Breaking barriers: risk managers and information technology managers need to work together to protect their companies from cyber-crime. (Cover Story: Risk Management).
The St. Paul Cos. also released an independent study in 2002 about the preparedness of U.S. companies to deal with cyber-risk issues. The survey found a lack of communication and collaboration between the information technology and risk management departments, a big stumbling block to the proper management of cyber-risks.
Although cyber-crime may be the buzzword, businesses don't talk much about how to manage this risk.
View From the Enterprise
To have the most success in managing and containing cyber-risk, companies should employ an enterprisewide approach to risk management.
Many businesses guard against cyber-risk exposures by relying primarily on "black-box" technology tools and solutions. For example, companies might purchase and update firewalls, routers, secure servers and anti-virus software to protect themselves from the risks that technology creates. While these technology tools are critically important, they are only part of a total cyber-risk management program.
A company must shift its thinking from a "black-box" approach to an enterprisewide approach to best address its cyber-risk exposures. There are three key principles to this approach:
* The integration of IT management and traditional risk management with respect to cyber-risks;
* Senior-level management involvement in and commitment to cyber-risk management;
* Advocating employee awareness and employee training programs at all levels of the company.
Companies will probably differ on the implementation of these principles, depending upon their size and their business strategies. Commitment to and implementation of these principles, however, should be ongoing.
Insurance companies also should evaluate and manage their own cyber-risks and consider implementing an enterprisewide approach to risk management. Although this type of risk management approach is gaining popularity among insurers, it is not yet widely used. Many insurers have begun to recognize that their policyholders are not properly managing cyber-risk exposures. One way to combat this problem is to educate policyholders and agents and brokers on the importance of an integrative, enterprisewide risk-management approach.
A United Front
An enterprisewide approach to risk management seeks to break down the traditional barriers that exist between IT management and risk management. In most companies, these two departments operate independently of one another. The IT department focuses on the day-to-day operations to ensure that the company's IT systems function smoothly. Risk managers focus on issues such as worker safety, vehicle safety, product liability and recall matters, insurance programs and employment-practices concerns.
Historically, risk managers tend to view the understanding and management of cyber-risk as the responsibility of the IT department. As a result, risk managers and IT managers miss potential opportunities to work together on the topic of cyber-risk. An enterprisewide approach to risk management calls for committed and regular collaboration between the two areas. This collaboration involves the following:
* Identification of the company's specific cyber-risks;
* Selection of technology-based tools and resources to manage those risks;
* Selection of nontechnology tools and resources to educate all company employees;
* Implementation of the chosen risk-management strategies; and
* Forecasting new risks the company will encounter as business practices and strategies change in the future.
Because IT managers and risk managers have different jobs, training and reporting responsibilities, they must develop a better understanding and appreciation of each other's jobs and pressures. A good relationship involves mutual understanding and appreciation for their primary roles, as well as a commitment to collaborating on common goals.
Twenty-first century business risks do not respect traditional corporate boundaries. Collaborative work to identify and manage ever-changing technology risks is the best way for IT managers and risk managers to get their jobs done. A good relationship between IT managers and risk managers helps ensure that the company's expertise is channeled toward the goal of protecting the enterprise against losses.
Typically, the senior management of most U.S. companies is not involved in their companies' cyber-risk management. But its involvement and commitment are essential to making the process work.
By better identifying and managing risks, businesses can better protect themselves against risks that could have devastating consequences. Few companies buy specific cyber-risk insurance products, and those that haven't might find that a catastrophic cyber-event is uninsured.
Unfortunately, it often takes a well-publicized catastrophe, such as the "I Love You" and "Melissa" viruses, to bring about a change in how business is done. It's been said for years that companies should develop and test disaster-recovery plans. Yet, the events of Sept. 11 revealed that some companies had failed to test their disaster-recovery plans--only to learn at the moment of implementation that problems existed.
Insurers can encourage their policyholders to implement enterprisewide risk-management strategies by increasing public awareness of cyber-risks; educating IT managers and risk managers about cyber-risks and stressing the benefits of integrated approaches; instructing the companies' insurance agents and brokers to focus on the issue; and scrutinizing management practices.
Benefits from these up-front investments will result in a fundamental return--even though quantifying this return is not always easy. The CSI and FBI seek to quantify company losses by conducting annual surveys about computer security breaches. Over the years, the CSI/FBI surveys show that both the number of cyber-risk losses and their financial impact are on the rise. Development of a cyber-risk management strategy can help to minimize potential financial losses.
Employee Training Essential
While it's important that IT managers and risk managers forge a better working relationship and that senior managers commit to implementing an enterprisewide approach to risk management, it's equally important that all employees receive training on understanding and identifying cyber-risk issues.
Employees are a company's frontline defense against cyber-risks. The recent survey conducted by St. Paul Cos. about cyber-risks showed, however, that employees--often those who handle sensitive data or have access to corporate resources and databases--get low marks for understanding Internet risk.
Employees need to be educated about cyber-risk issues. The St. Paul survey found few companies have developed employee awareness and training programs for Internet risk. Now, more than ever, companies should see that all employees are armed with the proper tools to deal with these risks. Training programs should cover areas such as proper Internet and e-mail usage, password use and management and workstation security and access control.
Use an Enterprisewide Approach
So, how should businesses establish an enterprisewide approach to risk management? The following steps are important:
* Senior management needs to take an active and continuing role in directing the identification and management of cyber-risk.
* Senior management should set the expectation that corporate groups will systematically work together to identify and manage cyber-risk by setting up in-house committees to work on these issues.
* Senior management and chief financial officers should consider sharing certain portions of IT, risk management and insurance budgets to create a broader and more effective approach to risk identification, management and transfer.
* Corporate communications or public relations departments should work with IT and risk management departments to understand potential cyber-risks and to develop response plans in the event of a cyber-incident.
Fighting for Future Protection
There's no doubt insurance coverages should and will play a greater role in the management of cyber-risks in the future. The federal government, in its 2002 draft report on the "National Strategy to Secure Cyberspace," calls for the development of a bigger marketplace for insurance products to protect companies from cyber-risks. Insurers support this recommendation. Risk transfer through insurance is not enough, however. Companies need to implement an enterprisewide approach to risk management. By bringing all parties to the table--IT, risk management and senior executives--businesses will have taken an important step toward fighting cyber-crime.
Bill Rohde is president of Global Technology Underwriting for The St. Paul Cos., St. Paul, Minn.
Date: Apr 1, 2003