As 2015 draws to a close, cyber security remains a priority as shown by the more than 1,000 legal, insurance and risk professionals who attended ALM’s cyberSecure conference on Dec. 15-16 in New York City.

A highlight of the conference was the presentation of National Underwriter Property & Casualty’s 2015 Excellence in Cyber Security Risk Management Award, sponsored by the Institutes. The winner for 2015 was XL Catlin’s information risk management team, headed by Thomas Dunbar, senior vice president.

The award was presented to Dunbar at the conference by Mary Ann Cook, senior vice president of knowledge resources and content development for the Institutes. Cook lauded Dunbar as a leader who excels at what he does — one who provides inspiration for everyone in the industry to draw from. “It is especially important in today’s environment that we have leaders that we can look toward for expertise in the face of emerging cyber security threat and risk, and Tom Dunbar is one of these leaders,” she said.

Cook noted that Dunbar and his team are entrusted with the daunting task of protecting sensitive data throughout a company that spans 60 offices in more than 20 countries. “A key part of Dunbar’s risk management program includes arming all of this company’s employees with the knowledge they need to help protect both themselves and the company from dangerous cyber intrusions,” she added.

“We recognize that need to educate, to put people in the front lines of emerging threats relating to cyber risk,” Cook said. “The Institutes salutes Tom for that prolific approach to cyber threat and cyber security that, obviously, he takes so seriously.”

Related: Meet the winner of NU’s 2015 Excellence in Cyber Security Risk Management Award

What actually works?

Following the award presentation, Dunbar; Henry French, corporate compliance director for XL Catlin; and Martin J. Frappolli, senior director of Knowledge Resources, The Institutes, appeared on a panel moderated by NUPC’s editor-in-chief, Shawn Moynihan, titled “What Actually Works? Proven Strategies in Cyber Security Risk Management,” to discuss XL Catlin’s program and why it’s so successful.

Responding to Moynihan’s question of how he develops that sense of collective responsibility across the whole organization, Dunbar said, “It’s important to have a rapport with company executives who recognize and understand the risk. “If they recognize the risk and its importance, we can work together to protect the company’s valuable data.”

XL Catlin Team with Moynihan and Cook with award

Thomas Dunbar and XL Catlin’s information risk management team with Shawn Moynihan, editor-in-chief, National Underwriter P&C. (Photo: Rosalie Donlon,

Dunbar also noted the importance of partnering with colleagues in legal and compliance, procurement, and internal audit, as well as having a strong partnership with the IT department. He believes that protecting data within the organization is a collaborative effort. “We talk about information security being everybody’s responsibility within our organization,” he added, from the C-suite to the maintenance crew. His team reminds everyone regularly that “Security starts with you.”

Related: 7 Cyber risk stakeholders and why they matter

Clarifying the role of insurance

As cyber attacks and cyber losses increase, policyholders turn to insurance to mitigate both first-party and third-party risks, Moynihan explained. “But how do policyholders navigate, because there is no one standard of Cyber insurance yet?”

Frappolli drew an analogy between fire insurance and Cyber insurance. “If you think about fire risks — when you suspect there’s a threat of fire that could disrupt your organization — finding a fire policy is not the first thing to do. A lot is done to mitigate that risk, such as building fire-safe construction, conducting safety drills, and having a fire extinguisher — and then you buy a fire insurance policy as well.”

“When we look at cyber threats,” Frappolli added, “even though the threat has been around for a few decades now, it’s still not well known, so it’s a risk we need to figure out how to manage.” Commercial property policies typically cover buildings and personal property, and some have a sub-limit for electronic data breach; however, they typically exclude losses that aren’t related to damaged property, which is going to exclude most cyber events, he explained.

Dunbar added that even though it’s his job to protect the company’s data, 100% security is not guaranteed. “Insurance is there to help when something does happen, no matter how good the organization’s program is,” he said. As the underwriters understand what an organization’s program should look like, he believes, they’re going to help raise the level of information security that the business has.

Related: Do you know these 9 hacking terms?

Navigating the state law maze

The issue of different state laws was raised as an important factor to consider when protecting against cyber breaches. “When aMoynihan and Dunbar with award company suffers a breach, fines and other penalties may be incurred from different states. How does an organization prepare for that scenario?” asked Moynihan. (Shown at right with Dunbar and the award. Photo: R. Donlon,

French said that the biggest concerns if you have a data breach, especially in the United States, are what you’re required to do and navigating the different state laws. “Our company has found that it’s helpful to have cyber insurance,” he said, explaining that “The biggest advantages of having a policy are dedicated counsel listed in the policy and dedicated forensic experts, who will give an expert view of what you should do, guide you through the process, and then navigate the process with the states.” He noted that it is very difficult to have that expertise in house, especially as it relates to keeping up with 47 different state laws, not to mention federal laws and regulations.

The tipping point?

It is estimated that only about 30% of businesses currently buy cyber insurance, Moynihan pointed out. He asked the panel, “How long will it be before we reach the tipping point at which cyber liability becomes a standard buy for businesses much like the way [employment practices liability insurance] was five years ago?”

“Even though this is a threat we’ve worked on and known about for quite a while, it’s not at a state of maturity yet,” Frappolli said. “It comes down to that issue of cyber hygiene. As organizations learn how to manage their cyber risks better, then Cyber insurance will become that back-stop in the same way that your fire insurance is now not your only plan.” But he doesn’t know — and won’t predict — how long it will take for Cyber insurance to become a standard buy.

French concluded that he sees cyber coverage as very useful in managing an organization’s own cyber security risk. “Buying the coverage is a decision we made at XL Catlin a few years ago, and we’re very happy with it.”

You’re invited to join us on Facebook.