4 Ways Risk Managers Can Engage on Cyber

Risk managers can no longer simply react to cyber attacks. Four tactics will get you started on preventing them, or at least preparing for one.


Five years ago, a cyber-attack on your organization would likely have been a quick one-two punch to compromise your firewalls and obtain your customers' personal data. As the risk manager, you would have been informed of the breach by IT staff, determined the severity of the incident and given an account to the company's compliance staff.

Fast forward to today. An attack takes a subsidiary's corporate network offline and threatens the entire firm's email system. Critical product formulas or sales data may have been stolen. You are called to not only provide a report of the incident to the chief information security officer but also to the CFO and CEO. The media and shareholders are clamoring to know how it happened, and the board wants to know how you plan to prevent another one.

Prepared or not, your role has changed as cyber criminals have grown more sophisticated - and more menacing. You can no longer simply react to cyber events. You are a crucial member of cybersecurity task forces and cyber risk strategy teams and are increasingly relied on by the most senior corporate leadership.

You're probably routinely called to be part of the team that develops best practices for assessing, managing and responding to cyber events, on top of ensuring that effective cyber insurance or other risk transfer mechanisms are in place. As regulators, shareholders, customers and others hold senior corporate leadership accountable for cybersecurity, you have to be diligent in identifying, analyzing and anticipating all of your organization's risk exposures.

Four Steps to Cyber Risk Management

To help meet the increasingly difficult and complex challenge of cyber risk management, start with these four tactics:

  1. Create an operational risk working group around cyber that includes IT, information security, legal and others. As a risk manager, you're probably uniquely positioned - for example, through risk committees - to pull together a cross section of key stakeholders around an issue such as cybersecurity.
  2. Quantify, as much as possible, the costs of a cyber event across all business units. Consider using analysis and assessment tools that quantify impacts by business, sector and other areas.
  3. Communicate the potential impact of risks to various stakeholders inside the organization as well as to third-party vendors.
  4. Deliver the cyber risk management strategy to the chief information officer or the C-suite/board in a timely manner - and be accountable for maintaining and amending the plan as required.

Heightened awareness of cyber events has enabled risk executives to play an ever-more critical role in their organization's cybersecurity strategy, but only with the right risk management tools can you truly succeed.

This article is part of a series that discusses cyber awareness among key stakeholders. For access to the other cyber articles, please click here.

Robert Parisi

Profile picture for user RobertParisi

Robert Parisi

Robert Parisi is a managing director and national practice leader for technology and network risk and telecommunications specialist in Marsh’s New York City headquarters. His responsibilities include advising clients on intellectual property, technology, privacy and cyber-related risks.

Read More