“Too many companies are making a mistake by managing risks in different departments, or what we call silos,” said William Barr, vice president for the Chubb Group of Insurance Companies in Pleasanton, Calif., during an interview at a recent conference here on e-crime.

Mr. Barr urged companies to establish enterprise-wide risk management programs, overseen by either their chief executive officer or a chief risk officer, reporting to the CEO.

Many companies still view their information technology departments as being the primary source of their cyber-risk control, expecting them to manage cyber-threats alone, he emphasized, speaking at the recent Strategic Stakeholders e-Crime Congress in London.

However, he added, IT executives dont have all the expertise needed to manage risk, particularly since cyber-risks can generate non-IT-related exposures involving physical, human and capital resources.

With such a “silo approach,” the effectiveness of cyber-security efforts often depend upon how well the IT director or chief information officer understands the cyber-threat issue, as well as their interest level in the exposure, he continued.

“Ive also seen situations where a physical security director who deals with the security of sites and cargo and the like is tapped on the shoulder and told, Youre now also the cyber-security director,” Mr. Barr stressed during an interview at the e-crime meeting.

“You really have to have somebody who is really knowledgeable on both sides of the issue to be able to manage the threat,” he said during an interview. “That person also has to be knowledgeable or enlightened enough to understand that, even if they have that knowledge, they cant manage it themselves.”

Chris Mandel, president of the New York-based Risk and Insurance Management Society, admitted that e-threats may not be a priority for those risk managers who concentrate on property-casualty or hazard exposures, simply because this isnt an area that has touched them much from an insurance standpoint.

“But if youre pursuing a broader approach to risk, as many of us are, you have no choice but to make sure that IT risk is one of the many things [examined in a companys risk profile],” said Mr. Mandel, who is also assistant vice president of enterprise risk management for USAA in San Antonio.

At USAA, Mr. Mandel said three representatives from information technology participate on an enterprise risk management committee, “and we dialogue with them all the time.”

“My first bit of advice–and its part of my platform for the year that Im president of RIMS–is that everybody needs to step out and sign up for that broader application of the risk management model for their enterprise,” he said. “You can call it what you want, but in my view, the future for us is getting outside of that hazard-risk realm and getting involved in any and all material risks that could affect the enterprise.”

RIMS, he added, “recognizes the value of putting more attention and resources to the effects of cyber-crime. But when you deal with risks on an enterprise-wide basis, you deal with so many things, its only going to get so much of our attention going forward. But I think in the future, more of our members will have that as a part of their list of exposures that receive an allocation of their time.”

Mr. Barr expressed concern that e-threats have not been included in the threat assessments of some companies, and have “not wound their way into proactive and reactive programs to minimize threats.”

In the proactive area, he said, some companies have failed to develop “a corporate culture among the employees to make sure that the employees know how to respond to security issues, particularly as they respond to the cyber-threats.”

While the technical firewall–the software–is extremely important and is the first line of defense, he said, if “you dont have a knowledge firewall on the employees side, then you have significant gaps in your program.”

He further recommended that companies analyze interdependencies, or what would happen if an unprotected supplier, business partner or customer were to experience a business interruption or go out of business due to a cyber-disaster. Its important to determine what measures these firms have taken to protect themselves, he emphasized.

Reactive programs include the development of contingency management and disaster recovery plans that address cyber-crime incidents, as well as other disasters, he noted.

“Most traditional disaster recovery plans have ignored or downplayed cyber-threats,” Mr. Barr said, noting that any proper plan has to address e-threats and has to be constantly reassessed and tested for flaws.

The majority of a corporations e-threat vulnerabilities are software-related, he said. “The baddies out there are opportunistic in the way they come at you. They count on you not fixing those problems on a timely basis,” he noted.

However, he added, there are also organizational flaws that allow these problems to exist. Mr. Barr cited the example of assigning untrained people to do security, not authorizing any fix at all, or authorizing a short-term fix when a long-term solution is required.

“Of course, then there is the ostrich syndrome–putting your head in the sand and hoping it will go away; hoping if it bites you, it wont bite you too hard,” Mr. Barr contended.

To effectively address the e-risk problem on a macro level, Mr. Barr encouraged corporate insurance buyers to partner with law enforcement officials (who can put cyber-criminals behind bars), government officials (who create the laws and regulations required to arrest them), and other industry peers (to create best practices).

Marylu Korkuch, vice president and federal affairs director for Chubb, said that to combat e-threats, the Warren, N.J.-based insurer is emphasizing the importance of teamwork within a company and across an industry, as well as with government and law enforcement.

“I dont know too many risk managers outside of the high-tech industry who on a regular basis meet with and communicate with their IT counterparts,” she said, noting that its important to alert companies to the problems this lack of communication can cause. “I also will tell you that not too many people in the IT world will go and seek out their risk managers,” Ms. Korkuch affirmed.

She speculated that not too many IT people talk to the people responsible for a companys physical security, or even know who they are, even though theyre the eyes and ears of the company.

Security people are often treated as second-class citizens within their organizations, even though most physical security directors for organizations are former law enforcement officials, she observed. “A lot of people dont give them the credit that they should get for the fact that on their shoulders rests the entire security of a plant, of a campus, of an operation,” she said. “They would be such great allies of the IT people if you could break that barrier down and get them talking to each other.”

In addition, its not just the security people who are left out of the inner circle of a company–sometimes this is also the case for risk managers, she said.

Sometimes the risk manager reports up the line to human resources or to administration, rather than up to the financial side of the house, she said. When that happens, its more likely that the chief financial officer or the CEO is not as aware of the fact “that a lack of teamwork can really compromise the integrity of the organizationin terms of bottom-line security,” she said.

“Every company is a high-tech company, whether they realize it or not,” she emphasized, because theyre all relying on computers to conduct daily transactions.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, January 6, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.