Printed from BusinessInsurance.com

Cyber security crisis presents risk managers with new opportunities

Posted On: Feb. 22, 2015 12:00 AM CST

The crisis in cyber security gives risk managers a chance to shine.

As many organizations struggle to manage growing cyber risks, risk managers can take larger roles in cyber security issues than they have in the past.

Beyond buying cyber insurance to pay for breach-related costs, risk managers can do several other things to help prevent and respond to data breaches, experts say. These range from partnering with information technology, legal and other departments in their organizations to helping to keep corporate boards informed and taking part in emergency response planning.

“Risk managers and chief risk officers should become highly engaged,” said Grace Crickette, chief risk officer for AAA Northern California, Nevada and Utah in Emeryville, Ca. “There's a huge opportunity for risk managers to participate with IT security teams.”

A decade ago, information technology departments and risk managers often engaged in turf battles over risk assessments and the need for cyber insurance, with information technology specialists often arguing that money devoted to insurance would be better spent on technological defenses.

“Anybody who says that (today) is probably going to get a serious stare-down from the C-suite,” said Richard Betterley, president of Betterley Risk Consultants Inc. in Sterling, Mass.

“That's a trend that's significantly reversed,” agreed Emily Cummins, director of tax and risk management for the National Rifle Association of America in Fairfax, Virginia.

In many companies, there has been “an organizational, cultural shift to a culture of security, where these walls break down,” said John O'Donnell, a senior broker with the FINEX division of Willis North America in New York.

Still, many companies — especially smaller ones — are grappling with the best ways of dealing with cyber threats.

Despite greater concerns about the exposure among board members and top executives, risk management efforts in some ways actually flagged last year, an August 2014 Advisen Ltd. survey of 507 risk managers found.

Only 62% of the respondents were certain their companies had data breach response plans in place, according to New York-based Advisen and Zurich North America, which sponsored the study. The number of companies with multi-department information security risk management teams continued to drop, hitting 52% of respondents last year from 56% in 2013 and 61% in 2012.

And information technology was overwhelmingly reported as the department primarily responsible for cyber security risk management, cited by 69% of respondents, with the risk management department a distant second at 11%.

Still, risk managers can become a key part of their organizations' teams that tackle cyber risk.

The process of buying cyber insurance itself can enhance risk managers' role, for example. Underwriters typically require a range of information from information technology, human resources, legal and other departments, and those departments have to work with risk management to provide it.

“It's going to facilitate internal communication,” Mr. O'Donnell said.

Loss prevention and other services provided by insurers — such as table-top emergency response exercises — also come via the risk manager, added Robert A. Parisi Jr., cyber risk product leader with Marsh USA in New York.

“Cyber hits across everything a company does,” Mr. Parisi said. “We've seen cyber insurance in many cases raise the profile of the risk manager.”

Risk managers should be working with information technology and other departments to develop a company's incident response plan and be part of the team that implements that plan in case of a breach, Ms. Crickette said.

They also should be part of a team that develops the company's security risk management program based on information technology security standards such as those in the International Organization for Standardization's ISO 27000 series, she said. A risk assessment using those standards should cover about a dozen areas of concern, including data access controls, physical security of servers and other hardware, policy and governance and employee training, she said.

Making sure that workers and third-party vendors are trained on data security measures is key, NRA's Ms. Cummins said, since unintentional employee errors are a major cause of data breaches.

“Training individual employees and contractors is the best thing you can do to contain and mitigate your risk,” she said.

To better understand the cyber security landscape, Ms. Crickette also advised joining, or at least engaging with, various organizations that deal with the issues. These could include the Information Systems Audit and Control Association, based in Rolling Meadows, Illinois; the Washington-based National Association of Corporate Directors; and EC-Council USA, based in Albuquerque, New Mexico, which offers professional certification and programs for chief information security officers.

Risk managers also need to make the effort to become advisors to corporate board committees dealing with cyber security, experts say.

Many risk managers already deal directly with boards, helping outline the scope of the risk and explaining what's being done to protect the company, including not just insurance but also risk management processes and breach response plans, Mr. O'Donnell said.

“Risk managers play a key role in dealing with the board and getting the company ready,” Ms. Cummins said.