Public-private push to improve boards’ cyber readiness

By Erin Ayers on July 29, 2014

CYBER-PicThe U.S. Department of Homeland Security (DHS) joined the American International Group (AIG), the National Association of Corporate Directors (NACD), the Internet Security Alliance (ISA) to announce the availability of a new cybersecurity handbook aimed at helping organizations protect themselves and the nation’s digital economy.

Speakers at an event in Washington, D.C., explained that organizations have become more aware of cyber risk – now they need the guidance to guard against it. The NACD handbook, developed in collaboration with ISA and AIG, uses the cybersecurity framework developed by the National Institute of Standards and Technology (NIST) and is available on the DHS’ US-CERT website. The program is voluntary.

Cyber threats have the power to drive up costs and affect revenue for companies, making them similar to any other financial risk, commented Ken Daly, president and CEO of the NACD during the press conference. What organizations need are practical tools to mitigate the risks.

Larry Clinton, ISA president and CEO, told listeners that the groups had “moved beyond our first goal, which was cyber security awareness. Now we’re on to the harder issues.”

Corporate boards are aware of cyber risk, he explained, but they need to know how to incorporate cybersecurity into their business plans.

“We need to connect the dots between the operational issues and the strategic issues which is what businesses focus on,” said Clinton. Boards need to understand the security industry’s language., he noted, adding, “It’s equally important we begin to understand their language.”

Clinton commented, “This represents a substantial evolution in the conversation about cybersecurity.”

Organizations want to reap the benefits provided by innovations such as bring-your-own-device, the Internet of Things and cloud computing. Those same developments can make a company’s security “substantially weaker.”

Mark Camillo, head of cyber products for the Americas at AIG, said that the insurance industry has been a key innovator in this field and has been talking about cyber exposure for 15 years.

“It consistently ranks as a top concern for boards,” he said. “They’re concerned about the human error and hackers. Those are two of the elements we’re trying to help them get their arms around.”

The handbook allows organizations to bring cyber risk into the overall enterprise risk management.

“They’re recommendations that can be picked up and used almost immediately,” said Camillo.

In the insurance sector, companies have shown significant growth and enhancements on the first-party coverage side. For example, Camillo explained, some policies offer coverage for cloud errors or system failures to protect loss of income. Insurers are also working to help businesses to not only pay for cyber damage, but to prevent them entirely with loss control.

Dr. Andrew Ozment, assistant secretary for the DHS’ Office of Cybersecurity and Communications, asserted, “Major companies are facing unprecedented risks. Make no mistake, most companies are targets for espionage or worse.”

The handbook offers a way for management to incorporate cybersecurity into broader corporate culture.

“The front page of a newspaper is raising awareness about cybersecurity everyday,” he said. “One of our goals is to be there with the tools.”

Ozment added, “Whether or not a company thinks it’s critical infrastructure, companies must act.”'

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].