Stepping Into the Breach: Four Ways Risk Managers Can Engage on Cybersecurity
Five years ago, a cyber-attack on your organization would likely have been a quick one-two punch: get past your firewalls and grab your customers’ personal data. As the risk manager, you would have been informed of the breach by IT staff, determined the severity of the incident, and given an account of it to the company’s compliance staff.
Fast forward to today. An attack takes a subsidiary’s corporate network offline and threatens the entire firm’s email system. Critical product formulas or sales data may have been stolen. You are called on to report the incident not only to the chief information security officer but also to the CFO and CEO. The media and shareholders are clamoring to know how it happened, and the board wants to know how you plan to prevent another one.
Prepared or not, your role has changed as cyber criminals have grown more sophisticated — and more menacing. You can no longer simply react to cyber events. You are a crucial member of cybersecurity task forces and cyber risk strategy teams, and are increasingly relied on by the most senior corporate leadership.
You are probably routinely asked to join the team that develops best practices for assessing, managing, and responding to cyber events, on top of ensuring that effective cyber insurance or other risk-transfer mechanisms are in place. And as regulators, shareholders, customers, and others hold senior corporate leadership accountable for cybersecurity, you have to be diligent in identifying, analyzing, and anticipating all of your organization’s risk exposures.
Four Steps to Proactive Cyber Risk Management
To help meet the increasingly difficult and complex challenge of cyber risk management, start with these four tactics:
- Create an operational risk working group around cyber that includes IT, information security, legal, and others. As a risk manager you’re probably uniquely positioned — for example, through risk committees — to pull together a cross section of key stakeholders around an issue such as cybersecurity.
- Quantify, as far as possible, what a cyber event would cost each business unit, from network downtime to stolen product formulas or sales data. Consider using analysis and assessment tools that quantify impacts by business, sector, and other areas, and revisit the figures as the business changes.
- Communicate the potential impact of risks to various stakeholders inside the organization as well as to third-party vendors.
- Deliver the cyber risk management strategy to the chief information officer and to the C-suite or board in a timely manner — and be accountable for maintaining and amending the plan as required.
Heightened awareness of cyber events has enabled risk executives to play an ever more critical role in their organization’s cybersecurity strategy, but only with the right risk management tools can you truly succeed.