FIVE TOP CYBER TIPS FOR RISK MANAGERS

Ryan Clark, financial lines manager, AIG Insurance NZ

Sophisticated risk managers are well aware of the increasing level of risk posed by cyber crime. Add to this a dynamic background of legislation and regulation, privacy protection and consumer skepticism, and even the most forward-thinking of risk managers may need to pause to catch their breath. These exposures are now too extensive and serious for risk managers to tackle on their own; they require full engagement of senior management and, more critically, the board of directors. Brokers can also play a key role in helping their customers manage their cyber risk if they are aware of the areas that need to be addressed.

So where should businesses start mapping and managing cyber exposures? At AIG, we believe that there are some simple steps risk managers should take to manage the exposure and mitigate the potential impact of a cyber-attack.

The first step is to understand the company's exposure. What information does the company hold that is critical to its day-to-day operations? Where is it stored and with what security? If the company uses "cloud" computing, where is the "cloud" physically located? Does the company keep personal information about customers and staff? What about credit card details? Once we know what the exposures are, we need to lessen the risks where information can be compromised.

The second step is to get buy-in from employees. They can be a company's greatest defence or its Achilles heel. Employees are still one of the most common sources of a data breach. Educating employees on the responsible and effective management of data and how to recognise cyber threats will be one of the best investments a company can make.

The third step is to do the basics. Make sure the company is not the "low-hanging fruit" for opportunistic attackers. Anti-virus software should be deployed and firewalls installed and, more importantly, kept up to date. All data, particularly mobile data on laptops and smartphones, must be encrypted. These steps should be as natural as locking the front door when you leave home.

The fourth step is to instigate a business continuity plan. How would the business perform if it could not access its data? What processes would need to occur to get the business back on its feet? Once a business continuity plan is built, it should be tested, then refined based on the results and tested again.

Finally, the fifth step for risk managers is to speak to their insurance broker or adviser. The proliferation of cyber liability policies in the market and the broad covers they provide are an excellent safety net in the management of cyber exposures. They will help ensure that any weaknesses in systems are identified, provide the immediate support needed should an attack occur and help get the business back up and running at full capacity as quickly as possible.

Cyber threats demand vigilance, excellence and imagination from risk managers. In our experience at AIG, the best approach is to go back to one of the fundamental lessons we learnt at school in the classroom and on the playing field. Get the basics right.

Ryan Clark is AIG New Zealand's Financial Lines Manager. For more information on AIG and its products and services, visit www.aig.co.nz.