Enterprise risk management can address cyber risks as they evolve beyond IT
WASHINGTON — Given the wide variety of ways cyber exposures can hit an organization and the complexity of successfully addressing them, an enterprise risk management approach is essential to cyber risk management, according to several experts.
“For many companies, the business case for investing against cyber risk still has not been made,” apparently because cyber risk has not been put into terms corporate leaders can understand, said Tom Finan, senior cyber security strategist and counsel in the U.S. Department of Homeland Security.
“I do think an answer is an (enterprise risk management) process that starts to educate both sides,” said Mr. Finan.
“Boards of directors are treating cyber risk as an IT problem only,” he said. “But if you're going to have an ERM program, which many companies do, it's not an ERM program if you're excluding a major business risk.”
“A company needs to establish leadership from the top” when addressing cyber risks, said Larry Clinton, president and CEO of the Arlington, Virginia-based Internet Security Alliance. “You need to develop an enterprise risk management approach.”
Mr. Clinton noted that with cyber attacks being cheap to execute and defense against them expensive, “the economics of cyber security favor the bad guys.”
Meanwhile, business processes such as lengthy supply chains, bring-your-own-device policies and cloud computing undermine security and increase the risk, he said.
“The Internet of things” also increases the exposure, Mr. Clinton said. “Everything is now connected to the Internet, so everything is vulnerable to cyber attack.”
Mr. Finan, Mr. Clinton and others offered their views last week during the inaugural Business Insurance Cyber Risk Summit in Washington.
Sandor Boyson, co-director of the Supply Chain Management Center and a research professor in the Robert H. Smith School of Business at the University of Maryland, said accelerated globalization increases cyber risk exposures along companies' supply chains. “Cyber supply chain risk management is an emerging discipline” in response to that, he said.
Jim Halpert, a partner at the DLA Piper law firm in Washington, said it's important that boards get involved in companies' cyber risk management efforts, seeking reports from senior management on risks, actual cyber attacks and the companies' risk management plans, as well as whether the company is properly managing cyber exposures.
“This is not an IT issue,” Mr. Halpert said, adding that boards must focus on addressing cyber risks enterprisewide.
And Mr. Halpert stressed the importance of training employees on cyber risks and how to minimize exposures.
Jon Iadonisi, co-founder and CEO of White Canvas Group in Arlington, Virginia, also emphasized the value of training in the cyber risk management effort. “When people learn to drive, you reduce the risks of accidents through training,” he said.
Vendor management is another important element of cyber risk management, said Mr. Halpert.
Tom Kellermann, Irving, Texas-based chief cyber security officer at Trend Micro Inc., noted, for example, that mobile application developers rarely vet their apps for security. “So there is your gaping hole,” he said.
It's important to hire the right people to test the security of those apps, said Mr. Halpert. “You don't want to have the wrong company test your mobile apps,” he said, adding that addressing the cyber issues resulting from poorly tested apps could be far more costly than paying for the right company to test the app to begin with.
Mr. Clinton said that while some worry about the threat of cyber terrorism and there are some “troubling scenarios” of potential cyber-based terrorist attacks, national security analysis suggests those sorts of attacks are unlikely, so concern of a major cyber terrorism event “is a misguided notion.”
“The terrorism model is not the appropriate model for us to analyze cyber security, and the more we use the terrorism model the less effective it's going to be,” he said. “Instead we need to look at the modern cyber threat.”
That threat, Mr. Clinton said, is attacks launched by criminals rather than terrorists. Ninety-five percent of these attacks are financially motivated, he said.
Judy Greenwald contributed to this report.