How many CIOs are in the audience, and how many board members have they brought with them?
That was the thought going through my mind as I sat listening to presentations at the Cyber Liability Risk Spring Event presented by the NAIC’s Center for Insurance Policy and Research (CIPR) in Orlando days after news of the Heartbleed virus broke.
We have seen major changes in corporate governance in the recent past. The role of the chief financial officer (CFO) has changed from one primarily concerned with reporting results to that of a forward-looking adviser intimately involved in and partnered with every aspect of the business. The role of the chief risk officer has similarly enlarged as enterprise risk management has become recognized as a key to success in business.
Now it is time for CIOs to make sure their role expands, and take with them their board members — many of whom may be as complacent about cyber risk as I once was. Board members need to know what CIOs already do: the finest technical capabilities in the world — the best programmers, the most effective cyber defenses, the most detailed risk management — is not enough to protect against cyber risk. We need to find new tools.
Insurance company CIOs are wonderfully positioned to lead this transition. Not only are insurers on the front lines in the cyber risk fight themselves, they can also help clients discover and leverage best practices across industries.
Doing this is just good business, because otherwise, insurers are going to be the ones paying out as courts evolve to recognize data, privacy and other damages — as well as already recognized concerns like supply chain damage — that often evolve from cyber-attacks.
There is no completely safe cyber interaction. If your company has cyber relations with another — and who doesn’t these days — it is also having cyber relations with everyone that company has had cyber relations with. And so on, and so forth and no barrier can keep you completely safe.
Also see: 10 Cybersecurity Tips from the FCC
The scary part is this is just with the connections we have today. What happens as the Internet of Things develops? We’ve seen with mobile devices that consumers don’t want walls. What happens when a customer’s refrigerator becomes the way into your network?
Professor Lance Hoffman of George Washington University shared one possible answer at the event. He suggested a consortium of stakeholders — including the insurance industry, government and academia — would be one way to figure out the best approach to security in the future.
As the Internet of Things expands, such a consortium could begin to set standards instead of having unreasonable or unworkable standards built in. In the absence of insurance industry leadership or involvement, tech firms could build their own devices with little or no privacy, security or audit logging built in.
As an alternative to that anarchy, a consortium could move toward the establishment of a research agenda that would examine policy management and technology questions, including the potential of a global cyber loss database with proper privacy controls in a business model that would make such a database viable and sustainable.
Perhaps this is not the only alternative, but it is one route to consider. It seems obvious to me that we need to start considering something. That means that CIOs must take the lead, even if it means having to give a wake-up call to board members who, like me, may feel pretty good about all we have already done to keep our systems secure.
This blog was exclusively written for Insurance Networking News. Published with permission.