Risk Insider: Martin Frappolli

Cyber Risk is Not a Technology Problem

By: | May 5, 2015

Martin J. Frappolli, CPCU, FIDM, AIC, is Senior Director of Knowledge Resources at The Institutes, and editor of the organization's new “Managing Cyber Risk” textbook. He can be reached at [email protected].

Cyber Risk: the possibility that computer data will be obtained by unauthorized parties who might use the data in a way that is harmful to the data’s owner.  What does that mean to risk managers, insurers and every organization?

This scary term may make us think that cyber is an IT issue. But we can do much better to see cyber threats within an enterprise risk management (ERM) framework.  Cyber threats — much like fire, flood and theft — are simply risks that we must manage.

Headlines emphasize cyber liability regarding compromised customer data. That is a legitimate risk, but third-party liability cyber losses are less common than those following first-party exposures. Following a breach, an organization faces fines, forensics, notifications and the repair or replacement of damaged data and systems.

The biggest threat may come from lost income due to business interruption.

Organizations can take an ERM approach to measure cyber exposures and find ways to mitigate risk. In that sense, cyber is not a tech issue — we can manage the risk just as we do with the better known traditional risks.

For fire, we build safe buildings, install sprinklers and fire extinguishers, and conduct fire drills. We do so before we transfer the risk by insurance. We should do the same with cyber risk.

Adopt good cyber hygiene to reduce cyber loss frequency and severity. Have a plan and have experts on speed dial. If you are scrambling to address the media in the wake of a cyber breach, it is like buying an extinguisher after the fire has started.

Many cyber incidents occur through employee misbehavior or social engineering.

In one case, criminals entered the premises of a large corporation and left USB memory sticks on restroom counters. The USB sticks were labeled “confidential salary information.”  Naturally, employees inserted the USB drives into their own PCs. That allowed the launch of hidden programs that transmitted sensitive data to the criminal organization.

What is special about ERM? Traditional risk management focuses on managing safety and assuring financial recovery from losses generated by hazard risk.  A hazard is any condition that makes it more likely for a peril — such as fire, lightning, flood — to occur. Fire is a peril; using candles is a hazard that increases the chance of fire. Basic risk management addresses such hazards.

ERM builds on those fundamentals, but also considers loss exposures related to speculative (business) risk.  When you engage in electronic commerce, you encounter cyber risks by network connections. When your records contain sensitive customer data, you have a serious cyber risk to manage.

Organizations that prosper over time have mastered traditional risk management. Top-shelf organizations also practice ERM.

One might argue that cyber risk — with its criminal element — falls under traditional risk management, but either way, organizations cannot afford to ignore this threat. Don’t leave cyber risk to your IT or legal staff; it’s a risk management issue.
