Risk managers must be stakeholders in cyber risk management

By Canadian Underwriter | September 17, 2013 | Last updated on October 30, 2024

Cyber risk is high on the list of the most significant risks that organizations face and requires that risk managers be stakeholders in its management, says Julia Graham, a board member of the Federation of European Risk Management Associations (FERMA).

“There is a tendency in my experience for risk managers to step away from this subject, ceding it to the domain of the chief information officer or his or her equivalent,” Graham notes in an article posted Monday on the website for FERMA, which brings together 22 national risk management associations in 20 European countries.

“Yet, this is not only an IT risk. It is an enterprise risk, and risk managers must step up and be stakeholders in its management,” she suggests of cyber risk.

Cyber-security “should be integrated into the enterprise risk management (ERM) system, and boards should play a critical oversight role. They should ask more detailed questions about cyber-security threats and responses than they have in the past,” Graham advises.

“Cyber threats are exceeding the pace of enhancements in information security. The management of cyber risks should be a continuous process and part of the way an organization manages all risks,” she emphasizes.

The scope and limits of cover and entrants to the market for cyber insurance have improved considerably over the past 24 months, Graham comments. She welcomes a trend toward bundling the insurance cover with appropriate value-added solutions, including support for breach detection and response.

That said, Graham argues that before insurance is considered, the risk should be assessed, controls understood and, where appropriate, improved. There should then be a gap analysis against existing insurance programs (some cyber risks will already be covered) and the residual risk evaluated. This will help determine if what risk remains should be insured.