NU Online News Service, May 19, 3:50 p.m. EDT

Purchasing insurance is not the answer to a corporation's cyber risk and information technology security exposures, but the last piece of a complete security process, according to a broker from Marsh.

The observation came during a webinar titled "Information Security and Cyber Risks: Battling Breaches and Protecting Privacy," sponsored by insurance broker Marsh, a subsidiary of New York-based Marsh & McLennan Companies.

The webinar was part of Marsh's continuing series of New Reality of Risk Webcasts.

"This may sound counter to what you would expect an insurance broker to tell you, but, frankly, placement of coverage is the last step in the process and one that may not occur," said Bob Parisi, leader of Marsh's professional liability practice within its Financial and Liability practice.

"Insurance…is never a valid alternative to good risk management," he added.

The greatest threat, Mr. Parisi noted, is a corporation turning a "blind eye" to the security risks that information technology presents.

While risk transfer may help, he said the risk of a security breach to privacy data needs to be viewed through a combination of risk remediation, prevention and education.

John Mullen, an attorney and chair of complex litigation risk for the law firm of Nelson, Levine, DeLuca & Horst, pointed out that for corporations, a breach of data is a "high severity exposure" that boards and shareholders need to deal with.

Mr. Mullen said corporations need to spend time understanding the laws and regulations related to cyber security and personal information breaches, and how they must respond if a breakdown in security takes place. He added that any company would benefit from having "an empowered decision-maker" following these legal issues.

Alan Brill, senior manager with Marsh's sister company Kroll, said, "There is no such thing as 100 percent cyber security."

He said security flaws are being discovered every week as unscrupulous technology engineers continue to design programs aimed at robbing businesses of personnel information.

Companies need to develop and test plans to deal with cyber security breaches, he noted. Some breaches are unpredictable, and some may be unstoppable, but many are not and should be detected and stopped before they take place.

"A dollar spent on perfectly reasonable security measures before a breach can help a company avoid hundreds of thousands of dollars of expenditure, plus severe reputational damage," noted Mr. Brill.

He said companies skimp on security expenditures as IT competes for dollars with other parts of the company. This, he suggested, is poor management of the risk.

"This can be a very expensive loss," Mr. Brill pointed out. "This is a case where risk mitigation, when it is combined with appropriate risk transfer, can provide senior management with what I think is a realistic and very effective solution."

A replay of the webinar is available at www.marsh.com.
