The biggest social media concern for risk managers is the potential reputational impact to the organization, says risk expert David Bradford, who outlines mitigation steps.
Reputational risk comes in two areas, says Bradford, president of the research and editorial division at Advisen Ltd., which publishes the annual RIMS Benchmark Survey.
"One is from the company's own social media activities, which tend to be a little less regulated and controlled at the corporate level than other communications going through traditional public relations and advertising channels," says Bradford in an interview with Information Security Media Group's Eric Chabrow [transcript below].
The other area of reputational harm comes from public discussion about the organization via social media, "whether it's true or not true," he says. "It could be a rumor. It could be a fact. But it can spread like wildfire."
To mitigate the risks, an organization first and foremost needs to develop a social media policy. "[The company] has to be able to control what's coming out of the company via social media for the official channels," Bradford says.
In the policy, he says, it's important to designate who can talk about the company and what they're talking about. Also, guidelines should be established to provide employees with reminders about how their statements can reflect on the company and to be cautious of their own activities using platforms like Facebook, Twitter and LinkedIn.
Organizations also need to monitor social media to be aware of public attitudes towards the company and what's being said. "And have a plan in place to respond if there's an incident that results in a negative issue being communicated via social media," Bradford says.
In the interview, Bradford also addresses:
- How organizations should address what he characterizes as the "blur" between work and non-work time brought on by social media and mobile technologies;
- Increasing interest by organizations in cyber insurance; and
- Synergies between information risk management and overall risk management within an enterprise.
Bradford is president of the research and editorial division at Advisen Ltd., which publishes the annual RIMS benchmark survey, and serves as its editor in chief. Before joining Advisen, Bradford held management positions at Swiss Re America as head of treaty underwriting, national accounts and eBusiness ventures. Prior to Swiss Re, he was a senior vice president at Reliance Reinsurance, where he founded and managed the special programs department.
RIMS Benchmark Survey
ERIC CHABROW: First off, please take a few moments to tell us about RIMS and the Benchmark Survey.
DAVID BRADFORD: RIMS is the association of risk managers in the U.S. and risk managers are the buyers of insurance at larger companies, and we also have other responsibilities in terms of finding ways to manage and finance the risk of the organizations. The benchmark survey has been published for about 30 years. It started as a way for risk managers to compare their insurance programs against peer groups to see if they're purchasing the right limits and if they're paying the right amount for it.
Over the years, we've expanded the benchmark survey to address other areas of interest for risk managers. Each year now we do a couple of supplemental surveys on topical issues, and for this past survey one of the topical surveys that we conducted was on social media.
Cyber Insurance: A Recent Development
CHABROW: As I flip through the 150-page survey, I saw lots of figures about the cost of risk involving property, auto, workers compensation, malpractice, marine aviation, fiduciary, and so on, but I didn't see much about cyber. In a section about the IT industry, there were two related charts that reported 32 data breaches, an insurance payout of $91 million dollars in 2011, and in a telecom section the study reported ten cases of unauthorized data distribution and $170 million dollars in payouts; otherwise not much on cyber. Why so?
BRADFORD: Cyber exposures are increasingly a part of the concerns of risk managers, but that's actually a relatively recent development. Until just a few years ago, cyber exposures were perceived pretty much as in the domain of the IT department and risk managers didn't have a whole lot to do with it. In the past few years that has changed and still only about a third of large companies buy cyber insurance policies. Going forward, I suspect you probably will see more in the benchmark survey concerning cyber. It's a topic of growing concern for risk managers and certainly it's a very rapidly growing product within the insurance industry.
CHABROW: I was at a conference two months ago and someone from the industry was discussing one of the problems in dealing with cyber is there just aren't enough underwriters who really understand cyber insurance.
BRADFORD: Yeah. There are a growing number of companies. I believe there are 28 companies now that provide the coverage, but for a lot of them it's just been within the last couple of years. So it's still a learning curve for a lot of the underwriters.
CHABROW: What's the synergy between information risk management and other forms of risk management?
BRADFORD: I think you have to look at risk management in organizations in a more holistic way and more and more companies are doing that. Enterprise risk management has been a concept that has been around for a few years now, which is an attempt to get beyond siloing the management of risk in organizations in different departments. As far as information risk management, as far as data security goes, increasingly companies are looking at it as an enterprise wide problem, and not just something that sits on the servers and the IT department. It's especially the case now that more and more companies have employees with mobile devices that are connected to the system that can be lost or stolen. What has happened is that more and more companies are creating committees that span the organization to address data security issues and increasingly that includes the risk management department.
Social Media: Pros & Cons
CHABROW: What did the survey reveal about social media as an asset or liability to businesses, governments and not-for profits?
BRADFORD: We were looking to see if risk managers were perceiving social media as being important to their organization and whether their organization perceived social media as being important to their business purposes, and what kind of risks were associated with social media in their organizations. The majority of risk managers said their organizations do view social media as an asset. They do view it as an important part of their business plan going forward. They do see it as a way that they can communicate with customers and with other stakeholders. They do perceive the opportunities in social media as outweighing the risk and are actively pursuing ways to exploit social media for business purposes.
CHABROW: But there are risks there. What are some of the risks that are identified?
BRADFORD: The biggest concern that risk managers have about social media is reputation risk, and that's from two areas. One is from the company's own social media activities, which tend to be a little less regulated and controlled at a corporate level than other communications going through traditional public relations and advertising channels, and secondly, just from what's said out there in the social media domain about the company, whether it's true or not true. It could be a rumor. It could be a fact. But it can spread like wildfire. You can have the viral effect so if something happens within the company or perceived to happen or rumored to have happened, it can go around the globe instantaneously and then it becomes a real problem for the company to battle against that perception.
CHABROW: Are there ways that companies are addressing this?
BRADFORD: The key thing the companies really need to do is, first of all, have a social media policy. They have to be able to control what's coming out of the company via social media for the official channels, a company's own Facebook page for example, or by communications from their employees on social media. A company's first step is to really establish a social media policy as to who can talk about the company, what they can talk about, who's authorized to make certain types of statements and the like, and set some guidelines for employees and remind them that their statements reflect on the company overall, and to be cautious as to what they say in their own social media activities.
The other thing they need to do is to monitor social media and be aware of what's being said about the company, and have a plan in place to respond if there's an incident that results in a negative issue being communicated via social media.
The other thing companies need to do too is address some of the other risks that social media presents, and that can be things such as harassment and discrimination taking place via social media and perhaps outside of the work place but it's basically work-related issues that sort of spill over into the private domain. Because of social media, the line between work and not work gets blurred often, so that becomes almost a human resources issue in terms of communicating to people appropriate behavior with co-workers and subordinates outside the office.
CHABROW: I don't know whether certain industries have different approaches to this. Obviously not even social media but with mobile devices, there's a blurring of the lines between work and private time. I don't know whether this presents additional risks for organizations.
BRADFORD: It does in that you really do have a blur between work and not work or private time that can create issues, and with mobile devices the issue is sometimes having to deal with the fact that basically you have employees who are working around the clock because they have access to work, information. They have access to communication with their fellow employees and it becomes a wage, hour and time issue that you have to manage there. It's a little different with social media but it definitely presents the risk of work-related issues spilling over in the private domain where the company doesn't have a lot of control over what happens.
Exploring Cyber Insurance
CHABROW: As part of the social media survey, you asked your respondents if their organizations purchase cyber insurance. Fifty-six percent said no, 38 percent said yes and 6 percent didn't know. How does the purchase of cyber insurance compare with other types of insurance purchased by organizations?
BRADFORD: There are certain types of insurance that just about every organization purchases, either because they have to or because it's a very wise purchase and that would include things like worker compensation, property insurance, automobile insurance. Cyber insurance is viewed as much more of a discretionary purchase at this point in time, and risk managers really have to be educated on the need to purchase the coverage, what the coverage actually provides, and so far that's been a little bit of a difficult sell for brokers and partially it's because it's a new product with brokers as well. A lot of them just don't really understand the products that well themselves. They don't do an effective job of indicating the need to the buyers.
CHABROW: Companies that are offering cyber insurance, are they sort of standard types of policies or do you have a variety of different companies offering a whole different range of products?
BRADFORD: The products are becoming more and more standardized, which is a good thing because you can combine different policies into a single program now, but there's still a lot of diversity in the marketplace. There probably will be for a while and it's probably a good thing. As the exposures continue to evolve, the coverages continue to evolve and companies continue to innovate, you find that there's a lot of focus right now, for example, on providing services after a data breach via the policy. So if there's a problem, the insurance company sort of rallies the necessary resources to help address that problem, which is a pretty new coverage that just really wasn't there a couple of years ago. Companies are now scrambling their own version of that kind of coverage.
Enterprise Risk Management
CHABROW: One-third of the social media adopters in your survey said their organizations did not implement an enterprise risk management approach to the adoption of social media. Eighteen percent said they did and another 18 percent said they partially implemented an enterprise risk management approach, and the rest didn't know. What do you make of these findings?
BRADFORD: It actually is fairly consistent with other surveys that we've done about enterprise risk management in general, that there's a growing movement within risk managers to champion enterprise risk management programs within their organizations, but it's a big commitment on the part of the organization to actually implement. So what you find is that it's a growing number of companies that have enterprise risk management programs in progress, but a lot of them are still sort of in the beginning phases or in the middle phases and are making relatively slow progress towards actually getting a fully implemented program in place.
CHABROW: You're saying that enterprise risk management is relatively new?
BRADFORD: Well, the concepts behind enterprise risk management have been around for a long time, things like continuity, planning and the like, but in terms of looking at it as sort of a separate discipline with a name associated with it - enterprise risk management associated with it - this really is within the past decade that has really taken root.
CHABROW: And why so?
BRADFORD: It has just been a recognition on the part of more and more companies and within the risk management community itself that you cannot really break apart the organization's risks into pieces and effectively manage it, because there's just way too much spillover between the different types of risk, and to not look at it in a holistic sort of way leaves yourself open to really not understanding what the risk profile of your organization is. From the standpoint of senior management, it's less important that the loss comes out of the finance department rather than out of the production area, then it's the fact that the loss occurred and they want to look in a way that they can understand what their entire risk landscape looks like, what the risk profile looks like and know that's being managed in a centralized sort of way, and not being dealt with piecemeal.
It has been a growing awareness on the part of senior management organizations and the part that has been championed by risk managers who are looking to enhance their roles in the organization's broader areas of responsibility for themselves, and it has also been encouraged by Sarbanes-Oxley and just some of the requirements that Sarbanes-Oxley had, concerns of management overview of companies and corporate governance.