Risk managers welcome UK government cyber security guide
Julia Graham, Chief Risk Officer at Anglo-American law firm DLA Piper—the largest in the world—said that she was ‘very pleased’ that the UK government introduced the cyber security guidelines ‘because hearing these things from figures of authority can make a difference’.
Ms Graham was speaking at the Risk Frontiers, Cyber Risk seminar—run by Commercial Risk Europe—and held in Brussels in conjunction with Belrim, the Belgian Risk Management Association.
The challenge of gathering boardroom support for cyber risk management programmes and the financial resources for IT security technology and specialist insurance coverage has often been cited as a barrier to a more secure business environment.
This challenge has also been recognised by the UK government that launched the 10 Steps to Cyber Security guidance in September 2012 as part of its overall Cyber Security Strategy, which was launched in November 2011. It is designed to help the private sector to brand the UK as a safe place to operate online.
The guidance was commissioned by the UK’s Department for Business, Innovation and Skills (DBIS) and jointly produced by the CESG, the information security arm of the Government Central Headquarters (GCHQ), and the Centre for the Protection of National Infrastructure (CPNI).
According to the DBIS, too few company chief executives and chairs take a direct interest in protecting their businesses from cyber threats.
Consequently, the government insisted that the country’s top chairmen and chief executives were at the guidance launch. They heard first-hand GCHQ’s view on cyber threats and advice on how to safeguard a company’s most valuable assets, such as personal data, online services and intellectual property.
In addition to the FTSE 100 chairs and CEOs, the launch event was attended by ministers from the BIS, Foreign Office, Cabinet Office, Home Office and senior figures from the intelligence agencies.
Speaking at the event, UK Business Secretary Vince Cable said: “Cyber security threats pose a real and significant risk to UK business by targeting valuable assets such as data and intellectual property. By properly protecting themselves against attacks companies are protecting their bottom line. Ensuring this happens should be the responsibility of any chief executive or chair as part of an approach to good corporate governance which secures a business for the long term.”
According to Ms Graham, the event had an immediate impact. “Our chairman does not like writing things down but immediately after the meeting he wrote to the CEO to ask what we were doing about cyber risk so it instantly put it in that boardroom domain. It got that board level buy-in because the message came from the very top and they heard it from a source they couldn’t argue with.”
Other risk managers speaking at the Risk Frontiers event in Brussels agreed that achieving board level acceptance has been a sizeable challenge in improving cyber risk management. “Progress has not been easy because it is difficult to communicate to the board that they are responsible and that it is their liability,” said Kathryn Rauhut, Strategic Advisor at the World Institute for Nuclear Security.
“Fukushima was a criminal liability at executive level. In the nuclear industry security is seen as something that involves guards, gates and guns so we have to change their perspective and get the board to look at it differently and provide the resources,” she added.
In addition to applauding the way the UK government targeted top executives and ‘scared them to death’, Ms Graham also praised the content of the guidebook. “The guide explains cyber security in a way that senior managers can understand, and that is important. There is a lot of information out there but it has to be summarised for the board. And if you follow these 10 steps then you will cover 80% of the ground and the most effective elements are the ones that do not cost much.”
The 10-step guide offers some high-level questions that the BIS believes will help executives determine their critical information assets, support them in their strategic-level risk discussions and help them ensure that they have the right safeguards and cultures in place.
In addition to the 10-step guide, which is aimed specifically at company chiefs, there is also an executive companion that discusses how cyber security is one of the biggest challenges facing business and the wider UK economy today.
It offers guidance for businesses on how, together with UK authorities, they can make the UK’s networks more resilient and protect key information assets against cyber threats. The document focuses on key points of risk management and corporate governance and includes some anonymised case studies based on real events.
The third and final product supports the executive companion and provides more detailed cyber security information and advice for 10 critical areas, covering both technical and process/cultural areas.
“If implemented as a set it can substantially reduce the cyber risk by helping to prevent or deter the majority of types of attacks. For each of these 10 areas, we have summarised the issue, outlined the potential risks and provided some practical measures and advice to reduce these risks,” said the BIS.
The approach suggested by the BIS is similar to that outlined by Ms Graham at the Risk Frontiers event. To deal with cyber risk, DLA Piper has established a governance advisory board that is headed by Ms Graham. It includes marketing, HR, legal, IT, information security and finance representatives, and reports to the executive.
In addition to providing senior executives with a regular and formal report on cyber risks, the governance advisory board also enables Ms Graham to implement an enterprise risk management approach to cyber risk—something which she believes is vital. “Cyber is no different to managing any risk. But many of the risks around technology or information tend to be ring-fenced by the IT department. Enterprise risk is based on looking at all risks together as part of a portfolio approach.”
Such an approach, whereby all the risk management measures are written down and recorded, will also mean companies are less reliant on what is still an immature cyber insurance market and more effective when they do look to transfer risk. “Insurance is almost the place of last resort. You have to go through the whole process of risk management before you buy any insurance. Underwriters will expect this,” said Ms Graham.
“We went through a proper risk assessment to look at our exposures to see what is already covered, what do we have insurance for, what is left and what is worth buying insurance for. It is not an easy process but you have to be able to write this down and show it to underwriters, and IT departments are not always great at writing things down,” she added.