Every business needs leadership, planning and training that extend beyond IT to encompass every stakeholder who owns information assets if they are to manage their cyber risks. This is one of a principal recommendation from a research collaboration between FERMA, Harvard Business Review and Zurich Insurance.
The project involved a survey of FERMA members and an expert panel discussion in which FERMA board member Julia Graham participated. The final report including an outline strategy for managing digital risks will shortly be available on the FERMA website.
The study says that given both the incidence of attacks and the severity of penalties for data breaches, companies need to take an enterprise risk management (ERM) to deal with cyber risks. Implementation should range from incorporating cyber security as part of a board-level corporate strategy to IT-oriented tactics that permeate the organisation. “ERM should involve every department, stakeholder and partner that owns information assets,” the report advises.
These include:
- human resources (employee data, including salary, health and performance)
- finance (accounts)
- marketing (product information and plans)
- legal (contracts)
- compliance and audit teams
- third-party channel partners (trade secrets)
The study found that many companies still do not devote sufficient strategic attention to cyber risks, despite an increase in frequency, and severity of the threats and harsher regulatory penalties for compliance and loss of sensitive data. It concludes: “They must improve their institutional preparedness to combat cyber threats and losses, which are inadequately covered by traditional liability insurance.”
The webinar of the panel discussion is still available here