Smart technologies, while great for business, are also increasing our exposure to cyber risks. But Airbus Defence and Space’s risk manager Philippe Cotelle says it’s not rocket science. His approach to cyber risk is influencing our entire industry. His first lesson? Make the tech guys your new best friends

“I’m a space engineer,” says Philippe Cotelle, head of insurance risk management at Airbus Defence and Space. It’s an intriguing job title and one that is well earned – he’s worked in the sector for more than 20 years.

But while he might have started his career in engineering, he’s now also one of the most prominent risk managers in Europe and sits on the boards of Ferma and Amrae.

It’s a shift that happened almost accidentally, but not one that Cotelle regrets.

He explains: “When I interviewed with SCOR, I had no clue what they were or that there was even insurance on space. It was completely by chance. But then Airbus wanted to get me back on board because I was familiar with space insurance. Then I expanded to other subjects.”

Now he is responsible for insurance and risk management for several areas, including defence and military aviation, and manages an international team across France, Germany, the UK and Spain.

He jokes that he’s been around for ages – “since the 17th century,” he laughs, but his nearly 20 years’ working in insurance and risk make him well placed to comment on the changes we’re seeing in risk management.

“What is interesting is we have seen a rapid evolution of risks over recent years. Consequently, there have been quite a number of changes both for the risk management profession and also for insurance and reinsurance.”

YOU HAVE TO TALK TECH

There are three risks in particular that Cotelle believes are game changing for businesses: cyber, natural catastrophes (nat cats) and the political environment. He is interested in all three topics, but it is the risks associated with digitalisation and cyber that make him truly passionate.

It is obvious, he exclaims, “to say that digitalisation is changing our way of working, thinking and acting – both individually and at company level. Really, digitalisation is a must-have, it’s the core of the strategic growth for each and every company because of the huge opportunities you can achieve thanks to new technology.”

And the opportunities are vast: “Digitalisation is the way to expand in a market that is otherwise not really expanding. Developing services, being more efficient internally and saving costs leads to better financial results and economic growth.”

“The board is making decisions to develop new services, to introduce digitalisation into factories, to develop a completely new system of finance, etc.”

But for all the benefits, C-suite and executive management have made decisions to embrace new technologies without thinking about – or mitigating – the risks involved. This has left risk managers in a sticky situation – they are now trying to close the stable door after the horse has bolted.

“We’re playing catch-up. We now have a very difficult message to pass on, to say: ‘Well, there are new risks that have probably not been assessed or considered that need to be addressed now that we have chosen the digitalisation route.’”

But these risks need to be dealt with as a matter of urgency – not necessarily an easy undertaking when strategic plans are already under way.

“Cyber needs to be addressed just like any other risk, but it has some specificity that needs to be taken care of. Cyber is a transverse risk, and can affect any part of a company, so you really need to look at every function to see which might be the most affected.”

“As well as that, you have a layer of compliance and legal to deal with.”

This, he feels strongly, is where risk managers need to raise awareness. “It’s not just firewalls and software! As an industry or service provider we are exposed, and that exposure can potentially threaten the future of the company.”

Dealing with cyber risks is an ongoing challenge and risk managers must constantly look for new threats, re-evaluate vulnerabilities and update strategies accordingly.

“Look at property risk – if you put in a sprinkler, you can safely say your risk has been addressed. But with cyber, the evolution means you constantly need to revise your view because the situation may rapidly change. Not because of the business but because the technology evolves and things that were impossible a few years ago may now be widely available on the internet.”

“You need to be agile and to anticipate that. The nature of the job is not that different, but the pace has evolved.”

This is critical, he suggests, because of the public nature of cyber risks. If a company has a breach, the top management will be the first to be challenged about what decisions they have made and whether they have put the company (as well as customers and suppliers) knowingly or unknowingly at risk.

“The board needs to be able to assess the consequences of their decisions, not on the tech side but the strategy side, and to have a view on the way the company is going to address that sort of exposure.”

“This will require internal resources, of course, but they are limited, so you need to make choices. You need to do arbitrage of resource to where the priorities of the company lie.”

MAN IN THE MIDDLE

However, top managers tend to see digitalisation as a ‘tech issue’. This, says Cotelle, means many risk managers face challenges in engaging IT and cyber security departments, as well as the C-suite and the board, and other stakeholders.

“As a risk manager you are not supposed to be an expert in cyber tech or other fields; most of my peers are not engineers. For years, these issues were just handled by technical experts and there is quite a high barrier to entry in that world. It’s a completely different vocabulary. Some risk managers are keen to omit the words ‘risk management’, because it’s just misunderstood.”

He adds: “Risk managers will also need to talk to financial, legal and compliance departments and be able to understand the risks that they describe and to synthesise that in a way that is understandable by everyone. You have to be the generalist of all the different fields.”

“The only solution is to acquire the credibility that makes people believe that if they go to you, they will get a clear response. This will help businesses access intelligence on the risk.”

“Thanks to our expertise, we can create real business impact, which raises our credibility. It’s a circle – your credibility will help the business and then people will give you more information as they know you are the right guy.”

Bridging that gap is something Cotelle has worked hard to achieve at Airbus, though it hasn’t been plain sailing. “I asked the tech guy: ‘Okay, have we suffered some attacks?’ and he said: ‘Yes, constantly.’ So, I asked: ‘Did we suffer any loss?’ and he said: ‘Yes, we had to repatch a number of computers, and reload some programmes and data.’ But when I asked what the business impact was, the guy was unsure.

“So, I figured that there was something missing. It’s just common sense that in business terms, we need to deliver products, cash receipts, deliver on sales – but that part of the link was missing. So, a lot of my work has focused on taking technical scenarios and translating the business impact into something that top management will understand. This is the part where risk managers can add value – the not-so ‘rocket science’ element of our roles.”

Another lesson he has learnt has been the importance of quizzing technical staff with the business model and future plans in mind. This, he says, can help you identify future risks and understand where hackers may strike next and what are the most important vulnerabilities.

“This wasn’t something I was aware of at first – but eventually I discovered that this is how the attackers are exploring. So, I asked: If you were on the other side, where would you put your effort to hurt the business the most – and are those scenarios realistic? Then I could quantify the impacts and take the issues to senior management.

“I had people telling me you can’t quantify a cyber exposure. And people were saying it was dangerous to put a number on it because if it fell into the wrong hands it could be used against the company. Today everyone is telling you we need to quantify risks but some years ago that really wasn’t the case.”

CHANGING THE INDUSTRY

His innovative approach to cyber risk is changing the way the industry thinks about these issues and Cotelle is both eager to share his learnings and proud of the impact they are having.

“When I developed the methodology to assess cyber risk and the feedback was good, I quickly concluded that it cannot be something that just sits at a company level, because digitalisation affects the whole industry.”

“I anticipated requests from third parties such as regulators and investors, who would want to understand the maturity of cyber risk management in a company and benchmark it with respect to others. I thought it was really important to share my views and explore how we can influence the future benchmarks that will ultimately come, with our best practice coming from practical experience. That’s why I want FERMA to share my work and discuss it with my peers.”

“Now all the ratings industries are starting to work significantly on cyber risk assessment, and we have now published guidelines on cyber governance and insurance that can help companies to promote best practice and influence the way rating agencies or insurers do evaluations.”