Global insurer AIG has released a free Cyber Risk Oversight Handbook specifically designed for corporate boards. The handbook, produced in partnership with the non-profit Internet Security Alliance (ISA), aims to help combat what AIG describes as the fastest growing security threat facing companies today.
The Australian Criminal Intelligence Commission says cybercrime costs the Australian economy up to $1 billion annually in direct costs. According to the insurance broking and risk management company Marsh, current cyber insurance policy renewals have seen premium increases of up to 60%.
“Against the backdrop of a changing risk landscape and growing compliance burden, the demand for effective cyber risk management and security will continue to grow, as will the liability for an organisation and its directors,” said Liam Pomfret, AIG’s cyber and professional indemnity lead across APAC.
However, one positive trend, said Pomfret, is the growing recognition that cyber resilience is no longer the sole responsibility of IT departments or information security officers.
“It has become an enterprise-wide imperative with the buck stopping at the very top of the organisation,” he said.
Despite this, said Pomfret, the complexity of today’s cyber threats can leave even the most experienced directors feeling out of their depth.
“With this insight, AIG developed the Cyber Risk Oversight Handbook in partnership with Internet Security Alliance to provide a simple and coherent framework for board members to understand cyber risk.”
The detailed 60-page guide aims to support the development of a solid cyber security program and a cyber-resilient culture for employees. It also includes questions for boards to ask management to verify that their organisation is properly addressing its unique cyber-risk posture.
One issue that organisations need to keep abreast of is new cyber security standards.
“Legislation in this space will continue to evolve both here in Australia and in other jurisdictions around the world and will see organisations being held to higher standards than ever with the potential of fines and penalties for non-compliance,” said Pomfret.
Perhaps the most relevant and recent legislative change is that board members, as directors, are now potentially liable for cyber security events, said Pomfret.
“Whilst it is critical that board members are across existing cyber legislation in order to properly exercise their duty of care, they might not be equipped to effectively direct management in the complex area of cyber risk,” he said.
The guide presents five principles for effective cyber risk oversight together with practical ways to implement these standards.
For example, Principle 2 explains how directors should understand the reputational and legal implications of cyber risks as they relate to their company’s particular circumstances. Principle 4 discusses how boards should ensure that management establish an enterprise-wide cyber-risk management framework which encompasses culture, preventive, detective and response capabilities, monitoring and communication at all levels.
“It highlights the responsibilities of senior directors in how they understand and approach cyber security issues and the importance of implementing the right frameworks to best protect systems and data,” said Pomfret.
AIG’s cyber lead said the handbook would be helpful for many corporate boards.
“The guide would be helpful for first-time directors or boards just starting their cyber resilience journey, with guidance on establishing a framework for cyber security and integrating cyber risk management by driving accountability, culture, awareness and communication,” he said.
The handbook’s emphasis on developing flexible and adaptable enterprise-wide cyber security measures makes it a useful benchmarking tool, he said.
“Cyber security is a continuum, not an end state, therefore the guide would also be useful to boards wanting to benchmark their current strategies and define their risk appetite, including risk mitigation and transfer through insurance,” said Pomfret.
The guide is also useful for brokers. Pomfret said it will help them stay up to date with the changing cyber risk landscape and equip them to recommend the right insurance programme to clients.
“Having the Cyber Risk Oversight Handbook as a resource equips brokers with the latest information and guiding principles on cyber security for directors, meaning they can confidently approach their D&O clients on the topic to ensure their insurance coverage is sound,” he said.
The handbook follows the release in March of ISA’s Principles for Board Governance of Cyber Risk. That report aimed to provide “a cohesive, global, cross-border approach to cyber-risk governance” for corporate boards. The document detailed six principles based on consensus views developed by security and industry leaders.
The new AIG/ISA guide is available free as a downloadable PDF on the AIG Australia website.