Harry Rosenthal, General Manager, Risk Management Services, Unimutual, on identifying the prominent corporate projects to put risk back in the limelight as a strategic discipline – and how the next opportunity is cybercrime

Risk professionals working in large organisations, such as in government, universities or corporates, can easily disappear against the busy business background. Even though risk management is an important service for the organisation, it can often be perceived as less important when considered against core business operations such as sales, service delivery, strategic planning, and even accounting.

Such a perception is natural since, when things are running well, risk can be almost invisible. Also, risk is seldom taught in business schools, and many stakeholders see risk activities as focused primarily around governance and compliance issues. Certainly risk is much less sexy a topic than corporate technology – and yet, the latter could represent the next great opportunity for risk professionals.

How so? Well, over the past 20 years, many risk professionals learned that the job is more interesting, fun and engaging when working on issues that are prominent within an organisation. That is not to say issues such as safety, property losses, and litigation are not regarded as serious issues – they are – but, over time, such operational aspects of risk management become part of the background “white noise” of an organisation’s operations. In periods of such normalisation of risk issues, risk professionals wishing to better engage senior management should closely examine the environment for developing topics where they can engage the entity at a strategic level. They should seek issues that are popular in the media and in the collective conscience of senior management, which offer the risk professional the opportunity to demonstrate how they can contribute to the big picture.

Identifying opportunity for value-add

A past example of one such issue was Y2K, where risk managers came to play central roles in framing this issue for their organisation, and bring their expertise to bear on strategies to mitigate its anticipated impacts. Whether Y2K was a success for the discipline is subject to debate, but it was a period when risk was truly in senior management’s spotlight, and the role of the risk professional was regarded as relevant to strategic issues as well as operational ones. Other examples from the recent past would include post-9/11 anti-terrorism activities, and the various influenza pandemics and Ebola scares. In such cases, many risk professionals suddenly became part of the team developing policy and procedures to better prepare the organisation for addressing these significant risks. Such events highlight the contributions of the risk professional, and allowed them to operate on higher levels.

In periods of normalisation of risk issues, risk professionals should closely examine the environment for topics where they can engage at a strategic level

Is there a current opportunity for risk professionals to play a strategic role? I would argue that cybercrime is such an opportunity. In risk registers across the globe, cybercrime is regarded as a significant risk issue, with potential impact on operations, revenue, and reputation. So far, it has been regarded as a technical issue – the remit of IT Directors, Information Security experts, firewall manufacturers, and others. But on balance it is clear that cybercrime is not an exclusively technical issue, and shouldn’t be managed by IT professionals alone. In fact, it proffers the next great opportunity for risk professionals to contribute via the mitigation of significant threats to the organisation.

Non-technological risk management of cybercrime

It’s a myth, in need of dispelling, that cybercrime is a purely technological problem. Certainly this type of crime is facilitated by technology, and much of the answering mitigation activities have employed technology. Risk treatments have included such technological defences as:

1. Bunkering down – creating firewalls that are increasingly hard for cyber-criminals to penetrate. This is achieved through electronically hardening the entity’s IT resources and data to create a fortress, discouraging most criminals.
2. Threat detection – investing in systems that can detect a threat, such as a cybercriminal knocking at the door, and alert the system’s operators in time to respond.
3. Distribution of process – assigning application maintenance and data storage to third-party providers, such as cloud services providers, who will be responsible for thwarting future cybercriminals.

In most organisations, such actions are left exclusively to IT technicians, and, superficially, there appears to be little reason for the less-technically-trained risk profession to be involved. In reality however, the use of technology in combating cybercrime has proven itself to be a partial solution – at best. It remains an arms race where each side, the cybercriminal and the CIO, is each busily developing better technology to defeat the other. Rather than an exclusively technological battle, cybercrime is in fact equally a social, human problem. It is in addressing the latter side of the risk equation that risk professionals can excel.

An understanding of why people take risks is the bread and butter of our profession: we should be active in that space

For example, many cybercriminals are using low-tech, social engineering methods to penetrate technologically-fortified organisations. They use deception to manipulate individuals into divulging confidential or personal information that can be used for criminal purposes. One of the most successful forms of cyber-attack, accounting for 20% of cybercrime across the globe, is non-technical: namely phishing, sending fraudulent emails to trick users in divulging personal information, passwords and log-in details.

An understanding of why people take risks, how they perceive them, and how to best educate them to reduce risks, is the bread and butter of our profession. We should be active in that space, even if we don’t know the difference between a firewall and a garden wall. So where should we should get involved first, to be part of this emerging discussion on cybercrime and its risk management? I suggest there are two low hanging fruit at this time:

Engage Human Behaviour Risk

If we refute the view that cybercrime is a strictly technological issue, we need to identify and separate out the human risk aspects. These are, firstly, the phishing challenge discussed above, where staff compromise the corporate cyber fortress through unwitting letting cybercriminals in. Risk professionals must learn the meaning of cyber-terms like phishing, spear phishing, clone phishing, whaling, link manipulation, website forgery and file evasion. While technical sounding, such terms actually describe human behaviours that unknowingly assists cybercriminals’ efforts. Technology by itself will never be 100% effective against make these practices, and, once understood by the risk professional, risk mitigation programs can be developed to reduce the frequency of their success. Don’t be put off by the technological jargon, these are human error risk problems, well within the capabilities of the risk professional to address.

Secondly, cybercriminals can be employees as well as external individuals. Developing security strategies to minimise the motivation and opportunity of internal staff to perform acts of cybercrime is also well within the experience of the risk professional. We have extensive experience in managing employee crime risks, which can fruitfully applied to cyber cases.

Engage Cloud Services Risks

A clear trend across the sector is the increased use of cloud storage services by universities. Hoping to move data storage and maintenance responsibilities, as well as increase security against cybercriminals, many institutions are forging new relationships with cloud storage providers. As with many services, these relationships are covered by contracts, most of which are highly technical and. Hopefully, these contracts reflect the best service model for an institution’s needs, whether that is a hybrid model or an entirely outsourced solution. It may be difficult for the risk professional to add much to this conversation without an extensive technical background to draw on – however, there has emerged an associated issue very familiar to the risk professional.

Current cloud services contracts are extremely “one-sided” contracts of adhesion, whereby customers have to agree to the standard wording of the services contract. It lies well within risk professionals’ abilities to help review such contracts, especially when looking at clauses addressing contingent liability, penalties for lost data, or the impact of cybercrime. As you would expect, many existing contracts favour the cloud services provider, limiting their liability in the event of an involuntary disclosure of the data in storage. The risk professional should be in a position to help their entity decide whether they are comfortable with these arrangements. This is similar to issues that arose with security services contractors in the mid-2000s, where some wanted to greatly limit their obligations in the event of a serious incident or loss. We see the same behaviour from cloud services providers today, and the experienced risk professional can contribute to negotiations to reduce their employer’s risk exposure, while ensuring the cloud provider is financially responsible in the event of a serious cybercrime.

In conclusion, cybercrime is the next area of strategic risk that risk professionals should be participating in, and even leading the discussion on. It is the best forum to engage a wide spectrum of people; function both operationally and strategically; and demonstrate how past experience can be applied to benefit employers. We will be faced with cybercrime risks for years to come, and it is time for the risk manager to get off the bench and into the game. It should not be left solely to technical experts, as it is at least as much a matter of human risk as of technical. There is an important role to be played in this area by the risk discipline.

To review your cyber-risk management, read our Cyber-risks Checklist here.