DLA Piper’s chief risk officer says Prism scandal is another reason to “take cyber risk seriously”

Cyber risk is a growing threat

The Prism scandal is a wake-up call for risk managers and business leaders to focus more seriously on cyber risks, said law firm DLA Piper’s chief risk officer.

Revelations by US National Security Agency (NAS) whistleblower Edward Snowden – that the NAS has been running top secret mass surveillance programmes – serves as a stark warning for businesses of the harsh realities of cyber risk.

But despite that recent revelations have caused concern among risk managers and businesses alike, DLA Piper chief risk officer Julia Graham adds that the risk should always be taken seriously regardless of whether a government is involved in a cyber-related incident.

Speaking to StrategicRISK, Graham says: “The Prism scandal is just another reason why people need to take these issues seriously. I don’t think that it is any different because a government is involved. Companies need to take these issues seriously, full stop.”

Graham, who is also vice president of Ferma, explains that understanding the real face of cyber risk can be difficult with intangible risk like data: “With cyber risk, you don’t always know where or what the risk is. With other risks, you can touch them and feel them but with cyber you don’t. You know what is at risk, but you don’t always know where a threat might come from.”

Risk managers need to make ground level changes

She says that risk managers should make changes at ground level to help them understand what is at stake. “One of the first things that risk managers should do when devising a strategy is to look at what information is at risk, classify their information and prioritise what they need to protect the most. Whether it is a government putting your information at risk or someone else, it doesn’t matter. Treat your data like it could be compromised anywhere, anytime by anyone.”

European leaders have reacted angrily to the findings leaked by Snowden and have called on European government to step in.

In a letter to European Commission Vice President Viviane Reding this month, the Commission’s Data Protection working party which acts independently, said: “The recent Prism controversy and related disclosures on the collection of and access by the American intelligence community to data on non-US persons are of great concern to the international data protection community…

“Especially alarming are the latest revelations with regard to the so-called XKeyscore, which allegedly allows for the collection and analysis of the content of internet communication from around the world. Even though some clarifications have been given by the United States’ authorities, many questions as to the consequences of these intelligence programs remain.”

It also said that the joint EU-US working group has a duty to “assess independently to what extent the protection provided by EU data protection legislation is at risk and possibly breached and what the consequences of Prism and related programs may be for the privacy of our citizens’ personal data.”

A spokesperson for the European Commission said Reding had already proposed new regulations in January 2012 to modernise current directives in relation to cyber risk.

“For businesses, it will make it simpler to operate as there will only be one set of rules across the whole European Union, instead of having to deal with all 28 individual authorities.”