Nicolas Mason, group risk and insurance manager at Oberthur Technologies, is running today’s cyber risk workshop. StrategicRISK interviewed him to find out some of the key issues which will be discussed and his views on the real threats businesses face from the cyber world …
Do risk managers in France understand the level of risk posed by cyber issues?
From a general standpoint awareness has now grown quite high among the risk management community. There are a number of reasons for this, but certainly more communication from the insurance industry thanks to their own activities in this area, and also from IT security managers has driven the message through and created a greater understanding of the risks involved.
Obviously, cyber risk has always been high on the agenda for a company such as ours in the technology sector as it is core to our business. However, we have started to see a greatly increased interest in the subject from traditional ‘bricks and mortar’ businesses also.
This rise has been particularly apparent over the past three or four years among ‘mainstream’ companies that are now seeking solutions through prevention, protection or other means such as insurance. Risk managers now need to ensure they take a holistic approach to tackling cyber-related issues as the area is so broad and wide ranging.
Is that level of awareness reflected at board level? Are directors driving the idea of cyber risk through businesses or is it down to risk managers and chief technology officers to do this?
There is a level of understanding and concern at board level and that has been generated by what board members pick up from different areas within their own company, but also from news coming from the public domain. High-profile data breaches and malicious cyber attacks which emerge and new legislative/legal constraints regarding handling of third-party data certainly would prompt chief technology officers [CTO] to call their IT managers. The Edward Snowden revelations, even though they were seemingly more political than business related, still served to focus the minds of business boards. The massive development of smartphone use in the corporate world, and ‘BYOD’ (bring your own device) policies, however satisfying from a communication quality standpoint, bring a massive amount of additional new cyber risks for a company CTO.
Also, the potential losses which can be incurred from a cyber-related issue can be huge in terms of reputation, business interruption and other liabilities. Again, this gets attention from boards.
You are hosting a cyber workshop at Amrae this morning – what will you be looking to explore in this session?
The first panelist is a former French police officer; his presentation will be focused on national issues which relate specifically to French headquartered businesses – looking at how the French state views risk and the potential impact, what the French state does to help protect them, and the new cyber legislation which is also coming out.
Our workshop will also have an IT security manager give his view on the cyber issues that are out there, how those risks can be mitigated and how best to achieve a successful collaboration with businesses.
We will also have representatives from an IT security consultancy firm and an insurer who will jointly talk about technical prevention solutions and the culture which is needed within a company, as well as cyber risk mitigation through insurance solutions.
What are the main cyber threats to businesses in France?
In essence the threats to businesses in France are no different to those affecting other companies in Europe. Cyber criminality is clearly a concern – corporate spying, blackmail, data breaches and other malicious attacks represent the main dangers. Direct financial impacts coming from reputational damage, or business interruption losses due to server breakdown following an attack, are also serious threats.
In terms of emerging threats – what should businesses in France and indeed elsewhere be looking at regarding future cyber dangers?
Probably very similar to those mentioned in my previous answer, only on a more massive scale. The world of communicating objects and e-identity is around the corner. This will make our societies as a whole more vulnerable to large cyber attacks. As everything is increasingly connected and the internet critical to doing business, cyber attacks will have increasingly dire consequences. Some of these malicious attacks could affect a region or indeed an entire country and focus on utilities, media groups, financial institutions and so on and are specifically aimed at disrupting the way of life, if not bringing chaos. To mitigate these risks, states and corporate entities, as well as insurers, should be working more hand-in-hand in the future.