Cybersecurity must be ERM issue for directors, AIG, NACD, ISA guide says

By Erin Ayers on June 12, 2014

American International Group recently collaborated with the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) to produce a handbook for organizations seeking to manage their cyber exposures, emphasizing that cybersecurity needs to be viewed as an enterprise risk management issue, not solely an IT concern.

“Leading companies view cyber risks in the same way they do other critical risk – in terms of a risk-reward trade off,” AIG, NACD and ISA noted in the handbook. “This is especially challenging in the cyber arena for two reasons. First, the complexity of cyber threats has grown dramatically. Corporations now face increasingly sophisticated events that outstrip traditional defenses. As the complexity of these attacks increases, so does the risk they pose to corporations.”

The handbook outlines five principles for proper cyber risk oversight, all of which can be tailored to meet the specific needs of any organization. In addition to incorporating cybersecurity into a firm’s ERM plan, directors of organizations should be aware of cybersecurity and its legal implications, the groups state in their handbook. Ample time should be given to meeting with cybersecurity experts, and budgets should include funding for staffing and risk mitigation, they advise. In addition, businesses should be discussing which risks they will avoid, accept, mitigate or transfer through the purchase of insurance.

“Some estimates predict that between $9 and $21 trillion of global economic value creation could be at risk if companies and governments are unable to successfully combat cyber threats,” the groups warn in the handbook.

The handbook offers advice on striking a balance between profitability for an organization and effectively managing cyber risk, a concern for many businesses.

“It is possible for organizations to defend themselves while staying competitive and maintaining profitability,” noted AIG, NACD and ISA. “Successful cybersecurity methods, however, cannot simply be ‘bolted on’ at the end of business processes. Cybersecurity needs to be woven into corporate processes – and when done successfully, it can help build competitive advantage.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].