Enterprise Risk Management
The forgotten risk
RIMS guide helps organizations contend with cyber risks
By Michael J. Moody, MBA, ARM
Today's risk managers are finding that new risks to their corporations are coming faster than ever. Emerging risks are changing the risk landscape daily, with even greater concerns just around the corner. While many of these emerging risks are industry-specific, some are common to all companies. It's these universal risks that can have a devastating impact on the entire economy. Such is the case with cyber risks. For most corporations, cyber risks by their very nature represent a perfect example of a risk that can be best handled by taking an enterprise risk management approach that provides a holistic view of all related issues and how they impact the various corporate functions.
While some may disagree with classifying cyber risks as an emerging risk, since they have been around for years, the scope of the problem has taken a dramatic step forward. Computer hacking is really nothing new; the problem is really about as old as IT itself. However, 2011 was a watershed year with respect to cybercrimes.
Scope of the problem
One of the most difficult aspects of determining the actual scope of the problem is a lack of credible statistical data. Obviously, this will not surprise anyone. No business wants to be associated with cyber losses because they can affect many areas of its business. Despite this general lack of publicly available information, Deloitte, in a recent report on cyber threats, provides some insight into the size of the problem:
• Fifty businesses participating in a 2011 study on cybercrime experienced an average of more than one successful cyber attack per company per week—a 44% increase over the 2010 rate.
• In November 2011, a leading cyber security company reported detecting four times as many "targeted" cyber attacks as it detected just 11 months earlier, in January 2011.
• One 2011 study reported a median annualized cybercrime-related cost of $5.9 million among participating businesses—a 56% increase over the previous year.
Carnegie Mellon University in conjunction with CyLab has provided some additional insight into the extent of this problem. In their recent Governance of Enterprise Security: CyLab 2012 Report, they note how boards and senior executives are governing the privacy and security of their organization's digital assets (network, system, and data). The report indicates, "Cyber attacks have moved to a new level and, as a result, corporate data is at a higher risk of theft or misuse than ever before." Further, it points out, "The systemic nature of recent attacks have alarmed both industry leaders and government officials around the world."
The above-noted numbers are quite disturbing when taken in totality. However, an even more disconcerting fact, according to Deloitte, is that 86% of the data breaches examined in the last item of the list above "were discovered, not by the victimized organization itself, but by external parties such as law enforcement or third-party fraud detection programs." Is it any wonder that this risk has now managed to start making its way onto the agenda of the boards of directors of some companies?
Help is on the way
In order to assist its member companies, the Risk and Insurance Management Society (RIMS) recently introduced a 29-page "how-to" guide designed to assist corporate risk professionals successfully manage cyber risk through an enterprise risk management approach. The guide, ERM Best Practices in the Cyber World, "explores the best data risk management practices, concepts, and challenges." Carol Fox, director of the Strategic and Enterprise Risk Practices at RIMS, also indicates that the guide provides information regarding the "advantages and potential pitfalls of data assessments, steps to undertake an assessment project, practical solutions for weathering the cyber storm, as well as possible coverage opportunities under existing or newly available insurance policies."
The first part of the guide considers data risk fundamentals and explains why data risk can best be managed via an ERM approach. This section discusses how to incorporate ERM into cyber security, since the entire issue of cyber risk is a perfect example of a risk that involves, in one way or another, most operational areas of a corporation. It also explores data risk management concepts and practices, while describing the various challenges corporations face when integrating a data risk management approach.
Part 2 of the guide provides an excellent presentation of the entire data risk assessment issue. In addition to general reasons for providing the assessment, a multitude of specific data protections and safeguards must be attended to. Included in this group of legal protections are:
• Health information—Health Insurance Portability & Accountability Act (HIPAA)
• Financial information—Gramm-Leach-Bliley (Section 501) and Sarbanes-Oxley Act
• Employment-related information—The Fair & Accurate Credit Transactions Act of 2003
• Consumer information—Identity Theft Rules (Red Flag Rules)
• Contractually restricted information—USA Patriot Act
• Privacy laws—various state data breach notification laws
While a key initial step in this process is to develop a comprehensive risk assessment, concern has been growing regarding the protection of written assessment reports from unwanted discovery during potential litigation. While some states have enacted laws limiting access to these sensitive reports, RIMS suggests that the most appropriate course of action is to utilize an attorney-directed data risk assessment project, thus preserving the attorney-client privilege.
Part 3 moves beyond the theoretical aspect and provides practical solutions for "weathering the cyber storm." In addition to touching on the best practices for dealing with various cyber-related risks topics, this part of the guide offers a comprehensive overview of how organizations can "become more resilient to data risk through people, process and technology solutions." Also addressed in this section of the guide are possible insurance coverage "opportunities under existing or newly available insurance policies."
In addition to the guide, RIMS is offering several specific cyber-related sessions at its annual conference in Philadelphia, Pennsylvania. They are also hosting a workshop, "Cyber Risk: Privacy and Data Security Risk Management," which will be presented at three locations during 2012: San Francisco (June 20-21), Winnipeg (August 13-14) and Washington, D.C. (September 20-21).
Bottom line: things have changed so rapidly in this area that few can keep pace. Despite the fact that this is a rapidly changing environment, corporations are nonetheless responsible. Given the possible catastrophic effects for the organization, it is imperative that the board of directors and senior management closely monitor and oversee this situation. Unfortunately, according to the Carnegie Mellon University study, 70% of top-level executives fail to examine policies and procedures regarding IT security and privacy risks. "They're just not closely involved," the study found. As a result, the study concludes, "Boards and senior managers still are not exercising appropriate governance over the privacy and security of their digital assets."
To further the point, the study notes that recent activity by the U.S. Securities and Exchange Commission (SEC) "supports the view that cyber threat risks merit board-level consideration." An October 2011 SEC public release provides guidance intended to "assist in assessing what disclosures should be provided about cyber security." While this does not constitute an actual reporting requirement, it does give some insight into the scope of the problem, as well as where the SEC believes this is headed. Even at this early stage, "It is clear that the SEC believes that corporate Boards of Directors need to determine, for disclosure purposes, the likelihood, impact and vulnerability surrounding cyber risks."
Agents and brokers need to be keenly aware of this rapidly growing and evolving situation and continually monitor the insurance industry's response. First, this situation represents a potential E&O exposure for agents and brokers as the industry continues to introduce new and improved insurance products to deal with cyber risks. Keeping current clients apprised of innovative insurance products must be the first order of business; however, this same information can also represent a value-added service to promote to prospects.
As 2012 unfolds, cyber-related risks will continue to represent a growing flash point for corporations around the globe. Forward-looking agents and brokers will see the value in maintaining an up-to-the-minute working knowledge of this important area and the value of an ERM approach to dealing with the problem.
Michael J. Moody, MBA, ARM, retired as the managing director of Strategic Risk Financing, Inc. (SuRF), a firm that had been established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.