Risk managers urged to lead cyber charge as companies struggle with GDPR

With a worryingly small percentage of companies in the Benelux region ready for the forthcoming General Data Protection Regulation (GDPR), risk managers were urged by experts at our Risk Frontiers conference in Brussels to sieze the opportunity and take control of cyber governance within their organisations, to address this and other areas of concern. Speaking at the event, Ferma president Jo Willaert urged all European companies to adopt the cyber risk governance model put forward by his federation and the European Confederation of Institutes of Internal Auditing (ECIIA). For larger organisations, this includes a cyber risk governance group headed by the risk manager to ensure this pressing threat is better managed. Other experts agreed that this approach is much needed as cyber risk grows. Brokers at the Cyber Risk – Rising to the Challenge conference said that better cyber risk management and governance is needed to protect companies, particularly when it comes to the GDPR that will come into force across the EU in May 2018. Sjaak Schouteren, manager of cyber risk solutions in the Netherlands at Aon, highlighted research by his firm that finds as few as 5% of Dutch companies are already compliant with the GDPR. He said an even smaller percentage of Belgium firms are ready. “So please take action,” urged Mr Schouteren. Fellow broker Véronique Franken, Finpro leader of Marsh Belgium and Luxembourg, gave similar figures. She said that only 8% of companies surveyed by Marsh in her territory are fully compliant with the GDPR. Mr Schouteren said beyond the huge potential fines under the GDPR, falling foul of the new requirements is potentially a “reputation wrecker”. He believes many companies simply underestimate the work involved in complying with the regulation. “Often when I leave a client they say they knew they had to do something but they didn’t know how much. People do see the impact, but there are quite a lot of companies that remain ignorant at this phase,” added Mr Schouteren. In his presentation at the event sponsored by AIG, Aon, Chubb and Marsh, Ferma president Mr Willaert urged firms to adopt the federation’s cyber risk governance model. This includes the adoption of a cyber risk governance group at large firms, led by the risk manager. Such an approach will help organisations deal with the whole range of growing cyber risks, including those related to the GDPR, said Mr Willaert, who is also corporate risk manager for Agfa-Gevaert in Belgium. He said the new structure put forward by Ferma and the ECIIA earlier this year is needed to bridge the gap between operations and management when it comes to cyber risk. Ferma’s president explained that the federation’s recommendations for a cyber risk governance model, published in a report this June, aim to develop a framework to help organisations of all sizes identify and mitigate cyber risk. The main proposal is for a risk manager-led, cross-function cyber risk governance group to be created in companies of suitable size, which reports to the risk committee. This group should be composed of operational functions from the first and second line of defence to determine cyber risk exposures in financial terms and design possible mitigation plans. Failure to adopt this structure will likely mean cyber risk is not managed adequately, said Mr Willaert. “I definitely say this new group is necessary and I strongly believe that if we don’t structure the cyber risk exposures in a format like we propose, the risk will continue to be manged like it was in the past, in silos. That is really my message,” he said. “The idea is to make the structure of a company more appropriate and have no more silos. The idea is to have a global view on the translation of cyber risks in financial issues. That is the only subject that management understands,” he added. Mr Willaert went on to explain that this extra group is needed to plug the gap between those in the business that understand cyber risk and the board, which should ultimately decide how it is managed. “We need a bridge between the people who know what the risks are and the people who decide what they will do with these cyber risks, and how they will incorporate these exposures in their strategy. This is not possible without the bridge of risk management. In large companies, we need that extra group or committee, because there are usually no operations people on risk committees of large companies, only management. So, in order to ensure a flow of communication to the risk committee, we consider that extra executive group necessary because cyber risk is so large,” he said. Although Mr Willaert believes cyber is taken seriously by CEOs and boards in most larger companies, he feels there remains a long way to go to fully manage the risk. Ferma and the ECIIA believe that corporate governance is often not taken into account when it comes to cybersecurity. They argued that as cybersecurity becomes an entreprise-wide risk and digitalisation a source of value and opportunities, corporate governance must reflect this new status. The two associations’ joint cyber risk governance model therefore tries to offer a solution to meet the growing cyber threat and needs of modern businesses. Kyle Bryant, regional cyber risk manager for Europe at Chubb, agreed that cyber governance is the foundation on which cyber risk needs to be managed, and praised Ferma’s proposals. “I think the work Ferma has put in to create this framework is great, it’s fantastic,” said Mr Bryant at the event. “I think you have to start with governance. If you don’t have the right framework to implement the right policies, with ownership and a regular continuous improvement process, your application of security policies and procedures can become irrelevant rather quickly.” He said a major benefit of governance frameworks is they tend to break down silos, but stressed they must given more than just lip service. “You have to have more than good intentions. Implementing that framework once is not good enough, you have to continually improve with regular meetings and modifications to make sure you are picking up on the ever-changing risk,” said the expert. Although Mr Bryant backed Ferma’s cyber risk governance model and believes one person with the capacity and expertise to drive change needs to oversee cyber risk management, he believes the role does not necessarily have to be fulfilled by the risk manager. Other individuals can be well placed to do that job in some organisations, argued Mr Bryant. But he believes risk managers are a viable option, well placed for this task and can increase their profile by leading the charge. “Boards need someone taking that mantle. While some may not feel they have the technical expertise to pick up the technology piece, and provided they can build a team to help them with that side of things, I think risk managers are the appropriate party to take on that role. It will help them move up the level of influence within an organisation,” said Mr Bryant. He added: “You need to get buy in from c-suite and say: ‘here is our organisational framework for managing the exposure, here is how we are going to implement it and here is who we need on board’. Risk managers bringing that to the board have a pretty powerful message because they are building the foundation from day one on which to build the house.”

Risk managers urged to lead cyber charge as companies struggle with GDPR

Want to read this article?

Read Next

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Want to read this article?

Read Next

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Related Articles