Canadian Underwriter

Risk managers must address cyber security as an enterprise risk: FERMA


March 15, 2016   by Canadian Underwriter



Businesses have difficulty reaching a basic level of protection around cyber security, often as a result of a lack of risk insights and data-driven risk mitigation, and risk management must play a central role, the Federation of European Risk Management Associations (FERMA) reported Monday.

Cyber security demands an enterprise-wide approach

The risk manager’s role in addressing cyber security – which FERMA recently argued before the European Commission demands an enterprise-wide approach – is to help organizations achieve effective, data-based enterprise risk management, emphasizes FERMA, which brings together 23 national risk management associations in 21 European countries.

“The boards of organizations need to understand that cyber risk is not only an IT risk; it is an enterprise risk,” FERMA president Jo Willaert commented before the commission last week.

“In that respect, we advocate a central role for the risk management function,” Willaert noted, providing advice and support to the board and CEO by working with operational units such as IT, legal and internal audit.

FERMA notes in a statement that the commission’s consultation on public-private partnerships in cyber security concluded last week.

The federation emphasizes that having an overview of cyber risks across an organization – including into the supply chain – is critical, especially with the development of the Internet of Things. “Using scenario-based analysis, the risk manager can quantify the overall cyber risk exposure and validate mitigation strategies on an enterprise basis,” the statement points out.

Arguing that public intervention is necessary to help organizations cope with the challenge of cyber risks, FERMA urges the development of a framework for the clarification of cross-border liabilities in cyber incidents; a global set of rules for cyber risk assessment that would safeguard confidentiality in incident disclosure and insurance claims; and the incorporation of cyber risk governance in legislation and guidance to create an integrated approach to the threats from top to bottom of the organization.

“Cyber threats are now of a systemic nature. Businesses, governments and insurers, therefore, need to collaborate. We must act now,” Willaert emphasizes.

