Cyber Decoder talks to FERMA board member Philippe Cotelle about the growing need for cyber risk governance in the digital economy.
Is cyber risk rising up the agenda of corporates?
It is fair to say that digital technology is becoming strategically important for business, and will increasingly be the way forward to improve results, turnover and growth. But at the same time, cyber events now have a more immediate impact.
How are organisations currently approaching cyber risk management?
Boards generally recognise the need for a framework to manage cyber risk, but there is often a gap between awareness and implementation.
Too often organisations take a technical approach to cyber risk and focus only on the IT security side, which is not sufficient to address the problems they face today. The technical people may be aware of the threats, but the business impact is not well understood.
Is corporate governance keeping pace with the digital world?
That FERMA and the European Confederation of Institutes of Internal Auditing (ECIIA) felt the need to develop proposals on cyber risk governance shows that this is an important and emerging issue. And the feedback we have had on the proposals shows this is a topic that has resonance.
What about regulation?
There are new EU regulations, such as the General Data Protection Regulation (GDPR) and the Network and Information Security Directive, but they do not explicitly address the topic of cyber risk governance. Yet we are seeing the creation of new roles, such as chief data officer and chief information security officer. These are all functions that relate to cyber security, but without a cyber risk framework, there is the potential for confusion over who has responsibility for cyber security.
So what does good cyber risk governance look like?
There is no one-size-fits-all solution. But the recent WannaCry case showed that industries, whether automotive, telecoms or transport, or a public service like the UK’s National Health Service, equally face the same threat.
So while they may react differently to reflect their own situation, they all need to prepare and implement a rigorous process to identify their exposure and allocate their resources in the most efficient and optimised way.
What is the role of the risk manager in cyber risk?
Risk managers are well placed to provide the board with an enterprise-wide view of cyber risk and the financial impact. They ensure the board and management have a digital strategy, establishing key scenarios of exposure and the potential business impact. Very few companies have this today, but it is the way forward.
What can organisations do with this information?
It is also the role of the risk manager to propose mitigation solutions: not just security measures, but also a link between an investment in security and its impact on the exposure scenarios. That way, the board can drive the allocation of resources in the most efficient and optimal way.
Where do you see the role of insurance?
Buying cyber insurance can be a ‘tickbox’ exercise for some companies. But once you have identified your exposures and measured the business impact, investment in insurance can be made part of a consistent risk management strategy. It will also be possible to demonstrate the value of cyber insurance.
Philippe Cotelle is Head of Insurance Risk Management, Airbus Defence and Space, France. He is also a board member of the Federation of European Risk Management Associations (FERMA) and was part of the FERMA/ECIIA Joint Expert Group behind the Cyber Risk Governance Report.