Philippe Cotelle, the head of insurance and risk management for the defence and space division of Airbus, has said the governance of cyber risk is “not rocket science”.
Speaking on a webcast organised by the Federation of European Risk Management Associations, he acknowledged that there was a technical aspect to cyber exposure, but said that was only “one dimension” of the risk.
“We have seen over the years a certain layer of regulation and compliance,” Cotelle noted.
He said authorities all over the world had put in place new regulations to address some cyber risks. The risk expert pointed to GDPR, the new data rules put in place across Europe, as one example.
But the list does not stop there.
“Even if you have put in place every technical aspect of security, even if you have put in place all compliance to new regulations, there is still a new dimension, which is a strategic dimension,” he explained.
He argued that the technical aspect, regulatory risk and strategic component should all be grouped together and considered as a single area of risk governance.
He said governance of cyber risk was “not rocket science”, adding that it involved gathering the right information to allow management to make the right decisions.
“Through that process we will identify all of the key stakeholders that have an influence on cyber risk.”
“What is specific to cyber risk is that it’s really transverse,” he said. “Therefore, you need to make sure that you gather all of your different stakeholders together in order to have a global view of the exposure.”
He suggested that companies form cross-functional teams headed by their risk manager to identify and mitigate cyber risk. He said those teams should include multiple lines of defence, and should work to determine the exposure in financial terms and design possible mitigation plans.
He argued that it was important to bring in people from across the business who have specific subject and organisational knowledge, enabling them to identify the most harmful cyber risks for the organisation and then list suitable responses.
He said the structure would enable the group to identify the key scenarios that could affect the company and give an estimate of the costs involved. He also noted that putting a working group in place enabled companies to then mitigate those risks and reduce their exposure, benefiting the company.
Further, he said it was important to involve auditors in the process to make sure that the systems that have been put in place are measurable.
Three quarters of people on the webcast responded to a poll saying they believe that firms need to have a specific risk governance protocol for cyber risks.
To access a recording of the webcast, click here: https://bit.ly/2NAYKln