The Challenges to Effective Cyber Risk Transfer: Guest Blog from Towne Insurance

Post # 1 C-Suite Engagement

Guest blog by Danny Plante, EVP, Towne Insurance

Hedging cyber risks within the government and commercial sectors has matured significantly in terms of framing how and where they are manifest, what constitutes ordinary diligence for their mitigation, and the options available for financing or transferring them.

What at one time existed as an emergent inconvenience now exists as a conspicuous menace capable of imparting catastrophic loss, and a cascade of consequences: ignorance of the hazard, and deferral of responsibility is a luxury long past its prime.

Private enterprise would do well to consider the best practices and compliance driven frameworks of publicly traded companies and government contractors both of which have needed to impart substantive doses of rigor in their cyber loss control regimen due to the expectations of regulators.

To this end, contractors to the government have more recently needed to comport their electronic infrastructure with the National Institute of Standards and Technology framework, (NIST), and Federal Risk and Authorization Management Program (FedRAMP). Although the details of these protocols are beyond the scope of this post, they are familiar to many, and represent both aspirational and foundational guidelines for certification as an acceptably secure internal network in the former or those reliant on services from the cloud in the latter.

These same security measures adopted by the government, and contractors to it, offer an excellent context from which publicly traded companies can evolve policy toward their Enterprise Risk Frameworks (ERM) on matters related to cyber security. An important part of Sarbanes Oxley legislation, (passed in the wake of a systemic financial crisis with imputed elements of fraud), was to re-establish and secure the public trust through greater rigor and legally enforceable accountability of executive management. The notion of an “enterprise” wide view reinforced expectations that executive management would have greater engagement in all aspects of company operational risk, and as a consequence, a higher degree of expectation for those managing operating units, and that these operating units would not work in a short sighted, potentially detrimental fashion to the company itself (or the public generally). Over the years, and through the cooperative efforts of CPAs, Auditors and Financial Executives such an expansive expectation has been evolved into a well-conceived management sensibility. Understandably, cyber risk management is conspicuous among such operational risks.

What has been gained as a consequence of those working on behalf organizations most accountable to the public trust…those in government and corporate industry…is a minimum standard around which conclusions can be drawn about cyber negligence and reasonable diligence to prevent it…a useful precedent for the rest of us…

Whereas technological stewardship and employee behavior were at one time less related to one another and existed as responsibilities within unrelated operational functions, the notion of company culture and an enterprise wide view of how these distinct exposures conspire with other hazards, is required to understand the extent to which a company is vulnerable to hardware failure, media obsolescence, employee whim/indiscretion/negligence or the malice of third parties. It is within such context that the CIO of today needs to view the responsibilities of the job, and likewise be held to account by other members of the executive team with a shared sense of urgency.

If you would like to get in touch with Towne Insurance, please email cyber@towneinsurance.com.