Risk managers, the insurance industry and IT professionals are failing to communicate effectively about cyber risk, according to a panel of experts debating cyber risk at Airmic's ERM Forum last month.
"As an industry, we're not good at presenting and communicating on this subject," said Peter Erceg, a senior vice president of global professional and financial risks at insurance broker Lockton. "This needs to change. We need to learn how to communicate cyber in business terms and risk managers have a key role to play. A lot of companies still don't think it will happen to them."
The same problem pervades the IT and security sectors, said Robin Oldham, head of the security consulting practice at defence engineering firm BAE Systems, which advises on cyber security. "We've done a terrible job of communicating in this industry. Helping people understand what we do will help them do their job."
A member's experience of managing cyber risk
Theresa Healy, head of insurance and risk at Ladbrokes Coral, shared her experiences of tackling cyber risk with ERM Forum delegates in the cyber breakout workshop. These were her top pieces of advice:
- Understanding your business from an enterprise-wide perspective is key to visualising where a cyber risk may materialise.
- Make sure IT and risk functions are not siloed.
- Putting risk management theory into practice is not easy. The challenge is to encourage IT professionals to live and embed risk management, rather than viewing it as a purely compliance exercise.
- Relationships between internal teams are vital. If you want to know how your internal controls are working, talk to HR, audit, compliance and IT, for example.
- The digitalisation trend is an opportunity for risk managers to talk to senior executives and to demonstrate the broader business value they can bring.
- Insurance is an enabler for dealing with cyber risk, but it is not a panacea. The key is to show the board that the benefits of insurance are not just financial.
Collaboration is key, the panel agreed. "Nerves appear when the word 'cyber' crops up and the temptation is to leave it to the cyber experts," according to Peter Cheney, a partner at security advisory Control Risks. This is the wrong approach, he stated. "You all have to work together."
The panel from left to right: Dr Jamie Saunders, visiting professor, UCL; Ben Russell, head of cyber threat response, National Crime Agency; Robin Oldham, head of cyber security consulting practice, BAE Systems; Peter Cheney, partner, Control Risks; Peter Erceg, senior vice president of global professional and financial risks, Lockton.
The good news is that cyber risk has moved much higher on the corporate agenda in just a decade. "Ten years ago, no one would have even turned up to this panel debate," Dr Jamie Saunders, visiting professor at UCL, observed. "But it's firmly a board subject now."
Despite this, however, organisations are failing to understand the "nuances of cyber risk management", according to Mr Cheney. "For example, there is a tendency for businesses to focus too much on PII and data protection, at the expense of trying to find out what actually happened in any attack," he said.
While many companies have created crisis plans, he added, they are often disjointed and ineffective come the day of need. "I have seen companies who have different crisis plans in place in different parts of the business, and they are not always aware of the differences," he explained.
Risk managers must be absolutely clear on their crisis plans, including who should be doing what, "before a crisis takes place", he added.