Cyber risk is a strategic issue in which risk managers should play a leading role, according to a report released at the conference by Airmic, which also encourages organisations to revisit the cyber insurance market in light of significant events and market developments in the past 12 months.
According to the report, cyber risk management remains high on the risk agenda but its implementation is often patchy and lacks an enterprise-wide approach. It notes that fewer than a third of Airmic members are satisfied with their organisation's ability to manage the risk and argues that cyber is not just an IT issue. Businesses need to develop their cyber risk approach beyond technical protection, to include governance, strategic, reputation and brand considerations.
The risk manager, it argues, has a clear role to play in driving this approach. They are uniquely positioned to understand how a cyber event could have an impact across the business, and to establish a collaborative response to cyber threats, which includes the board, IT, legal, finance, HR and communications.
"Recent high-profile attacks have increased boardroom awareness of cyber risk, but despite this, our research indicates that board-level understanding of cyber developments remains limited," Georgina Oakes, Airmic's research and development manager, commented. "Cyber resilience can only be achieved if all business functions work together, and risk managers, with their cross-functional role, can be pivotal in leading this approach."
The report, Cyber risk - Understanding your risk and purchasing insurance, provides practical guidance for risk managers on how to lead the cyber risk conversation and implement effective cyber governance. It includes advice on how to identify key cyber-related assets, the actors that may target these assets and the potential outcomes.
Cyber insurance: growth in relevant cover
The report also encourages risk managers to review the cyber insurance market, arguing that there has been a shift towards more relevant cover in the past year. Currently, approximately half of Airmic members do not buy cyber coverage, with many citing lack of capacity, high cost of cover and coverage uncertainty as the main reasons.
"Cyber insurance is the fastest-growing area of the market, and we are seeing a major increase in the relevance of cyber products, the capacity available, and the number of companies purchasing cover, especially in the last 12 months," Carl Moore, partner at Lockton Companies LLP, which contributed to the report, said.
There is an increase in "add-on" solutions, including support for data breach, legal and media advice, according to the report. "The insurance industry is offering more than just insurance - there are some really valuable risk advisory and services available that will support risk managers taking a cyber-risk leadership role," Julia Graham commented.
The Federation of European Risk Management Associations, FERMA, of which Airmic is a member, will be publishing a report on cyber risk governance on 29 June at an event at the European Parliament.