Cyber Risk Conference: The role of the board in managing risk

Insurance isn't a band-aid solution

When it comes to cyber security, or really anything, senior management and the board have different roles, said Adel Melek, managing director of global enterprise risk services at Deloitte. Management should be responsible for designing and implementing effective cyber programs, while the board must have the technical knowledge to evaluate and even challenge management’s decisions.

Board members also have to make decisions about mitigating or transferring cyber risk, said Brian Rosenbaum, senior vice president at Aon Canada. He stresses that insurance isn’t a band-aid solution, though, and that companies should adopt security measures that make them an attractive risk for insurers. Rosenbaum also warns that some insurers add cyber exclusions to D&O policies, while others add very limited first-party coverage to D&O “to whet the appetite of the insured to buy cyber.” That’s particularly dangerous because the board might think they’re fully covered for breaches when many risks are left exposed.

Copyright © 2017 Transcontinental Media G.P.