Speech by Mr. Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, at the 2017 Advisen Cyber Risk Insights Conference in London on 7 March:
The digital revolution is underway at all levels of the economy. New opportunities are being developed to support the new strategies of companies and organisations in order to generate growth and progress. However, we identify a lack of focus on risk governance to address the exposure related to those opportunities, to evaluate the impact of risk appetite choices, and to address the compliance risk arising from the changes in regulation that are rapidly taking effect in Europe. It is of utmost importance to develop the right methodologies, allowing the Board and top management to take the right decisions regarding the challenges embedded in digitisation. This is the reason why Ferma (the European federation of risk management, with 22 national member associations representing almost 5,000 risk and insurance managers in Europe) and ECIIA (the European Confederation of Institutes of Internal Auditing) have decided to develop a new initiative by creating a common working group. This group is composed of 10 people (5 risk managers and 5 internal auditors), representative of 8 EU countries and 6 economic sectors considered essential services (energy, transport, healthcare, digital, water supply). We all agree in this room that cyber risk is more than an IT risk and, as a consequence, shall be treated as an enterprise-wide risk with an adapted governance. What does governance mean? It is a framework whose objective is to increase cyber resilience. It is also a clear identification of the most important stakeholders who can influence and affect the decisions on cyber risk (the role of the Board, IT, legal, finance, etc.).
This working group will be producing a report for the EU Commission in June. The key question which will be addressed is whether there are optimal or recommended governance processes that would help organisations manage cyber risk across their operations. The goal is to obtain recognition by the European institutions that the proposed cyber risk governance is a key element in increasing the level of cybersecurity for EU organisations.
The fact that these two highly representative organisations decided to team up and jointly present their conclusions demonstrates the importance of this issue and of this document. It will address the cyber risk management framework, very concretely describe how to insert GDPR and NIS requirements into global ERM, the DPO function and the role of cross-disciplinary teams. This shall support the integration of cyber risk governance within the development of the organisations' objectives.
So as you can see, Sarah, we are pretty active!
2 Insurance Market Offer
I think that it is important to point out, from a buyer's perspective, the current debate and uncertainty about the way the insurance offer is developing. As you know, cyber risk ignores frontiers; nevertheless, there is a clear discontinuity between the continental European and UK markets regarding cyber insurance. On one side, in continental Europe, cyber insurance consists not only of dedicated cyber policies but is also included as part of conventional, traditional insurance coverage. In the UK, the offer is rather to strictly exclude cyber from conventional insurance in order to provide a dedicated cyber policy.
I can understand this latter position, and there are many arguments supporting it. For example, it is probably better to have a clear common agreement on the intention of the insurance coverage instead of relying on an interpretation that, since cyber risk is not explicitly excluded from this traditional coverage, it would therefore be covered with the same limits and conditions. Told or untold, this ambiguous situation may in itself generate conflict and dissatisfaction for both parties. I can also understand that insurance companies, as regulated enterprises, face challenges from their regulators or rating agencies when asked to clarify the extent of their portfolio's exposure to cyber risk. Cyber can be exposed to catastrophic accumulation scenarios, and it is important that the insurance companies are able to identify and quantify their exposure and secure the necessary capital in support of their commitments towards their customers. As such, an approach that consists of creating a specific risk category and excluding cyber risk from all other policies is a robust and rigorous way for insurers to control their exposure and respond to their regulators' questions.
However, I believe that insurers shall also make sure that their proposal fulfils their customers' needs. As I said, the digital revolution is underway in companies. But, surprisingly, we do not have a new business activity called digitisation! In fact, digital is spreading everywhere in the organisation, from process to engineering, marketing and manufacturing. A digital factory is an adaptation of our current factory to the digital technologies embedded in our machines and our sites. As a consequence, our cyber risk is fully embedded within our traditional risk, be it property or casualty. Our exposure to cyber risk is complex (I will probably come back to this point later, if I may), but a catastrophic scenario usually combines cyber risk with other risks in a succession of occurrences. How would we, as risk managers, be able to manage those different policies, which, by the way, could be subscribed with different sets of insurers, and still make sure that our claim is fully covered? I think that the market shall also take into account the insured's reality, and it is a challenge on our side to progress as well in the clarification of our exposure, of our needs and of the value that we attach to the transfer to an insurance solution.
3 Risk Assessment
One of the main drivers for this improved cyber risk governance is to put the Board in a position to take strategic decisions regarding cyber risk. The Board shall be able to answer simple questions such as "Do you know the exposure of your company to cyber? Can you explain the rationale of the decisions you took on cybersecurity to preserve the interests of the company?". To achieve this, a clear risk assessment process is key. It shall be considered in 3 different steps:
First, there is the operational cyber security management, which is mainly technical and under the authority of the IT department. It consists of securing the company against typical attacks, disseminating good practices and developing constant monitoring of the IT network, regularly tested against the latest cyberattacks.
Secondly, there is the compliance risk relating to the new set of regulations which are applicable. It is in this category that legal shall be involved, that new positions shall be created, such as the data risk officer, and that cybersecurity measures shall be taken as a consequence of regulatory obligations.
Thirdly, once those mandatory steps are fulfilled, comes the enterprise cyber risk management. There, the awareness of business stakeholders is necessary because the approach is the opposite. The catastrophic scenarios which would significantly affect the future of the company are elaborated by the business and the management. Cyber expertise is then necessary to articulate, among those scenarios, the ones that are compatible with the mindset and effort needed to develop them through a cyber attack, and then IT is required to analyse the potential weaknesses which would eventually render this attack successful. Such a scenario is then worth quantifying, financially and over time, in terms of the consequences for the business until full recovery.
The probability associated with this catastrophic scenario is complex to measure, first because those events are of course rare, but 3 dimensions shall be considered to support the decision: first, the threat, which is the technical capacity available for an attack; secondly, the exposure, or how this company differs from others so as to be an identified target; and finally the maturity of the company, that is, how well the company would be equipped to respond to a potential threat.
Mitigation measures able to respond to those catastrophic scenarios can be developed by IT cybersecurity. Managers then have the ability to arbitrate and prioritise among the proposals and allocate the right resources.