Ferma survey suggests lack of ERM to meet cyber threats
The survey found that 75% of respondents reported a growing concern around cyber risks while more than half also said that board involvement in managing cyber risk was growing.
But these positive developments are tempered by the fact that only 44.1% of surveyed risk managers reported an increase in their company’s budget for managing cyber risks while only 16.3% of the canvassed companies have a chief information security officer dedicated to managing cyber security. A far larger percentage (40%) reported that this task typically fell to either a chief information officer or the head of IT.
There were more contradictory findings from the survey. For example, the majority of respondents expressed the need for government and business to work more closely together, yet new regulation around data protection rules is one of their biggest concerns (55%), along with the adoption of mandatory notification measures in the event of a data breach (48.7%).
Meanwhile, more than a third (36%) of risk managers said that information security training is conducted at an enterprise-wide level involving all employees yet the same number said that such training takes place only once a year or once every two years.
The Ferma survey results were presented as part of a webinar featuring four speakers who discussed the wider issues around cyber risk and the role that insurance should play in its management.
The first of these speakers, Andrew Horrocks, a partner at law firm Clyde & Co, outlined the exposure that companies face from new EU data protection rules, most notably the increase in fines for data privacy breaches, which he described as a ‘very wide ranging and important change’.
Mr Horrocks also highlighted the current limit available in insurance policies for such fines, which in the UK is £500,000. The biggest fine for a UK company under current data protection legislation is £350,000 but this could well change under the new rules.
“The UK limit will go right through the roof if the new EU directive goes through in two to three years’ time. Fines could run into millions and companies not even headquartered in the EU could face fines equaling 2% of their worldwide turnover. It is a significant change,” he said.
Julia Graham, Chief Risk Officer for DLA Piper, the world’s largest law firm, emphasised the importance of adopting an enterprise risk management (ERM) approach to cyber risk. “Too many people are looking at cyber risk as an IT issue. I think it is a classic enterprise risk and you really need the whole business to consider this risk from their perspective.”
Companies also have to consider that cyber exposures are composed of both the more obvious everyday, short-term, tactical risks and the less obvious strategic risk or black swans that are harder to predict and have a deeper and wider impact on the business. “Too many businesses only look at the tactical risks,” said Ms Graham.
Ms Graham also referred to the survey’s finding that less than half of the canvassed companies have increased their information security budgets despite the fact that many boards are more concerned than ever by cyber risk.
One reason for this, and for many of the other tensions in the Ferma survey results, could be the question of who is leading the effort on cyber risk, suggested Ms Graham. “This is still often the domain of the chief information officer, which is fine as long as the rest of the business is involved.”
At DLA Piper Ms Graham has established a governance advisory board to act as a steering group for cyber risk management. It brings all the different facets of the business together (marketing, finance, HR, information security, compliance/audit and risk managers) and advises the main board on the core principles of cyber risk management.
One of these principles, and a key component in engendering more boardroom involvement (another issue raised in the Ferma survey), is to use a language that everybody can understand when addressing cyber risk issues. “Technical jargon can be very demanding and if I don’t understand it, then the board won’t understand it either,” said the risk manager.
Ms Graham also suggested that companies invite third parties to address the board on cyber risk issues to ‘bring some of these risks to life’, and praised the efforts of a number of government initiatives such as the Centre for the Protection of National Infrastructure in raising awareness among senior executives.
The importance of addressing cyber risk issues as a united business rather than through disparate departmental efforts was also emphasised by Jérôme Gossé, Financial Lines Underwriter, Zurich Global Corporate France when explaining the help on offer from insurers. “Insurance is not the solution to cyber risk. It is the last step but it is an essential step and one that has to involve every department.”
The role of insurers has become more important, argued Mr Gossé, because the frequency, cost and publicity surrounding cyber risk events are increasing and companies are increasingly reliant on new technologies like cloud computing and remote access that create new vulnerabilities.
The task for the insurers is to fill the gaps left by traditional insurance policies that were not designed to cover cyber risk and cannot be easily extended. For example, the legal liability that results from an IT security breach is not typically covered under traditional liability policies. And, given the imminent changes to the EU data protection laws, this is likely to be an area of growing importance for European companies.
Companies considering risk transfer via insurance must therefore consider the likely financial impact from cyber risks, review what coverage they have through existing policies and then decide what risks are insurable and what risks they can feasibly mitigate themselves.