AIG Cyber Risk Handbook

Key Principles and Practical Guidance for Corporate Boards in Europe

Boards are increasingly focused on addressing cyber threats

AIG, ISA (Internet Security Alliance) and Ecoda (a representative body of national institute of directors across Europe) have developed a cyber-risk handbook to provide board members with a simple and coherent framework to understand cyber risk, as well as a series of straight-forward questions for boards to ask management to assure that their organisation is properly addressing its unique cyber-risk.  The handbook will promote continued adoption of uniform cybersecurity principles for corporate boards not only in Europe but across the globe. We’ve laid out a summary of the 5 principles for managing cyber risk below, along with key recommendations.

Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

Key recommendations:

• Information security should not be considered as purely a technical issue left to the IT department;
• Cybersecurity has to be perceived as an enterprise wide risk management issue through the whole life cycle of the company;
• The risk-oversight should be a function of the full board;
• The board should not rely on a one-size-fits-all approach, they must define their own tailor-made plans;
• The board should develop the right culture inside the company to ensure that all employees take cybersecurity as a serious matter;
• Management’s duty is to make information related to the prevention, detection and response capabilities and knowledge of the maturity scale in which the company operates, available to the board. In doing so, management should not consider only the organisation’s own networks but its larger ecosystem.

Principle 2: Directors should understand the reputational and legal implications of cyber risks as they relate to their company’s specific circumstances.

Key recommendations:

• Cybersecurity is not just about reputational issues; it is also about liability of board members;
• Board members should have a good knowledge of the existing legislations be at European or national level, or even industry-specific in order to exercise properly their duty of care.

Principle 3: Boards should ensure adequate access to cybersecurity expertise, and appropriate reporting, at both Board and Committee level.

Key recommendations:

• Board members should employ the same principles of inquiry and constructive challenge as for strategic decisions;
• The board has the duty to precisely specify its expectations to management and be directive in the type of information they wish to receive;
• Even if cybersecurity is entrusted to a specific committee, the full board should feel concerned and get at least quarterly debriefings from management;
• Cybersecurity should not be treated as a stand-alone topic; it has to be embedded in all dimensions of the company’s strategy.

Principle 4: Board directors should ensure that management establishes an enterprise-wide cyber-risk management framework which encompasses culture, preventive, detective and response capabilities, monitoring and communication at all levels. Resources should be adequate and allocated appropriately by the strategies adopted.

Key recommendations:

• Management should establish both an enterprise-wide technical framework (mobile devices, AI, ...) as well as a systematic framework (with a forward-looking approach) that will facilitate board oversight of cyber risk;
• Management should have an integrated approach to cyber risk in order to establish a clear accountability framework, clear processes and communication guidelines;
• Management should opt for a bottom-up aggregation approach;
• The board and management should set the tone at the top and develop the right culture and raise awareness to develop cyber-resilience.

Principle 5: Board discussion about cyber risk should include strategies on their management (mitigation, transfer through insurance or partnerships, etc).

Key recommendations:

• The board should consider the return on cyber investments and shift to a risk-based approach;
• Cybersecurity must be conceptualised as a measure of future loss.

More Information

For more information or to receive a copy of the handbook, please contact Patricia.Cullen@aig.com or your AIG business development contact.