
Risk managers are developing strategic role and wider view of risks, survey finds

European risk managers are taking a more strategic role in their companies with increasing access to top management levels and the board. Against this background, they have a wider vision of the risks that could affect the ability of business to achieve its objectives.

These are the key conclusions of the 8th European Risk and Insurance Survey conducted by the Federation of European Risk Management Associations (FERMA) and reported in the FERMA European Risk and Insurance Report. The report was published on 4 October 2016 on the occasion of the FERMA Seminar taking place in Malta.

More than half the 634 respondents to the survey are becoming:

  • involved in implementing risk culture across the organisation (68%),
  • developing risk management as a part of business strategy (62%) and
  • developing business continuity and other crisis response programmes (59%).

Two-thirds report to the board or top management level.

The survey shows rising concern among risk managers about economic conditions and business continuity disruption since the previous FERMA survey in 2014. Together with political and country instability, these are regarded as the three top risks to businesses. Digital risks – cyber-attack/data privacy and IT systems and data centres – also increased in importance in 2016.

The President of FERMA Jo Willaert commented: “From this survey, we see that risk managers are moving into a position where they are helping embed risk management into the business model and culture of their organisations. They are taking an enterprise-wide vision of risks, including the wider business environment, and the majority report to a chief officer or the board.

Respondents also indicated they want additional expertise and techniques, such as scenario analysis and post-event lessons learned, to enhance insight into the nature of the complex risks facing their companies. As a result, they are looking for their advisers, brokers and insurers to go beyond transactions and provide support in such activities. For example, risk control and transfer remain a day-to-day responsibility for the great majority of risk managers (86%), but loss prevention has become the top priority.

Digital and cyber risks are, not surprisingly, a rising concern and risk managers are looking for a greater partnership with insurers on loss prevention and incident management. The purchase of standalone cyber risk coverage has grown since 2014, but two-thirds of companies still do not buy such protection.

There is work to be done here in strengthening our resilience to these constantly evolving risks. FERMA has always emphasised that they are enterprise risks, and the survey shows that we need closer relationships between the risk management and IT functions. We are also looking for a partnership with our advisers, brokers and insurers to strengthen our resilience and management of incidents,” said Jo Willaert.

In terms of risk managers’ European objectives, the survey revealed three clear priorities for FERMA: establish official recognition of the risk manager, advise on data protection regulations and present risk managers’ views on increased corporate reporting and transparency requirements.

Said Jo Willaert: “The findings of this report, combined with FERMA’s mission and strategy adopted at our general meeting in June, will shape our activities over the next two years, including the continuing development of our professional certification programme rimap®.”

The full European Risk and Insurance Report and supporting documents are available on the FERMA website: http://archives.ferma.eu/about/publications/benchmarking-surveys/benchmarking-survey-2016/

4th webinar: EU/US boards’ approach to cyber risk governance: towards a common view?

Time: Friday 14 October 2016 at 15.00 CET, 14.00 GMT



With the exclusive presence of the Honorable John Carlin, US Assistant Attorney General for National Security.

A unique chance to get insights on the way the US federal government is supporting businesses to mitigate cyber risk.

Philippe Cotelle (Head of Insurance and Risk Management of Airbus Defence & Space, member of AMRAE) will complement the discussion with the Risk Manager’s perspective and the necessity to provide organisations with decision-support tools for mitigation and recommendations for risk transfer.

Other speakers include Mark Hughes (CEO BT Security) and Mark Camillo (Head of Professional Indemnity & Cyber, AIG). Roger Barker (IoD/ecoDa) will moderate the debate.

Cyber awareness challenge


How cyber aware are you? Here are some questions that will provide food for thought. The answers are a mixture of fact and judgement.

1. When will the EU Data Protection Regulation start to apply?
A. 25 May 2018
B. 25 March 2017
C. 1 June 2017

2. How quickly do you need to notify a data protection breach to your supervisory authority under the EU Data Protection Regulation?
A. Within 24 hours
B. Within 72 hours
C. It’s voluntary

3. What is the maximum fine a business can face for a breach of the EU Data Protection Regulation?
A. 2% of global turnover
B. 4% of global turnover
C. €20 million
D. €10 million

4. What digital risks are you most concerned about?
A. Theft of personal data
B. Loss of intellectual property
C. Hacks for ransom

5. What is a bitcoin?
A. A euro cent
B. Something left over from your holiday
C. A unit of digital currency

6. How does your organisation cover the cost of cyber risks?
A. Through existing property/casualty policies
B. Stand-alone cyber insurance in addition to existing coverages
C. We don’t think any insurance will make enough difference to a big data breach or hack

7. How satisfied are you with your organisation’s procedures for dealing with data breach and cyber attack?
A. Reasonably satisfied but it needs updating
B. Satisfied, but it can always be improved
C. Something I worry about


  1. A
  2. B.
  3. B: but all are possible, depending on the circumstances;
  4. Data breach is the most likely but all are possible.
  5. C.
  6. All are possible.
  7. B, hopefully.

All the answers correct? Share and consolidate your knowledge by attending the digital risks roundtable and interactive cyber security workshop at the FERMA Seminar on 4 October.

Most of the answers right: The FERMA Seminar on 4 October is a good place to build your knowledge.

Less than half the answers right: You definitely need to come to the FERMA Seminar digital risks roundtable and workshop on cyber risks on 4 October. Bring a colleague.


“Battling a Common Enemy” – conference at the European Parliament on how to tackle cyber threats

The following speech was delivered at a conference on cyber risks at the European Parliament on 23 February 2016.

Jo Willaert, FERMA President

“Honorable Members of the European Parliament, representatives of the European Commission, ladies and gentlemen,

As President of the European Federation of risk management associations, and myself as Risk Manager for Agfa-Gevaert for 15 years, it is my privilege today to be a guest in the European Parliament, the heart of the European Union.

I want to thank Mark Weil, CEO Marsh UK and Ireland, for inviting me to speak at this conference.

Earlier this month, a Los Angeles hospital, the Hollywood Presbyterian Medical Center, was the victim of a cyberattack called ransomware. On 5 February, hackers took over the medical records and shut down the hospital’s computer servers for more than 10 days.

Even patients had to move to other hospitals because key software was locked.

I understood that last Wednesday, the hospital announced they finally paid the hackers to regain control of its computers.

Hospitals and all businesses are going to have to invest in cybersecurity and it’s not cheap.

You might know that the risk manager function in the financial sector is already well defined. In the “real economy”, however, it isn’t the case. Companies are free to decide whether or not they want to hire a risk manager.

Today, I would like to draw your attention to three key elements for FERMA when we speak about cyber security:

  • First, I’ll express our concern regarding the new systemic nature of cyber risks. The possibility that cyber-attacks at a company level could trigger severe instability or collapse an entire industry or economy.
  • Second, I will outline how businesses, governments and insurers should collaborate to protect our critical infrastructures. Increasing the resilience of our industries should be our common objective.
  • Third, I’ll try to convince you that we need a new corporate governance to respond to cyber threats in which the risk manager has a central role.


1. Cyber risk is today a risk that every company is faced with.

Let’s be clear; the inter-connectivity between machines in the supply chain and cloud computing is a source of systemic risk.

This is similar to what we faced in 2008 when the banking sector almost collapsed because of the size of institutions that were “too big to fail”.

The failure (provoked or not) of one major digital provider could today put a stop to thousands of organizations or at least disturb seriously their activities.

For example, the healthcare and the financial sectors deal with very sensitive data. Data of thousands of organisations are more and more stored outside the company in the cloud. They are hosted by a handful of digital providers like Amazon, Microsoft, IBM and Google. This is already a reason to worry about a systemic risk.

It’s a challenge for companies to assess these risks because it raises issues of confidentiality and reputation. This is preventing a clear and open analysis of cyber risks.

Disclosing a cyber-attack or admitting a potential vulnerability endangers the reputation of a company towards its stakeholders.

As a response, the EU legislator has taken action with the adoption of the NIS Directive for critical infrastructures and the Data Protection Regulation for personal data.

These laws will require organizations to prepare themselves for the notification of incidents and data breaches to their local supervisors.

FERMA welcomes this legislation. But it must be recognized that the increased use of personal data will generate more claims for the emerging cyber insurance industry.

We can already anticipate that the European laws for cybersecurity will:

  1. increase the demand for cyber security solutions,
  2. obviously become a matter of compliance and a condition for doing business, and
  3. finally have an impact on claims, although it is still unclear, and probably too soon, to see how insurers will price and deal with these threats.

2. Considering what has been said, a major incident that would disrupt European industries would require collaboration between governments, companies and insurers to protect critical infrastructures and increase resilience.

In case of catastrophic cyber losses, it will not be possible for the private sector to indemnify alone the liabilities that could arise from a critical infrastructure.

In our response to the Commission consultation on cyber security, FERMA has listed catastrophic cyber losses as one of the 3 main cyber security challenges by 2020.

FERMA recommends setting up a structured dialogue between the private and public sector.

We need comprehensive solutions inspired by certain types of insurance pools or state guarantees, as is already the case to cover terrorism or nuclear risks.

3. The management of cyber risk is too often seen as being the responsibility of the IT-department only. However, the exposure to cyber threats has a potential business impact on the company as a whole.

Cyber risk is not only an IT risk; it’s an enterprise risk.

In that respect, we advocate a central role for the risk management function as regards cyber security in the company.

The risk manager should be the risk expert to support the board and the CEO. He or she should work hand in hand with the operational units (IT, Legal, Internal audit, others…) without being an IT specialist.

An integrated cyber security and breach response team is crucial to protecting the organization as a whole.

When thinking about cyber protection, management will logically refer to the IT department in the first place, and if the occasion arises, Legal will be involved as well. In this case, it will most of the time lead to reinforcement of back-ups and emergency procedures.

However, in companies where risk management is part of the decision-making process, it will naturally lead to global solutions. Stand-alone insurance coverage for cyber security will be one of them.

This has been illustrated by FERMA’s last European Risk & Insurance Report. It showed that 72% of the risk managers are not sufficiently involved in IT-related issues. As a result, there is no adequate stand-alone cyber coverage for their company. Later this year, with the next edition, we will see whether this figure has reduced or not.

It is also important to stress that insurers are, in most cases, not in a position to develop adapted insurance solutions. They are usually only in contact with the risk manager, directly or through the intermediary of the broker. The risk manager does not always have the tools to overview the consequences of cyber risk on the whole company. Mostly, he cannot but rely on specialists separately, e.g. IT and Legal. Suppose that:

The ever-increasing and constantly evolving landscape of breach notification laws leads the chief legal officer of company ABZW to ask his colleague risk manager to seek insurance protection.

The systemic nature of the cyber risks of the company, however, has not been tackled. Possible instability, crisis management, communication, reputation, restoration… these are all cyber issues which need comprehensive solutions.

The trigger for a purchase decision is finally the alignment of views between IT, Legal and the Board about the necessity of a cyber cover.

I’m happy to confirm that a lot of initiatives are coming from the insurance market in order to design products which are an answer to the concerns of the industry.

In my personal opinion, cyber risk protection cannot be put in one of the traditional insurance boxes, such as property, professional liability, crime… but should be a specific, stand-alone product, tailored to the needs of the industry.

As a conclusion today, I would like to remind you of these two things:

  • The cyber threats are now of a systemic nature:
    • We need to collectively develop innovative financial solutions to protect not only critical infrastructure but our economy as a whole from a digital 9/11
  • The cyber security laws and all related initiatives should not forget to include a risk governance part:
    • Cyber threats must be understood from the top to the operational level. Here I will again insist on the necessity to give to the risk manager a central place in this cyber risk governance.

Thank you very much for your attention!”

Cyber security is an enterprise risk, FERMA tells the European Commission

Cyber security requires an enterprise-wide approach, and the risk manager’s role is to help the company achieve effective, data-based enterprise risk management, the Federation of European Risk Management Associations (FERMA) has told the European Commission.

In its response to the Commission’s consultation on public-private partnerships in cyber security concluded last week, FERMA stated: “Businesses have difficulties with reaching a basic level of protection often due to a lack of risk insights and data driven risk mitigation.”

FERMA President Jo Willaert commented: “The boards of organisations need to understand that cyber risk is not only an IT risk; it is an enterprise risk. In that respect, we advocate a central role for the risk management function. Without being an IT specialist, the risk manager provides expert advice to support the board and the CEO. He or she is working hand in hand with the operational units such as IT, legal and internal audit.”

FERMA stressed that this overview of cyber risks across an organisation, including into the supply chain, is critical, especially with the development of the Internet of Things. Using scenario-based analysis, the risk manager can quantify the overall cyber risk exposure and validate mitigation strategies on an enterprise basis.

FERMA also argues that public intervention is necessary in order to help organisations cope with the challenge of cyber risks. It urges the development of:

  • A framework for the clarification of cross-border liabilities in cyber incidents;
  • A global set of rules for cyber risk assessment that would safeguard confidentiality in incident disclosure and insurance claims;
  • The incorporation of cyber risk governance in legislation and guidance to create an integrated approach to the threats from top to bottom of the organisation.

Jo Willaert said: “Cyber threats are now of a systemic nature. Businesses, governments and insurers, therefore, need to collaborate. We must act now.”

Ms Typhaine Beaupérin, FERMA CEO: typhaine.beauperin@ferma.eu, tel: +32 (2) 761 94 31
Lee Coppack, press contact: lee@coppack.co.uk, tel: +44 208 318 0330/ +44 7843 089904

Risk Conversation at Board level: 3rd webinar with ecoDa and AIG

3rd joint webinar with ecoDa/AIG and FERMA dedicated to cybersecurity in our series “Risk Conversation at Board level”

PART II – Cyber Security: the mitigation strategies – how to identify, assess and mitigate cyber risks.

24 March 2016 from 10:30 – 12:00

What level of awareness should Boards have? How much time should Boards spend on cyber/risk management issues?

The Risk Manager must be responsible, as for other risks, for the quantification aspect of cyber security. It is a necessary step towards understanding and managing the exposure of the company. He/she should act as a facilitator between the Board and the operational departments (IT, Finance, Legal and other functions).

  • How can Risk Managers bring unique added value in identifying and quantifying risk exposure?
  • When an interrelationship exists between the Risk Manager and the CIO (Chief Information Officer) or their equivalent, is it complementary and symbiotic?
  • To whom should the Risk Managers report the exposures, the liabilities, and the potential correlations or interconnections with other risks?
  • How would they propose relevant mitigation strategies to be endorsed by the operational departments and the Board?

In case of a claim, how should the confidentiality of critical information be managed when it is provided to multiple stakeholders (insurers, brokers, loss adjusters, public authorities)? Are the companies ready to grant access to their confidential systems and processes to those third parties?

This is a key subject to unlock the cyber insurance development and to support the economic growth the Digital world is bringing to Europe.