Cyber-Risks Require Firm-Wide Defense

International Editor

London

Effective management of cyber-threats requires an enterprise-wide approach using the input of risk managers, information technology experts, security, human resources, the general counsel and line management, according to insurance and risk management officials.

“Too many companies are making a mistake by managing risks in different departments, or what we call silos,” said William Barr, vice president for the Chubb Group of Insurance Companies in Pleasanton, Calif., during an interview at a recent conference here on e-crime.

Mr. Barr urged companies to establish enterprise-wide risk management programs, overseen by either their chief executive officer or a chief risk officer, reporting to the CEO.

Many companies still view their information technology departments as being the primary source of their cyber-risk control, expecting them to manage cyber-threats alone, he emphasized, speaking at the recent Strategic Stakeholders e-Crime Congress in London.

However, he added, IT executives don't have all the expertise needed to manage risk, particularly since cyber-risks can generate non-IT-related exposures involving physical, human and capital resources.

With such a “silo approach,” the effectiveness of cyber-security efforts often depends upon how well the IT director or chief information officer understands the cyber-threat issue, as well as their interest level in the exposure, he continued.

“I've also seen situations where a physical security director who deals with the security of sites and cargo and the like is tapped on the shoulder and told, ‘You're now also the cyber-security director,’” Mr. Barr stressed during an interview at the e-crime meeting.

“You really have to have somebody who is really knowledgeable on both sides of the issue to be able to manage the threat,” he said during an interview. “That person also has to be knowledgeable or enlightened enough to understand that, even if they have that knowledge, they can't manage it themselves.”

Chris Mandel, president of the New York-based Risk and Insurance Management Society, admitted that e-threats may not be a priority for those risk managers who concentrate on property-casualty or hazard exposures, simply because this isn't an area that has touched them much from an insurance standpoint.

“But if you're pursuing a broader approach to risk, as many of us are, you have no choice but to make sure that IT risk is one of the many things [examined in a company's risk profile],” said Mr. Mandel, who is also assistant vice president of enterprise risk management for USAA in San Antonio.

At USAA, Mr. Mandel said three representatives from information technology participate on an enterprise risk management committee, “and we dialogue with them all the time.”

“My first bit of advice–and it's part of my platform for the year that I'm president of RIMS–is that everybody needs to step out and sign up for that broader application of the risk management model for their enterprise,” he said. “You can call it what you want, but in my view, the future for us is getting outside of that hazard-risk realm and getting involved in any and all material risks that could affect the enterprise.”

RIMS, he added, “recognizes the value of putting more attention and resources to the effects of cyber-crime. But when you deal with risks on an enterprise-wide basis, you deal with so many things, it's only going to get so much of our attention going forward. But I think in the future, more of our members will have that as a part of their list of exposures that receive an allocation of their time.”

Mr. Barr expressed concern that e-threats have not been included in the threat assessments of some companies, and have “not wound their way into proactive and reactive programs to minimize threats.”

In the proactive area, he said, some companies have failed to develop “a corporate culture among the employees to make sure that the employees know how to respond to security issues, particularly as they respond to the cyber-threats.”

While the technical firewall–the software–is extremely important and is the first line of defense, he said, if “you don't have a knowledge firewall on the employees' side, then you have significant gaps in your program.”

He further recommended that companies analyze interdependencies, or what would happen if an unprotected supplier, business partner or customer were to experience a business interruption or go out of business due to a cyber-disaster. It's important to determine what measures these firms have taken to protect themselves, he emphasized.

Reactive programs include the development of contingency management and disaster recovery plans that address cyber-crime incidents, as well as other disasters, he noted.

“Most traditional disaster recovery plans have ignored or downplayed cyber-threats,” Mr. Barr said, noting that any proper plan has to address e-threats and has to be constantly reassessed and tested for flaws.

The majority of a corporation's e-threat vulnerabilities are software-related, he said. “The baddies out there are opportunistic in the way they come at you. They count on you not fixing those problems on a timely basis,” he noted.

However, he added, there are also organizational flaws that allow these problems to exist. Mr. Barr cited the example of assigning untrained people to do security, not authorizing any fix at all, or authorizing a short-term fix when a long-term solution is required.

“Of course, then there is the ostrich syndrome–putting your head in the sand and hoping it will go away; hoping if it bites you, it won't bite you too hard,” Mr. Barr contended.

To effectively address the e-risk problem on a macro level, Mr. Barr encouraged corporate insurance buyers to partner with law enforcement officials (who can put cyber-criminals behind bars), government officials (who create the laws and regulations required to arrest them), and other industry peers (to create best practices).

Marylu Korkuch, vice president and federal affairs director for Chubb, said that to combat e-threats, the Warren, N.J.-based insurer is emphasizing the importance of teamwork within a company and across an industry, as well as with government and law enforcement.

“I don't know too many risk managers outside of the high-tech industry who on a regular basis meet with and communicate with their IT counterparts,” she said, noting that it's important to alert companies to the problems this lack of communication can cause. “I also will tell you that not too many people in the IT world will go and seek out their risk managers,” Ms. Korkuch affirmed.

She speculated that not too many IT people talk to the people responsible for a company's physical security, or even know who they are, even though they're the eyes and ears of the company.

Security people are often treated as second-class citizens within their organizations, even though most physical security directors for organizations are former law enforcement officials, she observed. “A lot of people don't give them the credit that they should get for the fact that on their shoulders rests the entire security of a plant, of a campus, of an operation,” she said. “They would be such great allies of the IT people if you could break that barrier down and get them talking to each other.”

In addition, it's not just the security people who are left out of the inner circle of a company–sometimes this is also the case for risk managers, she said.

Sometimes the risk manager reports up the line to human resources or to administration, rather than up to the financial side of the house, she said. When that happens, it's more likely that the chief financial officer or the CEO is not as aware of the fact “that a lack of teamwork can really compromise the integrity of the organization in terms of bottom-line security,” she said.

“Every company is a high-tech company, whether they realize it or not,” she emphasized, because they're all relying on computers to conduct daily transactions.


Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, January 6, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

