Login Register Subscribe
Current Issue

Cyber exposures top list of emerging risks

Reprints

A former Nuclear Regulatory Commission scientist was sentenced earlier this month to 18 months in prison for trying to plant a virus in a U.S. Energy Department computer network.

While no malicious code was transferred, the federal case against Charles Harvey Eccleston underscores the rising threat of cyber attacks that topped risk management professionals' list of emerging risks in a new survey.

The majority of respondents in the survey by the Risk & Insurance Management Society Inc. and Marsh L.L.C, which was released earlier this month, named cyber attacks as the top emerging risk for their companies. Only 27% of the respondents to the annual “Excellence in Risk Management” survey said identifying emerging risks is a priority, however.

“While everyone has known about cyber for a number of years now, the acceleration or velocity of change in cyber is constantly evolving and increasing,” said Brian Elowe, Boston-based U.S. client executive leader at Marsh. “Every day we're reading about some new application of technology and new use of technology. And every time there's a new use of technology, there are new risks associated with that.”

Mr. Elowe said organizations are looking beyond their own vulnerability to cyber attacks and turning their attention to their supply chains.

“It's not just their own exposure to cyber, but it's what key suppliers and vendors of theirs are exposed as part of their own value chain,” he said. “It's very, very complex and continues to emerge.”

Randy Nornes, Chicago-based executive vice president at Aon Risk Solutions, said “cyber risk is kind of in the eye of the beholder.”

“A lot of people focus on the cyber risk of yesterday,” Mr. Nornes said. “We get pretty good at fixing the problem that's already happened. But I don't think most people or most organizations are really good at focusing on the things that haven't happened yet.”

David Sommer, Charles E. Cheever Chair of Risk Management at St. Mary's University in San Antonio, said cyber attacks will grow more serious for the foreseeable future.

“Aside from the rapid change of pace,” Mr. Sommer said in an email, “another challenge of cyber risk is that it requires such a multifaceted approach to deal with it. Part of it, of course, is highly sophisticated technological re-sponses, but it also involves the human element: educating em-ployees about the risks of keeping sensitive data on laptops or carelessly opening email attachments.”

In addition, he said, “a thoughtful crisis management plan to minimize financial and reputational damage after a cyber event occurs” is essential.

Mr. Nornes stressed the importance of communication, noting that “we had a lot of conversations with risk managers about how they interact with their peers” at RIMS' recent conference in San Diego. “Most of the risk managers had not had any interaction with the chief information security officer,” and most of the security officers “didn't even know they had a risk manager.”

Mr. Elowe said organizations will benefit by increasing the conversation about what kind of new risks they might face.

“Most organizations have risk committees,” he said, “and these risk committees are charged with understanding the most material risks facing them and making sure they have protocols around them. But when we asked, "Does your risk committee include discussion around emerging risks?' almost two-thirds of organizations said they don't have conversations about emerging risks or very rarely have conversations about emerging risks.”

“That's kind of an interesting dichotomy,” Mr. Elowe said. “The C-suite and the boards want to understand what's around the corner, yet their own risk committees aren't having these broad-based conversations. Then that's probably an opportunity to increase discussions about broad-based trends and how they might affect them.”