Q&A: Ben Beeson, Lockton Cos. L.L.C.

The highly publicized theft of consumer data from retail giants Target Corp. and The Home Depot Inc., as well as the leak of personal photos stored on Apple Inc.'s iCloud service, has brought new attention to the issue of cyber risk. In a recent conversation with Business Insurance Associate Editor Bill Kenealy, Ben Beeson, Washington-based vice president of cyber security and privacy at Lockton Cos. L.L.C., discusses how companies can best gird themselves against cyber risks. Edited excerpts follow.

Q: How have recent events altered people's perceptions about cyber risk?

A: I think we've moved from thinking that this was about prevention to thinking this was about being resilient to cyber risk. The message of the last few months is that anybody can be hit. I should stress that this does not mean that you should not do anything, because there are a lot of things you can do to help make it harder for bad guys to get in and search for easier targets. Nonetheless, companies should now expect hackers to be in networks, so the question now becomes what you are going to do about it.

Q: How well do the cyber policies available on the market match the actual risks companies are facing?

A: The insurance market has actually done a good job in dealing with cyber security. When you look at the events Target went through and Home Depot is now going through, the market can address those risks and the associated financial effects, such as data breach response costs and liability for class actions. We now know that Target had $100 million worth of insurance and has likely blown right through that. There are certainly other areas of cyber risk that have either yet to be addressed or there are some solutions starting to emerge.

Q: Given this, should companies prioritize risk transfer over risk mitigation?

A: No. Risk mitigation comes first, and insurance comes second. However, insurance is playing a much larger role because no matter how much you mitigate this risk, you can't make it go away.

Q: What are best practices when it comes to mitigation?

A: The most sophisticated companies are employing a defense-in-depth strategy in their information technology departments. It involves multiple layers of defense including firewalls, intrusion detection systems, antivirus software and encryption.

Unfortunately, now even this is not enough, so security has to change. You now have to understand who is trying to attack you and what they want. So you have to strategically base your security decisions and align them with what your business wants to do.

You need the most resources around your critical assets. Security has to become dynamic. Likewise, insurers will need to adopt a more dynamic underwriting approach, and they will want to see these dynamic measures in place before assuming the risk.

Q: Would it be safe to say that this is an inflection point in the cyber insurance market?

A: Absolutely. In the wake of Home Depot, we may see an entrenchment in the market in terms of capacity and coverage. Going forward, if you have a point-of-sale system that isn't properly locked down, I could foresee many insurers not wanting to cover that.
