Printed from BusinessInsurance.com

Enterprise risk management can be used to address cyber risks: RIMS panel

Posted On: Apr. 17, 2012 12:00 AM CST

The gridiron was the metaphor for managing cyber exposures Tuesday as an expert panel took a four-quarters approach to applying enterprise risk management to cyber risks, complete with a referee.

As Edward G. Hochuli, National Football League referee and partner at the Phoenix-based law firm Jones Skelton & Hochuli P.L.C., stood ready with penalty flag and whistle, panelists discussed the risks of data breaches and how companies can best address them at the annual conference of the Risk & Insurance Management Society Inc. in Philadelphia.

Incorporating enterprise risk management into cyber security was the session’s first quarter. “Organizations typically have the IT department manage the information security risk,” said Carol Fox, RIMS director of strategic and enterprise risk practice. Managing those risks within the information technology silo, however, may have risk implications of its own, she said. On the other hand, managing cyber risks effectively may give an organization a competitive advantage.

“How best to make this work in an organization is really to look at it from an enterprise risk management perspective,” Ms. Fox said.

In the session’s second quarter, the panel examined technical aspects of IT security and forensics. “A written information security program is probably the first step a company wants to take in protecting data,” said David A. Speciale, director of business acquisition at Identity Theft 911 L.L.C. in Providence, R.I.

Such a program doesn’t have to be a long or complicated document, he said, but should address such factors as what sensitive data exists in the business, the form in which the data exists, who provides the sensitive data, where the data is housed and existing data security measures.

In the third quarter, the panel examined issues of privilege, data protection regulation and due diligence. “For every document that is misplaced or allowed to go into the cyber world, it’s a $214 cost,” said John E. Hall Jr., partner at Hall Booth Smith & Slover P.C., and the average cyber loss for an organization carries a $7.2 million cost.

While a handful of states have “self-critical analysis” statutes that protect companies from plaintiffs’ attorneys using their analysis of possible cyber exposures against them in future suits, in most states the surest way to protect such a risk analysis is to involve an outside attorney so that attorney-client privilege applies.

Moving into the session’s fourth quarter with a discussion of performing an attorney-directed risk assessment, Richard P. Magrath, global director, strategic partnerships at USLAW Network Inc. in Atlanta, carried on the football metaphor. “The key is having a quarterback,” he said.

In addition to providing the protection of attorney-client privilege, an outside attorney can serve in that quarterback function, bringing together the necessary players in the cyber risk management team such as the risk manager, general counsel and the chief information officer, Mr. Magrath said.