Time to shift from awareness to action on cyber: Cotelle
We spoke to Philippe Cotelle, head of insurance and risk management at Airbus Defence & Space since 2014 and a recognised expert on cyber risk management. He is working hard at national level with AMRAE and at pan-European level with Ferma to raise awareness of the risk, and of the value that structured risk management can bring.
Mr Cotelle, who trained as an engineer, is well qualified to help lead the cyber effort at pan-European level.
He has led the SPICE (Scenario Planning to Identify Cyber Exposure) project within Airbus, which has developed a new approach to cyber-related business impact analysis.
The AMRAE member coordinates a research programme with the French Institute of Research & Technology on cyber risk management and collaborates with the French administration and Organisation for Economic Co-operation and Development (OECD) on this topic.
Mr Cotelle is also a member of the joint working group brought together by Ferma and the European Confederation of Institutes of Internal Auditors (ECIIA), to develop recommendations for cyber governance.
Adrian Ladbury (AL): Why has cyber risk become so important for French companies?
Philippe Cotelle (PC): I think that this is not a specific case for French companies. This is a general concern for most companies that are facing the challenge of digitalisation to achieve new expansion.
(AL): What is the best way for a company to manage cyber risk? Who should lead the effort and who should be involved to ensure an enterprise-wide response?
(PC): In order to adequately address this risk, an organisation should focus first on the definition of a clear governance structure. This is the purpose of the document produced by Ferma and the ECIIA, which was officially released during our event at the European parliament on 29 June.
The fact that the two functions – risk management and audit – with the widest-ranging role across an organisation have teamed up is a clear response to cyber risk. This document highlights the need for the creation of a cyber risk governance group chaired by the risk manager. It should include security and business, as well as the first and the second line of defence.
(AL): Which cyber risks are insurable and which are not? Is capacity adequate and how should the insurance market improve the cover on offer?
(PC): On this we need to be careful, because cyber risk is not only insured by dedicated cyber coverage. In most cases, cyber risk coverage is also embedded in conventional insurance coverage. It is sometimes explicitly mentioned and sometimes part of what is called the ‘silent covers’.
Most of the coverage currently available is designed to reimburse costs incurred by the insured following a cyber incident, either on a first-party or third-party basis. This latter part is the main focus of the development of the cyber insurance market in the US.
The most sophisticated coverage includes some element of business interruption indemnification. In addition to that coverage, some services are also offered either as security audit or support during the crisis phase, with experts in security and communication.
The capacity provided by the market in France is in theory around €500m, but in practice it is extremely difficult to find more than €150m to €200m capacity on a given insurance placement.
(AL): What are the big cyber risk insurance challenges in your view?
(PC): There are two challenges related to the cyber insurance offering. First, capacity is really not sufficient to address the true exposure of cyber risk.
To be fair, companies also need to perform a true cyber risk quantification assessment in order to gain a better view of the potential impact, and therefore be more aware of the lack of capacity compared to their exposure. It could be that the insurance capacity offered for a cyber attack should match the capacity offered on conventional insurance coverages, because the consequence for first-party and third-party losses could be of the same magnitude.
Second, one can observe a shift in the value of tangible to intangible assets, from machines and buildings to reputation, data and intellectual property. The impact of a cyber attack is significant and can affect a company’s reputation, future market opportunities and its financial value.
The insurance market does not provide a solution that would put the insured back to the situation prior to the loss. The cost of reimbursement for communication experts is very far from the reputational impact. In addition, loss of confidentiality on intellectual property is not insured and loss of market opportunity cannot be covered.
(AL): What are you doing with AMRAE to help improve the way cyber risk is managed in France? Are you working with the government?
(PC): AMRAE has been active in this field for a very long time. The cyber and information system commission has issued a number of documents on this topic. AMRAE is also active on the research side within the frame of IRT System, a French public tech lab. For the second year running we are coordinating a research programme involving risk managers, insurers, reinsurers and public administration. A first report was issued last year and a second will be ready by this year end.
Through those research programmes our collaboration with ANSSI (Agence Nationale de Sécurité des Systèmes d’Information) is very close and active. We have recently organised a very successful session for risk managers to discuss the experience of WannaCry and share lessons learned. We also believe this activity shall be developed at European level with a strong contribution from Ferma, but also at international level in cooperation with the OECD.
(AL): Do you believe that companies should hire a dedicated cyber risk manager to work alongside the existing risk manager and if so, why?
(PC): Ferma and its 22 member associations strongly believe that cyber risk should not be addressed in a new ‘silo’ and companies should not create a new function of cyber risk manager. Cyber risk is an enterprise risk and should be treated like other enterprise risks by the risk manager. The governance that is proposed aims to involve the risk manager in this coordinating role.
The creation of a new function would result in confusion and would not efficiently support top management and the board to provide a clear view on their risk and on how to use available resources in the most efficient way.
I am aware this means that risk managers need to face the challenge of tackling this risk, which was for too long, way too long, just seen as a technical issue. Risk managers need to become a credible partner within their organisation to gain a clear status and become an added value in this field. It is the case that because digitalisation is clearly the development path of most companies, there is no other choice.