Other parts of this series:
- P&C insurers will need to overhaul their risk management to seize platform business opportunities
- Clear risk-management guidelines enable P&C insurers to bolster their business resilience and cyber-defenses
- Staff training and skills development are strong defenses that P&C insurers can deploy in the fight against cyber-crime
- New digital technology provides P&C insurers with powerful tools to counter escalating cyber-threats
P&C insurers often lack proper guidelines that identify the roles and responsibilities of employees when responding to a cyber-attack. This can cause confusion and delays that hinder an effective response.
When a cyber-attack strikes your company who takes charge of the response? The chief information officer (CIO)? The chief risk officer (CRO)? The chief data officer (CDO)? Or, perhaps, the chief information security officer (CISO)?
Clearly-defined responsibilities, backed with proper authority, are vital to quickly stem the damage caused by a cyber-security breach. Yet many property and casualty (P&C) insurers don’t have proper guidelines that identify the roles and responsibilities of executives and other employees when responding to a cyber-attack. Often roles are vague and responsibilities ill-defined. This can cause confusion and delays when clarity and speed are essential.
P&C firms, as I mentioned in my previous blog post, should strengthen their defenses and reinforce the resilience of their businesses by aligning their management of cyber-risk and operational risk. Cyber-risk can no longer be the sole preserve of the IT business unit. Instead, it should be integrated within a comprehensive enterprise risk management strategy. A holistic approach to risk management is vital to ensure a rapid, comprehensive and effective response to a breach of an organization’s cyber-defenses.
To successfully consolidate cyber-risk and operational risk several key steps are essential. They include:
Define the problem. Establish a clear definition of cyber-security that fits your organization. Broad descriptions tend to cause confusion and an overlap of responsibilities. Narrow definitions often result in risk-management siloes that can hinder a unified approach to cyber-risk. A good cyber-security definition addresses all the main potential risks but also clearly demarcates responsibilities.
Establish a clear governance framework. Precise lines of responsibility need to be entrenched throughout the organization. All employees, from C-suite executives to entry-level workers, should know what is expected of them when a cyber-security breach occurs. Furthermore, they must also understand their responsibilities for ensuring the on-going protection of the business and its employees as well as its partners and customers. Cyber-security and operational risk responsibilities should be aligned across a three-tier defense strategy as illustrated below. This begins with risk assessment, detection and control; incorporates a comprehensive cyber-security control framework; and is maintained with regular internal and external audits.
Select common taxonomies and methods. A standard vocabulary and approach are essential to bridge the traditional gap between the oversight of cyber-risk and operational risk. Chief information officers and chief risk officers, for example, need to speak the same language when devising, implementing and maintaining a comprehensive enterprise risk management strategy. The International Standards Organization and the U.S. National Institute of Standards and Technology are useful sources of guidelines and definitions.
In my next blog post I’ll discuss a further important step that P&C firms should take to align their management of cyber-risk and operational risk – staff training and skills development. Until then, have a look at these links. I’m sure you’ll find them useful.