WASHINGTON — Senior management and boards of directors must use a team approach to galvanize their companies to address cyber risk, an attorney said during Business Insurance's inaugural Cyber Risk Summit in Washington.
“This is not an IT issue,” Jim Halpert, a partner at law firm DLA Piper in Washington, said during a Thursday session about managing cyber risks using a team approach.
Mr. Halpert said the board should solicit reports from senior management regarding risks, actual cyber attacks and risk management plans. It also needs to evaluate whether the company is properly managing cyber risks, including in its allocation of resources.
The board should document whatever is done as well, he said.
“It's very important to have a strong record in case anyone's going to challenge what's going on,” said Mr. Halpert.
But beyond this basic oversight, the board must focus on addressing cyber risks as an enterprisewide risk, he said.
“It's very important to train employees” on this issue, he said. “There are all sorts of creative things they can do to educate employees,” but it takes innovation, and “a focus in that area can be very important,” Mr. Halpert said.
“Vendor management is critically important” as well, he said.
A chief financial officer “can create major risks” simply by doing a merger and acquisition deal, he said. By integrating another company's computer system, for example, that system's vulnerabilities “are going to become your vulnerabilities,” he said. “You can buy yourself a huge reputational problem.”
Various corporate departments should work together to address this issue, said Mr. Halpert, but a single manager with authority should be designated to head the effort.
Determine risk appetite
The board needs to provide feedback and guidance on how to address cyber risk, and companies need to understand what risks they can avoid if they spend enough money, which ones they can accept, which ones can be mitigated and which ones can be transferred through insurance, said Mr. Halpert.
Tom Kellermann, Irving, Texas-based chief cybersecurity officer at Trend Micro Inc., said business is facing a conundrum set up by the variables of cloud computing; the prevalence of mobile devices; and the activities of hacktivists, nation states and cyber criminals.
Regardless of who initially created the cyber weapon, he said, once it is “released into the wild, you're still dealing with a weapon that can be handed out to others.”
Also speaking at the session was Ethan Harrington, Kansas City, Missouri-based manager of insurance risk management at H&R Block Inc., who discussed considerations that should be taken into account in buying cyber insurance.