RC: In your experience, how do boards generally view their company’s potential exposure to cyber risk? Is it still widely considered an issue for the IT department?

Gossé: Directors and officers used to believe cyber risk is only about IT security – but this is wrong. Cyber risk is a global issue for organisations. Perceptions are changing and we are seeing stronger involvement from boards in terms of cyber risk management. This is mainly due to highly publicised incidents like Sony, Target and Orange. A study by the World Economic Forum suggests that cyber risk is within the top 10 most important risks faced by every organisation. Additionally, when we talk about cyber risk, most of the time we only think about companies that handle a massive amount of personal data, but that’s just a portion of cyber risk. Companies also need to consider the extent to which their activities are dependent on their IT system. If there is a failure of the IT system, what will happen to the company? Will it be unable to manufacture products? Will it be unable to provide services to clients? IT systems already control just about everything, and this will only increase with the Internet of Things. If something goes wrong with an IT system that connects and controls everything, the financial consequences for the company could be huge.

Melides: Recent incidents, particularly those we have seen in the last 12 months such as Target and Sony, or even with financial institutions like JP Morgan, indicate that the risk is developing and no industry is immune to that risk. This is an area of exposure that can affect any kind of corporation holding significant amounts of personal or customer data. The surge in cyber attacks is also a sign that something is broke – or at least potentially broken – in enterprise security. It is an element that needs to be reviewed, continuously monitored and safeguarded.

Jan-Mar 2016 Issue