Making digital risk a board-level concern

Lloyd’s latest 360 Risk Insight report on digital risks suggests businesses are more vulnerable than ever to attack.

A key part of the UK Government’s National Security Strategy for 2010 focuses on the increasing risks of cyber attack. “The revolution in global communications and increased movement of people, goods and ideas has also enabled the use of cyberspace as a means of espionage,” it points out.

If politicians are making cyber risk a priority, then so too should businesses. This is the compelling case put forward by a new digital risk report produced by Lloyd’s in co-operation with HP Labs.

With businesses increasingly reliant on technology, attacks becoming more sophisticated and more widely targeted, and regulators threatening to levy fines for data breaches, companies have a multitude of reasons for pushing digital risk up the boardroom agenda.

Growing exposures

The rich and evolving threat environment is making it increasingly difficult for the business world to keep on top of digital risk, with organised cyber-criminals behind a growing number of attacks. At the same time, the way companies use technology is also changing rapidly. 

Phishing, viruses, malware, worms and hacking may sound like the stuff of Hollywood movies, but they are a very real threat to individuals, businesses and governments. The report details numerous real-life examples of victims of cyber attacks – ranging from supermarkets and banks to nuclear facilities. 

“Risk managers need to pay attention to both future threats and future uses of technology, moving beyond today’s largely reactive approaches,” the report advises.

Companies face numerous exposures as a result of digital risk and are “increasingly vulnerable to system failures, data losses and cyber attacks”. This includes operational, financial, intellectual property, legal, regulatory and reputational risks.

Recommendations for Risk Managers:

  • Set up a working group to monitor and review the exposure of the business to digital threats and keep their boards regularly informed. The working group should be made up of technology experts and key stakeholders across the business and should review the appropriateness of current risk management strategies.
  • Become more involved in IT governance and strategy, and major technology transformations. Most digital risk mitigation is managed through IT governance and many significant changes in business technology are driven by the IT department. This means risk managers should work closely with IT stakeholders and decision makers within the company and get more involved in helping shape IT governance and strategy.
  • Ensure best practice and applicable standards and frameworks are used to help manage digital risks. There are many standard and best practice approaches to assessing digital risks and risk managers should ensure business and IT stakeholders are aware of and using these approaches when digital risk decisions are taken. They should look for any new best practice guidance for more unusual problems.
  • Consider risk transfer solutions as part of their overall digital risk management strategy. Risk managers should be aware that most traditional insurance policies will not cover digital risks. However, there are a growing number of cyber risk insurance products becoming available for risk managers to consider.
  • Play a role in shaping research around digital risks, helping researchers to understand the challenges in making effective and practical decisions around cyber risk. As business technology becomes more complex it will be harder to make good digital risk decisions. Researchers are developing better techniques but they will need expert input and encouragement from risk managers.

“It’s not only financial information people are looking for,” says Iain Ainslie, technology and cyber liability underwriter at Ace European Group. “It could be critical business information such as plans, new product information – so anyone in the design and manufacturing arena is potentially a target.”

“In the US market there’s a big growth in trying to steal people’s medical information – so personal information is a massive growth area for hackers.”

While people may think an obvious target for digital attacks is online retail, this industry sector (along with financial services) is generally well-versed in the digital risks it faces and has implemented the necessary control systems. It is the traditional “bricks and mortar” businesses which have moved into the online space that may be more vulnerable, thinks Ainslie.

It is not just the risk of data theft that is of concern. System failures caused by cyber attacks can bring down whole supply chains.

“Companies do need to raise the profile of digital risk,” says Ainslie. “It’s becoming unfair for the head of IT to be burdened with the risk of an organisation.”

“The actual decisions made regarding the risk of a whole organisation should be made at a much higher level.”

Risk transfer

With many traditional property and commercial liability insurance policies excluding cover for digital risks, there may also be a gap in cover that companies are not aware of. Traditional business interruption policies focus on damage caused by fire or flood but not on non-physical damage, such as denial of service attacks.

“There are two or three areas starting to converge and perhaps as insurers, it’s easier for us to see those different areas coming together,” Ainslie says.

“This is why we’re trying to get the information out there as part of the learning process but also to raise the profile of the market that we’re able to provide that kind of cover.”

Various types of insurance cover for cyber risk are now available, covering online fraud, data theft and other forms of cyber risk. Some cover the reputational damage caused by an attack.

Risk transfer for digital risk may not be considered by many firms because the motivation of IT managers differs from that of risk managers. It is natural for IT professionals to want to reassure their employers that systems are adequately protected; risk managers are more likely to take a realistic view of the exposure.

“Today most digital risk mitigation happens within the IT department,” the report concludes. “We advise that risk managers are involved, and bring broader business perspectives to decisions.”
