The risk manager’s guide to educating stakeholders and collaborating with the CISO
Tackling cyber risk has often been left to an organization’s chief information security officer (CISO) and IT leadership. As cyber risks continue to grow in severity and frequency, risk managers should also enter the conversation, creating a partnership that supports a holistic approach to mitigating a business’s cyber exposures.
That’s because many companies are realizing that cyber security is no longer just a technology concern confined to IT professionals; cyber risk is enterprise risk that can impact every corner of the organization—and its bottom line. A cyber attack can threaten intellectual property, mergers and acquisitions, retirement plans, executives and more,1 and has serious implications for business continuity, brand and reputation.
Increasing cyber losses, especially growing ransomware losses, have led to record insurer loss ratios and a hardening insurance market, with rising rates and tighter terms and conditions.2 With the risks growing and evolving rapidly, many organizations still have work to do to pass the scrutiny of insurers in an increasingly challenging risk environment. Often, as soon as an organization has shored up one part of its cyber strategy, another challenge emerges.
It’s important for risk managers to remember cyber insurance is just one element of a multi-faceted cyber resilience strategy, which also includes cyber risk assessment, cyber awareness, quantification and incident response readiness3 – and that the plan must be practiced and updated to be effective. Further, successful cyber risk management needs to cascade down from the top. That means risk managers must understand their evolving cyber and technology risk exposures and communicate the importance of cyber resiliency to leadership, in tandem with the CISO.
Use these tips to help lead an effective and collaborative cyber conversation and proactively take control of your company’s cyber risks:
In many organizations, the primary stakeholder for cyber security is still in IT. Risk managers, as insurance professionals, manage risk and its impact on the balance sheet, while IT professionals are tasked with protecting the organization by mitigating security vulnerabilities in its network. A fruitful cyber risk conversation can bridge the gap; it brings the risk manager and CISO together to best protect the company, working together to communicate to a C-suite and board of directors that may not be cyber savvy.
The companies with best-in-class cyber resiliency foster collaboration between IT and risk. No single function can protect the company on its own, especially against a risk as pervasive as cyber. As a risk manager, you also have to sell the idea of cyber insurance, and its high cost, to leadership and the board, so you need a good grasp of the company’s cyber position and what could go wrong. The CISO is best positioned to provide the necessary detail on the cyber strategy, where the vulnerabilities lie, and what the impact of a breach or other event would be.
Cyber liability and intellectual property risks rank in the top 10 of all business risks facing companies, but awareness of the economic and legal consequences of an international data breach or security exploit is low.4 Getting a handle on the numbers behind your own organization’s exposure is especially important for winning leadership buy-in: start the conversation with data.
To understand your full cyber exposure and the associated metrics, sit down with the CISO and discuss all the scenarios your organization may have to face, including the possibility of the whole network going down. Even in the face of high stakes, approach cyber risk with curiosity, not fear.
A loss quantification study will help you figure out the potential balance sheet impact and what proportion of the risk you may want to transfer using insurance. Because insurance rates have risen, your cyber budget will go further if you spend more on quantifying your risk and training your staff to identify and prevent potential attacks. The data from loss quantification will also help the board understand the need for increased cyber budget, more so than simply benchmarking insurance limits against past years.
Joining the cyber conversation with IT depends on your personal network within the company. Asking what different divisions are doing to protect themselves from cyber risk may be met with defensiveness, so approach the conversation with humility.
Your broker can facilitate a cyber impact analysis, a workshop that brings the various stakeholders into one room to discuss each of their worst-case scenarios in the event of a cyber breach. Different stakeholders come at cyber from different perspectives, so they will likely give different answers. Those insights add up, and the broader view will help you identify the critical assets from a balance sheet standpoint. While it can be a challenge to get time with leaders, invite as many stakeholders as possible, including the CISO, CEO, CFO, Chief Legal Counsel, Chief Communications Officer, Compliance Officer, Chief Privacy Officer, Head of Business Continuity/Disaster Recovery and the board.
Risk managers and the CISO have limited opportunities to get in front of the board—but that’s starting to change as many organizations seek to elevate both roles. The key to ensuring that happens, and board members continue to see the value of that move, is to prepare and keep the conversation focused on their priorities. It’s wise to spend more time preparing than you’ll spend in the meeting. Your broker can also prepare you to overcome the perceived objections from your stakeholders and anticipate questions.
When it comes time to meet with the board to propose cyber insurance and ask for budget, it’s critical for the CISO to be there. For the greatest chance of success, they will need to speak the language of the board, in layman’s terms. This is where you come in as a collaborator: you can speak broadly about the company’s exposure and the strategic element, and the CISO can answer specific technical questions. The same applies to conversations with insurance underwriters.
Be prepared to present the impact of a cyber attack from a financial standpoint and its potential impact to the balance sheet. Data breach calculators won’t give you sophisticated enough metrics for today’s cyber exposures; instead, present the findings from loss quantification studies. Position your organization’s cyber protection as a combination of cyber security technology and cyber insurance. It’s also important to talk about cyber as a potential personal exposure for directors and officers, and how cyber and D&O coverages can mitigate that risk.
One challenge in getting budget for cyber insurance is rising rates. Instead of only talking about what could happen if the company doesn’t have cyber coverage, talk about the benefits to the company if it does. Position coverage less as an expense and more as a value-add: cyber insurance carriers will typically give you access to pre-vetted incident response, legal and forensic vendors, a major benefit in the event of a breach. Make sure the board knows that cyber coverage extensions that may have been available on the organization’s other Property and Casualty policies will likely be removed as carriers seek to exclude cyber risk under non-cyber policies. The landscape is changing, and risk managers are best placed to navigate it.
Boards are also focused on reputations, and a cyber breach or other event has significant reputation implications. And it’s not just risks faced directly by the organization; if an attack hits a vendor or partner in your supply chain, and you get compromised downstream, customers and the public may associate the breach with your brand for years into the future.
And finally, give the holistic view. Frame cyber insurance in the context of the many steps your company is taking to understand and plan for a cyber breach.
Cyber attacks are unfortunately becoming less of an “if” and more of a “when”: 51% of companies had a security exploit or data breach one or more times in the past two years, with an average total financial impact of $4.5 million.5 Given that likelihood, a large, publicly traded organization that goes without cyber insurance could face a claim that its board breached its fiduciary duty.
Insurance can reassure the board because it’s a strong backstop. But the mistake some companies make is to buy cyber insurance and not invest in a cyber strategy beyond that. The most prepared organizations don’t treat cyber insurance as a panacea; they treat it as a safety net on top of ongoing investment in assessment, quantification, training, business continuity management (BCM), incident response and disaster recovery.
Plus, when you go into the insurance market, you want the best possible risk profile. The rates you’re offered will reflect the maturity of your cyber strategy.
If you don’t receive funding from the board for cyber insurance initially, don’t give up. It can take several years of conversations with key stakeholders to help them understand the exposures and gaps the organization faces. Run further risk quantification studies and let the data make the case about the company’s exposure. During that time the market may change, and it often happens that when the board finally chooses to invest, it wishes it had done so sooner at a better price. Whatever happens, be resilient and keep at it, because cyber risks aren’t going away anytime soon.
It’s undeniable that cyber risk is growing. But with a smart strategy, a focus on collaboration, and the right conversations with the right stakeholders, risk managers will be well positioned to manage and insure the risk.
This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.