Communicate, cooperate on cyber riskReprints
One of the unfortunate side effects of constant reminders that communication is important is that sometimes they merely become part of the background noise. That's too bad, because it remains a critical issue for risk managers, particularly with regard to cyber risks. This was one of the refrains articulated by several speakers during last month's Business Insurance Cyber Risk Summit.
For instance, the cooperative communication between Southwest Airlines Co.'s risk manager, Kristy M. Harris, and the airline's vice president and chief technology officer, Craig Maccubbin, was critical to its success in obtaining cyber coverage.
As broker Lauri L. Floresca discussed during the conference, Mr. Maccubbin's expertise in technology and his ability to “talk the talk” with technically inclined underwriters was crucial.
While more companies are embarking on efforts to break down the isolated silos that exist within company units, the tendency to protect individual turf is only human. The cooperation between risk management and technology at Southwest Airlines should serve as an example, and perhaps a goal, for other companies as well.
Of course, communication should be handled strategically.
As speakers at the conference warned, because chief information officers' goal is to get the information out fast while chief information security officers' concern is that the information be secure, there is an inherent conflict of interest, and the two functions should have different reporting paths.
Communication between companies as well as between companies and law enforcement can be valuable as well.
Clearly, a company's efforts to combat cyber attacks can be enhanced only if companies work together toward the same goal by sharing information rather than having firms struggle separately. We can only hope that Congress will finally approve long-awaited, effective legislation that will encourage this cooperation.
And finally, keep in mind FBI agent M.K. Palmore's advice to Cyber Risk Summit attendees to establish communication with law enforcement before there is a cyber attack.
“You do not want your first interaction with the FBI to be your response to an internal breach,” he said, providing some wise guidance for risk managers to follow.