Risk managers suited to lead cyber defense
Posted On: Apr. 1, 2019 12:00 AM CST
Risk managers are playing a crucial role in marshaling their firms’ personnel and resources to address cyber threats.
Experts say risk managers are in the unique position within their organizations of being able to gather resources throughout the company without being “siloed” into an individual function.
Since the 2014 cyberattack on Sony Pictures Entertainment Inc., “the risk is ramping up and the response has really not kept pace,” said Paul King, Dallas-based senior vice president and national technical director of executive and professional solutions for USI Insurance Services LLC.
Kevin Richards, Chicago-based global head of cyber risk consulting for Marsh Risk Consulting, said the leading risk managers with whom he works are “pushing the business a little bit harder to, first, better understand where those risks actually are,” and “trying to quantify those cyber exposures in terms of local currency … so they can start to put cyber on the same table” with their other coverages and “advise the business in true risk management fashion.”
“The risk manager is focusing on all the different types of risk that are affecting the company, and to that degree, that’s how they can be a quarterback, in a sense, in terms of pulling together all the constituencies to help address cyber risks across the firm,” said Stephanie Snyder, Chicago-based senior vice president and national sales leader for cyber insurance with Aon PLC.
“You pull in the risk manager because they already have a lot of tentacles into the various silos within an organization,” said Ms. Snyder. The risk manager “can help coordinate and have a larger voice in terms of how the organization’s protecting itself” and the balance sheet against cyber risk.
Nahua Maunakea, Denver-based executive director of global risk management for IHS Markit Ltd., an information technology firm, said, “I like the idea of being a facilitator” and “of engaging the various stakeholders, both internal and external, together, getting them around the table and making sure they check their egos at the door,” asking them, “What do we do to address the opportunity that’s being presented to us?”
Jeffrey Schermerhorn, regional leader of FINEX cyber and E&O for Willis Towers Watson PLC in Los Angeles, who works with Mr. Maunakea, said Mr. Maunakea approaches the issue by building a consensus among stakeholders. Risk managers are building alliances, bringing the various sectors of the company “together at one table and assisting in developing a plan to be prepared to respond to a breach,” he said.
Risk managers are “actually acting as a unifying force for the organization,” said Kelly Geary, New York-based managing principal and U.S. cyber practice leader and coverage and claims leader for Integro Insurance Brokers. “An interdisciplinary approach to cyber security is the one that’s most effective” because organizations are traditionally set up in silos, she said.
Shiraz Saeed, Starr Cos.’ New York-based cyber risk national practice leader, said, “Risk managers are in a unique position within the organization to understand cyber risk. The risk manager needs to be the focal point. They’re the ones leading the team in understanding the risk.” The risk manager understands “the sophistication level of their organization,” said Josh Ladeau, Rocky Hill, Connecticut-based global head of tech E&O and cyber for Aspen Specialty Insurance Co.
A less sophisticated organization, for instance, may want to focus on partnering with insurers that have more of a turnkey incident response operation, he said.
But risk managers “must get upper management involved,” said Thomas Douglass, St. Louis-based executive vice president with Arthur J. Gallagher & Co.
They “need their stamp of approval, and it has to come down to this is an organizational need,” not just one for an individual department, he said. The risk will never be totally managed, “but we can put the organization in the best position possible to defend ourselves,” he said.
Emy Donovan, head of cyber and technology professional indemnity for Allianz Global Corporate & Specialty SE in San Francisco, said risk managers advocate for an understanding of cyber risk at the board level. “We’re almost at the point where the majority of companies understand this is something they need to worry about, but there’s still, I think, a lot of pushback,” where the attitude is, “Who would target us?” They can get help in this process, said Tracie Grella, head of cyber risk insurance at American International Group Inc. in New York. “Many insurance companies and insurance brokers are providing modeling information” that “provides some guidance on the quantification of cyber’s risks and mapping out companies’ exposures in a way that can be shared with the business’ leaders,” she said.
Risk managers’ success in coordinating their firms’ cyberattack defense can vary.
Gerry Kane, Schaumburg, Illinois-based head of cyber risk engineering for Zurich North America, said, “I can see from the outside, some are very well respected and they have a terrific relationship with the (chief information officer), who owns technology, and the (chief information security officer), who owns security. And there are other places where you can see that the relationship is not that good.”
Steve Anderson, Dallas-based vice president and product executive with QBE North America, said one organizational change helping risk managers is that the role of chief information security officer is becoming intertwined with the chief technology role.
That change, “from a risk management perspective, is very important” because in the past “they were kind of counterproductive to each other,” Mr. Anderson said.
Putting these roles together makes the position “an enabler rather than a blocker of information,” he said.