Italian risk managers must adopt enterprise-wide cyber approach

Italian companies must face up to the rapidly rising cyber threat with an enterprise-wide risk management response rather than simply relying on insurance, agreed a panel of experts gathered by Italian risk and insurance management association Anra for its latest ERM seminar in Milan. Sonia Peron, chair of the Italian board of statutory auditors, also reminded more than 100 Italian risk and insurance managers in the room that paying ransomware is no quick fix and can mean that victim firms fail to really dig into their vulnerabilities and address underlying exposures. Luca Bechelli, partner, information and cyber security at specialist IT and cyber consulting firm P41, pointed to latest numbers from Clusit, the Italian association of information security, as a stark reminder why cyber risk needs to be addressed at the highest level and on an enterprise-wide basis. The Clusit 2023 report found that last year was the worst ever for cybersecurity, with a 21% increase in cyberattacks worldwide and 169% in Italy alone, Bechelli told Anra members. It is clear that the Italian authorities are well aware of the rising cyber threat, which is partly blamed on the conflict in Ukraine and state-sponsored Russian hackers. Last May, the Italian government under former Prime Minister Mario Draghi said it was “getting real” about cybersecurity and would devote 1.2% of gross national investment a year to it. This commitment formed part of a new national cybersecurity strategy presented by Roberto Baldoni, director of the Italian National Cybersecurity Agency (NCA), and Undersecretary of State Franco Gabrielli. “Italy wants to pursue strategic autonomy and digital sovereignty through a cybersecurity ecosystem based on public-private partnership,” said Draghi at the time. This was clearly positive news for Italian business and consumers but Bechelli stressed that this risk needs to be dealt with by all firms sooner rather than later because the risk landscape changes at the “speed of light”. “The risk manager is used to dealing with risks on a time scale measured in decades, while for cyber risk a five-year assessment is extreme because this type of threat changes at the speed of light… you cannot wait longer than a few months,” he said. Giulio Coraggio, head of intellectual property and technology at the Italian arm of global law firm DLA Piper, stressed that cyber insurance is not the simple answer. An “ad hoc” insurance policy does not solve the problem, he said. "All companies want a cybersecurity policy but often they are not insurable because they are… such a high cyber risk that the insurer does not want to take charge of it. Legal advice can help in handling the incident in establishing legal privilege," said Coraggio. The discussion then turned to whether companies should pay ransom demands following a cyberattack. Peron stressed the dangers of paying ransomware and hoping that the problem will simply go away. "Paying the ransom apparently seems the simplest solution but it is not because it hides a series of pitfalls and a series of risks that must absolutely be evaluated,” she said. She said companies that pay ransoms need to be aware of the complex regulatory and legal landscape. “While the person who suffers the ransom is defined as a simple victim, for private companies we find ourselves in a sort of regulatory vacuum. If those who claim responsibility for the attack are international organisations recognised as terrorist in nature, the paying company can be held responsible for having financed the criminal activity,” she said. Anra vice president Paola Radaelli, senior risk management consultant at Strategic Group and moderator of the session, stressed that this dangerous legal landscape means cyber risks must be managed enterprise wide.

Italian risk managers must adopt enterprise-wide cyber approach

Insurance and ransom payments not always the answer: Anra

Want to read this article?

Read Next

Evolving modern slavery risk poses mounting supply chain challenges

R&Q confirms talks to sell Accredited

Continued rate hikes forecast for energy buyers: Amwins

Final recommendations published by Taskforce on Nature-related Financial Disclosures

Generali GC&C strengthens senior leadership in Asia

Evolving modern slavery risk poses mounting supply chain challenges

R&Q confirms talks to sell Accredited

Continued rate hikes forecast for energy buyers: Amwins

Final recommendations published by Taskforce on Nature-related Financial Disclosures

Generali GC&C strengthens senior leadership in Asia

This website uses cookies to improve your experience. You can review our Cookie Policy here.

Want to read this article?

Read Next

Evolving modern slavery risk poses mounting supply chain challenges

R&Q confirms talks to sell Accredited

Continued rate hikes forecast for energy buyers: Amwins

Final recommendations published by Taskforce on Nature-related Financial Disclosures

Generali GC&C strengthens senior leadership in Asia

Related Articles

This website uses cookies to improve your experience. You can review our Cookie Policy here.