Using ERM to assess cyber risk

If you read the news in 2011, it should be no surprise that data is more vulnerable than ever. The threats are growing more sophisticated by the day and the fallout if you suffer a data breach can cost a fortune. Risk managers need to take a more active role in this arena. It can no longer be the sole responsibility of IT.

“The volume and value of sensitive data has never been higher and the sophistication of those who want to steal it continues to increase,” said David A. Speciale, of Business Acquisition at Identity Theft 911. “All the while, the potential cost of a data breach grows ever more catastrophic in terms of financial, legal, and reputational damage. Failure to act is not an option.”

To this end, RIMS (the organization that publishes this blog) has released a new paper on how ERM can help. “ERM Best Practices in the Cyber World” discusses looking at cyber-risk as less an exercise in patching network systems and more about changing your mind-set. It’s about using ERM principles to better prioritize the actual threats and gauging how severely each could hurt the company.

The paper also provides advice on creating a better information security plan and gives an excellent, detailed overview of the many cyber-related rules and regulations that companies must abide by in 2012: HIPAA, Sarbanes-Oxley, Graham-Leach-Bliley, the FAIR Act, the Red Flags Rule, the PATRIOT Act, the Data Protection Directive, and the many state-specific notification laws that kick in following a data breach.

“ERM Practices in the Cyber World” is free to RIMS members and $29 for non-members.

Similar Posts:

• RIMS Survey Reveals Continued Confidence in Cyber Insurance
• RIMS Membership Has a Say in COSO’s New ERM Framework
• RIMS President Deborah Luthi Speaks on ERM
• The World Is Becoming a Riskier Place — But That Isn’t Always a Bad Thing for Companies
• Risk Managers of ERM Least Satisfied with Brokers, Insurers, Study Finds