ERM Forum panel debate challenges members to work more closely with IT
Risk managers, the insurance industry and IT professionals are failing to communicate effectively about cyber risk, according to a panel of experts debating cyber risk at Airmic's ERM Forum last month.
"As an industry, we're not good at presenting and communicating on this subject," said Peter Erceg, a senior vice president of global professional and financial risks at insurance broker Lockton. "This needs to change. We need to learn how to communicate cyber in business terms and risk managers have a key role to play. A lot of companies still don't think it will happen to them."
The same problem pervades the IT and security sectors, said Robin Oldham, the head of defence engineering firm BAE Systems' security consulting practice, advising on cyber security. "We've done a terrible job of communicating in this industry. Helping people understand what we do will help them do their job."
A member's experience of managing cyber risk

Theresa Healy, head of insurance and risk at Ladbrokes Coral, shared her experiences of tackling cyber risk with ERM Forum delegates in the cyber breakout workshop. These were her top pieces of advice:
Collaboration is key, the panel agreed. "Nerves appear when the word 'cyber' crops up and the temptation is to leave it to the cyber experts," according to Peter Cheney, a partner at security advisory Control Risks. This is the wrong approach, he stated. "You all have to work together."
The panel from left to right: Dr Jamie Saunders, visiting professor, UCL; Ben Russell, head of cyber threat response, National Crime Agency; Robin Oldham, head of cyber security consulting practice, BAE Systems; Peter Cheney, partner, Control Risks; Peter Erceg, senior vice president of global professional and financial risks, Lockton.
The good news is that cyber risk has moved much higher on the corporate agenda in just a decade. "Ten years ago, no one would have even turned up to this panel debate," Dr Jamie Saunders, visiting professor at UCL, observed. "But it's firmly a board subject now."
Despite this, however, organisations are failing to understand the "nuances of cyber risk management", according to Mr Cheney. "For example, there is a tendency for businesses to focus too much on PII and data protection, at the expense of trying to find out what actually happened in any attack," he said.
While many companies have created crisis plans, he added, they are often disjointed and ineffective come the day of need. "I have seen companies who have different crisis plans in place in different parts of the business, and they are not always aware of the differences," he explained.
Risk managers must be absolutely clear on their crisis plans, including who should be doing what, "before a crisis takes place", he added.