
Chief risk officers' broad cyber challenges outlined in report

Posted On: Jan. 13, 2015 12:00 AM CST

Companies’ chief risk officers should promote a culture of open communication, increase awareness of cyber risk at senior firm levels, and facilitate discussions and understanding of cyber risk at both the business and board level, says a report on cyber resilience issues.

The report, released Monday, also suggests that companies should avoid an overreliance on cyber insurance, and that governments may need to assume responsibility as the reinsurer of last resort for cyber risks.

“The challenges for (chief risk officers) are to establish a cyber-risk management framework supported by a team with the relevant skills and expertise to engage all business functions to recognize the individual accountability and responsibility of all employees in managing cyber risk,” says the report, “Cyber resilience — the cyber risk challenge and role of insurance,” issued by the CRO Forum, which is chaired by Swiss Re.

The report says chief risk officers also should articulate how cyber risk is integrated within the broad risk management landscape and ensure appropriate ownership of, and responsibility for, cyber risk management, among other suggestions.

Discussing cyber insurance, the report says challenges for the insurance market include insufficient or poor-quality loss information; the uncertain value of loss information; highly interconnected information technology systems; and “continually evolving attack strategies, perpetrators and motives.”

“Whether a cyber attack is covered by an insurance policy may depend on the motive for the attack and its perpetrator … as this will affect whether clauses and exclusions for cyber insurance can be considered,” says the report.

“As the market matures, capital markets may lend a hand in the expansion of capacity for cyber reinsurance as deals become more economically attractive,” the report also says. “However, it should be recognized that there are limits to the role that insurance can play for managing the threat of cyber attacks. Sole reliance on insurance as a solution can create moral hazards by reducing incentives to actively manage the threat of cyber attacks.

“In the case of cyber warfare, cyber terrorism and government sponsored cyber attacks, public solutions may be needed, with governments assuming responsibility as the insurer of last resort.”