The threat environment faced by U.S. businesses is a scary one, with 237 million personal records breached in 2015 alone, according to Anthony Dagostino, executive vice president and FINEX cyber leader at Willis Towers Watson.
Dagostino moderated the "Managing Your Organization's Cyber Risk: Decoding Cyber Threats and Insurance for All Industries" panel discussion Tuesday at ALM's cyberSecure conference.
Panelists Craig Hoffman, risk manager for Wakefern Food Corp.; Ronald N. Sarian, vice president and general counsel of eHarmony; and Greg Vernaci, senior vice president and head of Cyber for U.S. and Canada financial lines at American International Group Inc. talked about the current cyber threat environment and the role of cyber liability insurance in addressing industry-specific risk exposures.
At eHarmony, the most common threat is a bot attack, Sarian said. And the company does a lot of baseline mapping so the IT department knows immediately when it's been attacked, he said.
Hoffman said he has seen a lot of phishing email recently at Wakefern Food. The company's IT group set up some fake attacks to help train employees, and Hoffman admitted that even he was caught by one of them.
When asked about the intersection of employees and cyber risk and its effect on insurance underwriting, Vernaci explained that underwriters look at the size of the company, how much data it handles, what kind of data, what industry the company is in, and how it manages its people, processes and technology. "Our focus," he said, "is how does the company think about and manage risk. Does it go from the top down?"
The clients who do this get better rates, he said.
Hoffman noted that his renewals are now more relationship driven. He's learning more about technology and cyber issues so he can work better with the underwriters.
All the panelists agreed that successful employee engagement starts with senior management and good governance. Dagostino said that people are the key part of the equation, and that many breaches are a result of human failure to implement appropriate protocols.
Read policies carefully
"Cyber is a meaningless term," Vernaci said. There are approximately 65 companies selling Cyber coverage, but there are no standard forms, terms and exclusions. Policies are really focusing on information security, he added, and coverage is evolving. He advises clients to frequently evaluate Cyber policies as their business operations and regulations change.
"Read every word of your endorsements and exclusions carefully," Sarian said. "And remember that coverage is all negotiable."
"Cyber security keeps risk managers up at night," said Hoffman. "It's important to work with your broker and outside counsel to be sure you're getting the coverage you're paying for."
"Also look at any contracts you have with a service provider," Dagostino said. "Make sure you know the terms and conditions, and confirm that you're covered in case of a cyber breach that occurs in the vendor's business."
At the end of the day, there is no one right answer, Dagostino said. Cyber coverage is a dynamic, continually evolving place.
Role of the general counsel, risk manager
The panel agreed on the roles played by the general counsel and the risk manager in developing a sound cyber security policy for their company. The general counsel has to be involved in the overall risk mitigation strategy, Sarian said, because any data breach will ultimately land on his or her desk. The general counsel's role is to:
- Determine and analyze regulatory compliance matters, state notification laws and other legal risks that need to be addressed through insurance.
- Identify third-party vendor contracts and applicable indemnification provisions.
- Work with the risk manager and broker to review insurance coverage provisions.
In the event of a cyber breach or claim, the general counsel has to work with the risk manager to ensure proper claim handling and resolution of any coverage issues that may arise.
The risk manager's role, however, is to develop a risk mitigation strategy in collaboration with other key stakeholders that includes:
- Incident response planning.
- IT security policies and procedures, and workforce culture risk.
The risk manager also must work with the legal and IT departments to identify third-party providers, their level of access and the risk they present, and to understand the contractual liability requirements and obligations for all parties.
Finally, the risk manager must work with the broker to:
- Review insurance coverages, including markets and program structures.
- Use risk quantification models to determine the probability of a cyber loss, as well as its frequency and severity.
- Ensure proper claims reporting and resolution.
© Arc, All Rights Reserved.