Like many people associated with the insurance sector, I've seldom had personal experience with insurance or risk management issues. There's been the occasional fender bender — not my fault, officer — but generally I've been fairly lucky.
Home insurance is just something that's wrapped with the mortgage payment, legal liability is not much more than a concept and refusing the extended warranties offered on electronic devices is just part of the routine.
For the most part, insurance and risk management issues have been a purely professional concern.
That's changed, however, with the onset of cyber risk. Because I'm a holiday shopping procrastinator, the Target breach was out in the open before I'd even started the annual grind around department stores, but I've had my fair share of problems with cyber crime.
On the hardware front, I had my iPhone snatched while riding the train home a while ago. Of course, after I paid to replace the phone, I bought insurance. Closing the barn door after the horse has bolted, I know, I know.
Perhaps more troubling, though, is the fact that I've had to cancel my credit card three times in the past year because of what I presume are cyber thieves who tried to use it to buy everything from audio-visual equipment in New Jersey to watches in Spain.
Other than the feeling of helplessness when someone accesses your personal information, such incidents may be only an irritating inconvenience for consumers, because federal law caps liability. For banks and other financial institutions, however, cyber crime can add up to colossal costs. The Target Corp. breach cost banks $10 to replace each card, according to the Consumer Bankers Association, and about 40 million credit and debit cards were affected as a result of the breach.
And that was just one, albeit sizable, breach. The long list of cyber breaches that happened over the past two months makes the Target breach seem like a distant memory.
The introduction last month of the National Institute of Standards and Technology's cyber security framework, which explicitly focuses on risk management processes, should help organizations assess their cyber weaknesses and give them a footing to build a cyber security policy.
Some critics have complained that the framework is too vague; but given that it's a public document that can give cyber security advice to both those seeking to protect data and those who are trying to steal it, such a framework can only provide so much detail.
And there's the rub: How does anyone provide widespread guidance to businesses on ways to protect data without providing a road map to the bad guys, too?
Clearly, organizations need to invest in cyber security tailored to their own circumstances, and those investments often can be expensive.
Cyber risk management seems to be a headache for all of us. And, at the moment, there's little relief in sight.