
Cyber Exposure – Are You and Your Risk Management Systems Prepared?


I just read a well-written article on the intersection between cyber risk and property risk.

The article covers the ground that risk managers have been reading and hearing about for years; the threat to businesses around the globe that arises from the interconnection of systems and devices. By now, we have heard about the hacking of a German steel mill in late 2014 and the attack on the electrical power grid in Ukraine just 2 months ago. These events, along with the computer system breaches in a number of entertainment, hospitality, healthcare and retail companies should be enough to demonstrate to all of us that the cyber risk is no longer a risk of the future, but a risk of today. At a recent property insurance meeting, John Lupica of Chubb commented to his audience that “Cyber is the only risk area where someone is trying to do real harm to your business every day”.

Interconnectivity between devices and systems has become the norm rather than the exception, both at home and in the workplace. The sharing of data, reports and analyses between systems is so commonplace that we hardly think of the risks that are attached to that convenience.

No area is so concerning to Chief Information Officers or Chief Information Security Officers as the risks associated with bringing in third-party software applications and public cloud-based computing applications. In these configurations, the user must trust the integrity and security of an application over whose data storage, code, application testing and release management they have no direct control.

This is particularly true of Risk Management Information Systems, which host large amounts of confidential corporate data including, for example, information relating to individual employees, business details and medical records. When considering (or reconsidering) your RMIS selection, as Whole Foods Market Risk Manager Margot Roth recently noted, “You don’t want the Risk Management Department to introduce additional levels of risk into the business.” This is why Ms. Roth and other risk managers very diligently evaluate their service providers’ cyber security arrangements when selecting an RMIS.

An obvious way to verify compliance with security requirements is to ask for compliance audit results and certifications. However, there are pitfalls: some providers who build on third-party development platforms will present the platform vendor’s certifications as if they were their own. This is a subtle difference, but it is vitally important to look for service providers whose entire organization, not just the underlying data platform, is certified and regularly audited. Certifications to look for are:

  • HIPAA compliance audit results (confidentiality of personal and medical information)
  • SOC1 report (Service Organization Controls), covering:
    • The security of the service provider’s systems
    • The availability of those systems (reliability to provide services)
    • The processing integrity of those systems
    • The confidentiality of the information that the service provider maintains for others (the security of YOUR information in their systems)
    • The privacy of personal information that the service provider collects, uses, retains, discloses and disposes of for its users
  • ISO/IEC 27001:2013
    • Internationally recognized standard relating to the protection of financial information, intellectual property, and employee and/or third-party personal information that has been entrusted to an organization

In a related context, for those risk managers still using spreadsheets or desktop database software, there are security concerns for you as well. Primarily, these applications are not collaborative in nature, meaning that only one user or “contributor” can work in them and make changes at any one time. Beyond that, the physical security of the computer is a concern, and the encryption and other protection of the data also have to be considered. If you are concerned about data integrity and security, or about business resiliency and continuity, a desktop risk management data tool is probably no longer the solution of choice.

Before deciding to use any third-party software application, it is best practice to involve your IT, Security and Compliance departments in the selection process, so that the most current technical evaluations are made and the process results in the most reliable and secure installation. When the third-party application is a risk management information system, the caution from Margot Roth above is especially appropriate!

Jeff Gehrke is Ventiv's Chief Risk Technology Evangelist. Contact Jeff at Jeff.Gehrke@ventivtech.com or +1.720.445.9531. Connect with Jeff on LinkedIn: https://www.linkedin.com/in/jeffjgehrke


Feb 25, 2016
