Risk management and the sports world unexpectedly intersected in a morning session at RIMS 2012, when panelists discussed how adopting an ERM strategy can help mitigate cyber risk while under the watchful eye (and whistle) of session moderator and well-known NFL referee Ed Hochuli. Much like in an NFL game, Hochuli, who is also an attorney with Jones Skelton & Hochuli, took control of the discussion by donning his referee jersey and throwing his penalty flag whenever any of the presenters went over a pre-determined time limit for remarks.
Panelists Carol Fox of RIMS, David Speciale of Identity Theft 911, Richard Magrath of USLAW NETWORK and John Hall of Hall Booth Smith & Slover were flagged for multiple delay-of-game penalties (and one good-natured taunting violation), but this did not stop them from delivering their timely and informative presentation.
As data breach incidents, such as Sony’s infamous PlayStation Network breach last year, have increased, so have their financial and reputational impacts. Perhaps more importantly, however, this so-called cyber risk no longer belongs only to IT departments. In fact, many IT departments may not even understand the full scope of the risk. “They are used to dealing with how many servers they have, not necessarily what is on those servers,” said Fox. Since data breaches affect the entire enterprise, mitigation and remediation efforts need to involve all departments in order to effectively limit damages and reduce costs. This makes a data breach plan a vital component of a company’s ERM program.
And given the complex web of data protection regulations, jurisdictional issues, and due diligence and privilege concerns, Magrath and Hall recommended that risk managers not try to go it alone, but instead engage counsel as a kind of quarterback to help them assess their risk and make sure they are as protected as they can be.
Speciale warned that despite all of a company’s best efforts, 100% protection may be impossible and some fallout may be unavoidable. “When a company is breached, a small percentage of people will never do business with them again,” he said. The goal, then, is twofold: prevent as many breaches as you can, and strengthen your defenses so that you are a less attractive target for the attacks that remain.
In order to help companies develop a plan of their own, RIMS, USLAW NETWORK and Identity Theft 911 developed an executive report entitled “ERM Best Practices in the Cyber World.” The report details how risk managers can go about developing an effective data breach plan. As the session made clear, thousands of dollars invested in planning could prevent millions of dollars in losses.