Cyber Benefits from Shift to Enterprise Risk Management

Flipping through the 150-page 2012 RIMS Benchmark Survey, in preparation for an interview on the study’s findings (see Social Media Risks: Weigh Pros, Cons), I noticed lots of figures on payouts for auto, aviation, fiduciary, marine, malpractice, worker’s compensation policies and so on, but not much on cyber.

In the section about IT industry liability, RIMS reported 32 data breaches with insurance payouts totaling $91 million in 2011. In the telecom sector, the study reported 10 cases of unauthorized data distribution and $170 million in payouts. Otherwise, the survey by the society of risk managers didn’t provide much else on cyber insurance. Why so?


“Cyber exposure is increasingly a part of the concerns of the risk managers, but that is actually a relatively recent development,” says David Bradford, the benchmark survey’s editor. “Until just a few years ago, cyber exposure was conceived pretty much in the domain of the IT department, and risk managers didn’t have a whole lot to do with it. In the past few years that has changed, but only about a third of large companies buy cyber-insurance policies.”

Fifty-six percent of survey respondents said their organizations had not yet purchased cyber insurance, while 38 percent said they had a policy and 6 percent didn’t know.

The survey results are indicative of what’s occurring in the marketplace but don’t purport to show exact amounts being paid out by cyber insurers. But Bradford predicts more organizations will purchase cyber insurance in the years to come – and risk managers will become more involved in buying the policies.

Taking a Broader View of Risk

Organizations have been assessing risks in silos rather than enterprisewide. Risk managers have viewed risk narrowly, for example, by assessing liabilities resulting from fiduciary responsibilities separately from, say, workmen’s compensation. Those risks are, and will continue to be, assessed independently, but over the past decade or so enterprise risk management has been gaining momentum. And because information technology touches nearly every aspect of an organization’s operation, assessing cyber risks fits neatly with the trend toward enterprise risk management.

“As far as data security goes, increasingly companies are looking at it as an enterprisewide problem and not just something that sits on the servers in the IT department,” Bradford says. “And, it’s especially the case now that more and more companies have employees with mobile devices that are connected to the system that could be lost or stolen. More and more companies are creating committees that span the organization to address data security issues, and increasingly that includes the risk management department.”

The movement toward assessing cyber risks as part of enterprise risk management is one more piece of evidence supporting the contention that information security has become too strategic to be ignored by anyone in the organization – including risk managers.