When it comes to cybersecurity, a CISO and risk manager need to share the common goal of protecting their organization’s interests. They’re more likely to achieve that goal by working together. Tracie Grella, Global Head of Cyber Risk Insurance at AIG, explains why this relationship is so critical to companies—and their boards.
You’ve said that when it comes to cyber security risk management, the relationship between the chief risk officer and the CISO is critical. Why?
The relationship between the CISO and the risk manager is critical to the success of a cyber risk program. Each role brings a different skill set and knowledge base that is vital to the other’s understanding of the threat landscape as well as mitigation and transfer solutions. Establishing a relationship and maintaining open lines of communication are among the most important steps both can take in addressing the cyber challenge.
The risk manager, or the treasurer, general counsel or whoever is responsible for an organization’s risk management, can and should communicate closely with the CISO to better understand where cyber vulnerabilities exist for their organization, what is being done to prevent them and what the likelihood and potential impacts are of a cyber event, should those prevention efforts be circumvented.
Similarly, the CISO can and should communicate closely with the risk manager to better understand how cyber risk transfer can complement the CISO’s efforts to prevent cyber attacks. The CISO should also be aware of additional value in their insurance policies. Insurance companies are offering preventative tools and services, analytics and boardroom reports, and may help with table-top exercises.
Operationally, what needs to happen between these two people?
The CISO and risk manager should have a common understanding of the organization’s specific threat landscape and work together to develop real scenarios of what could happen if their systems were compromised. Some examples of these scenarios include what could happen to their data; what is the most valuable data; what could lead to business downtime; what ransom scenarios could occur; how a third party could access their system; what companies they rely upon most to operate their core businesses; how frequently critical data is backed up and how long it would take to restore it; and how long it would take to get up and running if their systems were down.
They should then measure the scenarios against a gap analysis of their insurance program so the risk manager can close the gaps and construct a cyber insurance program that addresses their needs based on downtime, time to recovery, amount of data collected that can be lost and more.
Table-top exercises are a valuable way to bring all of these decision-makers together to work through potential incidents, answer each other’s questions and explore broader strategic decisions that must be made.
What role should the board be playing in this?
Boards of directors are becoming increasingly responsible for cybersecurity oversight and therefore need to fully understand the complex relationship between risk mitigation and transfer in an ever-changing landscape. A board should be presented with a clear view of the organization’s most significant cyber risks. With this, the CISO and risk manager should detail how the organization is addressing cyber exposures, including remediation actions, risk elimination and determining how much of the remaining risk they are willing to accept. The board can then ensure the organization uses cyber insurance to transfer the remaining risk above the acceptance appetite.
What questions should the board be asking?
From an insurance perspective, the board should be asking questions about how the organization is monitoring the legal and the regulatory landscapes, what is changing across each and how the changes may impact liability and eventually insurance purchases.
The board should ask about how the organization’s entire insurance portfolio, including traditional property and casualty lines, will respond to a cyber incident and be sure that those coverages will work together to address the organization’s cyber risk scenarios. How an existing directors and officers policy could respond in a cyber event should also be discussed.