Collaboration between the CFO, IT and risk functions is needed to combat cyber risks, according to an Airmic ERM panel debate

Boards, risk managers and other stakeholders are going to need to do a better job of collaborating to combat cyber risk.

That was the message from a cyber risk panel at Airmic’s Enterprise Risk Management (ERM) Forum 2017, held in London this week.

Too many boards – lacking understanding – shirk their responsibility to provide leadership against cyber risk debate, entitled “Cyber security remains centre stage: a case for integrated risk management and response”.

Peter Cheney, a partner at security advisory Control Risks, described “a divide” between the board, who “shift uncomfortably” at the mention of cyber risks, and are too keen “to leave it to IT”.

For some boards, their lack of enthusiasm to grapple with cyber is a generational problem of failure to engage with technological questions, he suggested.

Chief security officers, while concerned about cyber risk, have a major role to play in communicating the risk to the board – and the need for board involvement in strategy, he suggested.

“Those two entities have got to work together or else they risk becoming unstuck,” said Cheney.

Peter Erceg, a senior vice president of global professional and financial risks at insurance broker Lockton, noted a similar educational problem among the insurance broking community.

“We need to educate brokers about cyber,” he said. “As a consequence of that they will have better conversations with their clients about cyber.”

He added that from an insurance intermediary’s perspective: “Those clients saying they’re 100% secure are the riskiest ones.”

Robin Oldham, the head of defence engineering firm BAE Systems’ security consulting practice, advising on cyber security, emphasised “prepare, protect, monitor and respond” as the cornerstones of cyber defence.

He noted too many boards see ERM and supporting functions as a barrier to achieving greater success, using an analogy of risk management and security as providing reliable brakes on a car.

“We see security as an enabler for what they want to do as a business,” he added.