When CIO Means Chief Insight Officer
Cyber risk is top of mind for most CEOs, according to a recent survey by Marsh. Heightened awareness and increased risk have led companies to look for more effective ways of dealing with cyber vulnerability, most notably in the guise of new technology and insurance solutions. As a result, CIOs are front and center in organizations’ risk management efforts. Effective management of cyber risks demands the CIO’s unique insight into the vulnerability of critical organizational assets, as well as active collaboration with the other key risk-management personnel, e.g., the Insurance Manager and the Risk Manager.
Insurance companies have developed sophisticated solutions to help their clients mitigate the impact of cyber risk, including first-party and third-party coverages and enhanced traditional insurance lines with minimum cyber coverages. Meanwhile, technology and security companies continue to develop state-of-the-art vulnerability-management, information-protection, and incident-response tools to analyze, monitor, prevent, and/or manage cyber-attacks and events.
Despite advances on both fronts, organizations remain vulnerable to cyber risk. A recent example of continued vulnerability is the ransomware attack on the Hollywood Presbyterian Medical Center in California. The attack locked up parts of the hospital’s networks and caused the hospital to divert emergency room patients to other centers. The hospital claims patient care was not compromised. To resolve the issue, the hospital ended up paying the hackers the $17,000 ransom in Bitcoin. One reason for this continued vulnerability is that too many organizations treat their insurance and technology solutions as separate, parallel efforts. Organizations must integrate cyber risk into their ERM programs, leverage the combined strengths of insurance and technology solutions, and create a culture of cyber-risk awareness.
The following three steps are key to this effort:
STEP 1: Measurement – Risk Assessment
Identify, assess, and measure cyber risks with the tools your organization is already using for enterprise-wide risk assessment. The cyber risks should then be included in your organization’s risk heat map, risk register, risk tolerance report, and risk appetite statement. This initial step is critical for several reasons. Doing so creates greater visibility and transparency; promotes organizational ownership of and commitment to managing cyber risks; makes management of each risk a shared responsibility; and allows the Board of Directors to take the lead.
A common challenge at this stage is figuring out how to measure the qualitative and quantitative impacts of each cyber risk. While a thorough discussion of how to measure cyber risks’ impact is an issue for another article, there are a number of approaches ERM professionals apply that are highly effective in estimating the operational and financial impact of cyber risks. Any successful approach considers the following: reported losses (including decrease in value) from cyber risks; reported impact on critical operations and assets; frequency or probability of cyber-attacks or events; and expected payouts insured parties would receive from cyber insurance coverages.
The CIO, Risk Manager, and Insurance Manager would work together in this stage as follows: The CIO would convey to the Risk Manager the assets or operations cyber-attacks or events would potentially affect. The Risk Manager (aided by an ERM professional) would estimate the potential losses on assets or operations associated with attacks/events. The CIO’s scenario analysis would be the foundation for accurate estimates of potential losses.
The Risk Manager would benchmark the estimates against the reported cyber risk losses of similar organizations. The resulting amount would serve as the proxy for the organization’s expected cyber risk losses; this amount would then be adjusted based on the expected payout(s) from cyber insurance coverages. Initiating and operating a cyber risk assessment program also helps the Board of Directors fulfill their obligations and reduces their liability. By assessing its cyber risk, an organization can get an idea of where its vulnerabilities are and which protective actions would make economic sense.
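The Step 1 calculation described above, as an added worked model that is not from the article or from Marsh: the CIO’s scenarios carry a frequency and a loss estimate, the probability-weighted total is benchmarked against constructed peer losses using an assumed blending rule (the article does not prescribe one), and the benchmarked proxy is split into the retained portion and the expected insurance payout under an assumed deductible and limit. All dollar figures and probabilities are constructed.

```python
"""Constructed Step 1 model: CIO scenarios -> loss estimate -> benchmark -> insurance adjustment."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Scenario:
    asset: str                 # asset or operation the CIO flags as exposed
    annual_probability: float  # frequency estimate for the attack or event
    loss_if_occurs: float      # Risk Manager's loss estimate in dollars


@dataclass(frozen=True)
class CyberCoverage:
    deductible: float  # assumed policy terms, not from the article
    limit: float


def gross_expected_loss(scenarios):
    """Probability-weighted annual loss before benchmarking or insurance."""
    return sum(s.annual_probability * s.loss_if_occurs for s in scenarios)


def benchmark(internal_estimate, peer_annual_losses, weight=0.5):
    """Assumed benchmarking rule: blend the internal estimate with the
    median of peers' reported annual losses. Falls back to the internal
    estimate when no peer data is available."""
    if not peer_annual_losses:
        return internal_estimate
    return weight * internal_estimate + (1 - weight) * median(peer_annual_losses)


def insured_payout(loss, cov):
    """Payout on one event: the loss above the deductible, capped at the limit."""
    return min(max(loss - cov.deductible, 0.0), cov.limit)


def net_expected_loss(scenarios, peer_annual_losses, cov):
    """Return (expected retained loss, expected insurance payout) per year,
    after scaling each scenario to the benchmarked proxy amount."""
    gross = gross_expected_loss(scenarios)
    factor = benchmark(gross, peer_annual_losses) / gross
    retained = payout = 0.0
    for s in scenarios:
        loss = s.loss_if_occurs * factor           # scale to benchmarked proxy
        paid = insured_payout(loss, cov)           # deductible and limit apply per event
        payout += s.annual_probability * paid
        retained += s.annual_probability * (loss - paid)
    return retained, payout


# Constructed inputs: CIO scenario list, peer-reported annual losses, policy terms.
SCENARIOS = [
    Scenario("clinical systems (ransomware)", 0.10, 500_000),
    Scenario("patient records (data breach)", 0.05, 2_000_000),
    Scenario("patient portal (denial of service)", 0.10, 100_000),
]
PEER_LOSSES = [130_000, 160_000, 200_000, 250_000]
COVERAGE = CyberCoverage(deductible=50_000, limit=1_000_000)
```

With these inputs the gross estimate is $160,000, the benchmarked proxy is $170,000, and the split is $66,250 retained versus $103,750 expected from the policy; the retained figure is what belongs on the heat map and in the risk tolerance report.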
STEP 2: Documentation – Risk Register
The second step for integrating cyber risks into an ERM program is to document key aspects of each cyber risk in the risk register (as illustrated below).
As the in-house technology expert, the CIO must work closely with the Risk Manager to accurately characterize and describe each risk as outlined above. When done properly and with sufficient level of detail, this documentation will provide important insights into your company’s cyber vulnerability and its readiness to deal with potential threats. The CIO is uniquely qualified to take the lead on this step because the CIO understands the organization’s IT infrastructure and architecture. In addition, he or she is in the best position to evaluate the efficacy of the entire IT operation.
Once the risk register is populated, the Risk Manager must ensure it is continuously updated and used by the Board and/or ERM committee. The dynamic nature of the risk register means that the CIO should be available to both the Board and the ERM committee as needed.
STEP 3: Culture of Cyber Security
The final step involves fostering a culture of cyber-security awareness. This includes educating the entire organization and relevant third parties (such as contractors and consultants) about the company’s cyber risk profile and incentivizing all stakeholders to play a part in preventing, managing, and mitigating cyber risk. One successful approach is to conduct quarterly cyber risk webinars to educate business leaders; another is to run cyber risk drills to reinforce the behaviors expected of employees and third parties in the event of an attack. Education is critical not only for developing appropriate solutions but also for helping all employees and third parties (such as contractors) understand the role they play in keeping the company cyber-secure.
The organization should also formulate a cyber security response plan. Having a written cyber security response plan, and documenting the organization’s cyber security program and policies generally, is a great way to formalize its culture of cyber security so everyone is on the same page. Finally, as part of the culture of cyber security, the CIO should work with the Risk Manager and HR to establish incentive programs to reward appropriate behaviors.
The importance of the CIO’s role in an integrated, comprehensive program around cyber risk cannot be over-emphasized. The CIO in effect is also Chief Integration Officer and Chief Insight Officer, providing frontline information on cyber risk and determining best practices for cyber security. The ultimate success of such a program hinges on the quality of insights and level of detail the CIO can provide to his or her risk and insurance colleagues. The complexity of an organization’s technology infrastructure and architecture is directly proportional to the potential impact of cyber risk. The CIO can and should play a disproportionately large role in combating such risk.