Today, cyber risks are high on the list of the most significant risks that organisations say they face, but FERMA board member Julia Graham believes that many risk managers are not yet playing a full part in their management.

“There is a tendency in my experience for risk managers to step away from this subject, ceding it to the domain of the chief information officer or his or her equivalent. Yet, this is not only an IT risk. It is an enterprise risk, and risk managers must step up and be stakeholders in its management,” she says.

Julia Graham

Julia Graham

The issues of risk management, risk financing and who should be involved in the management of cyber risks will be the subject of a workshop at the FERMA Forum, which starts on 29 September in Maastricht. Julia has a particular interest in cyber risks and urges risk managers to take part. (See below for a link to full details).

She says, “You don’t need to be a technology geek to have enough understanding to manage the risk, and there are readily available sources of information and guides that provide the risk manager with easy to digest advice that’s also fit for the board.”

Cyber-security, she says, “should be integrated into the enterprise risk management (ERM) system, and boards should play a critical oversight role. They should ask more detailed questions about cyber-security threats and responses than they have in the past.”

Nor does risk management end once the risk management approach has been agreed. “Cyber threats are exceeding the pace of enhancements in information security. The management of cyber risks should be a continuous process and part of the way an organisation manages all risks”, says Julia.

Cyber insurance

The European Commission is exploring the cyber-security insurance market, a process which FERMA is contributing to.

Julia comments that the scope and limits of cover and entrants to the market for cyber insurance have improved considerably over the past 24 months. She welcomes a trend toward bundling the insurance cover with appropriate value-added solutions, including support for breach detection and response.

At the same time, she argues that before insurance is considered, the risk should be assessed, controls understood and, where appropriate, improved. There should then be a gap analysis against existing insurance programmes – some cyber risks will already be covered – and the residual risk evaluated. Only then, is it worth considering whether what risk remains should be insured.

Julia points out that the cyber insurance is still in development and coverage needs to be matched to the exposure which  varies considerably with the type of business. “The same policy will not suit companies with financial data from consumers, design-led businesses, law firms and other consultants with valuable intellectual property, and critical infrastructure. Buyers should also check what cover they have under existing programmes,” she concludes.

For full details of the FERMA Forum, see

FERMA welcomes journalists to the Forum.

To receive a free press pass: use the new users’ registration box in the following link to register for the FERMA Forum :

Insert the PrFF2013 discount code in the relevant field.