutions. (Full Disclosure: Cybernance was the first to automate NIST CSF into its platform in 2015, and it is designated as a “Qualified Anti-Terrorism Technology” by DHS.)
It’s easy for a risk manager to believe their technical expertise is insufficient to manage cyber risk. In fact, ensuring that the organization addresses all the key risk areas is straightforward. Professional risk managers and internal auditors already have the soft skills and process knowledge needed to engage the entire organization in mitigating risk. Expanding risk management and internal auditing to cover cyber risk is a natural extension of their responsibilities.
To find out more about cyber risk management, check out cybernance.com/RIMS.
A Special Thank You
We wish to publicly thank Audrey Rampinelli, the former Chief Risk Officer of Loew’s Corporation in New York, for inviting us to participate in the first RIMS InsureTech “Start-Up Stadium.” Audrey is widely recognized as a risk management expert who can get an immediate response from anyone at the highest levels in the insurance industry. We greatly appreciate Audrey’s help and encouragement.