Custom-built cyber policies deliver best protection
Before obtaining cyber insurance coverage, risk managers should conduct a risk assessment, find out where the gaps in coverage are, look at their different policies, find any shortcomings and “tailor the cyber policy to fill those gaps,” says a risk manager.
Timothy J. Flaherty, Pittsburgh-based manager of insurance risk management at Alcoa Inc., spoke at a session on advancements in cyber risk insurance Tuesday at the Risk & Insurance Management Society Inc.'s annual conference in New Orleans.
Face-to-face meetings with insurers are critical, and the topic of cyber exposures should be introduced to senior management. “Keeping them involved is critical,” Mr. Flaherty said of senior management.
Another key item risk managers should get involved with is the retroactive date on their cyber policies, which can sometimes be obtained for as long as two years, he said.
Risk managers should also check with their corporate development team “to be sure if a potential acquisition is out there,” Mr. Flaherty said. The issue is how the acquisition's policies align with your own, he said.
In addition, make sure the cyber policy “fills the gaps for any other policies you have in your risk management programs,” Mr. Flaherty said.
Mr. Flaherty warned about the length of time negotiating a cyber policy can take. “This can be very protracted,” he said. In Alcoa's case, the company's first cyber policy, which was obtained a year ago, took eight months from the time its purchase was first considered to the time it was bound, Mr. Flaherty said.
Also speaking at the session was Roberta D. Anderson, a partner with law firm K&L Gates L.L.P. in Pittsburgh. The largest breaches that have been reported so far have “certain similarities,” including the human element, which is “so difficult to control,” Ms. Anderson said.
Yet another issue is vendors, whom hackers use to penetrate larger client companies. The cyber policy should “respond to the reality of that risk,” said Ms. Anderson.
It is important that firms' cyber policies respond to the regulatory and legal framework as well, said Ms. Anderson. She also recommended the cyber framework proposed by the Gaithersburg, Maryland-based National Institute of Standards and Technology.
The NIST framework “is a really good vehicle for companies to get a good handle on the current state of cyber risk management,” said Ms. Anderson. Although the framework is directed at critical infrastructure, and is voluntary, “I think it's going to become a de facto standard for risk management,” she said.
Ms. Anderson also pointed to interest in the area of cyber by the U.S. Securities and Exchange Commission, the Federal Trade Commission and the Federal Communications Commission.
“One of the things the SEC is asking about, and asking a lot, is whether you have cyber insurance,” Ms. Anderson said.