Cyber risk management requires range of experts
SAN FRANCISCO — Effectively addressing cyber risk requires close collaboration among companies' internal units as well as cooperation between industry sectors and with the government.
Craig Maccubbin, vice president and chief technology officer of Dallas-based Southwest Airlines Co., was a key participant when the airline bound its first cyber insurance in 2014.
“I felt that the insurance for cyber coverage was so important that I wanted to be involved personally. I wanted to make sure the risk team had all the support it needed and accurately conveyed what was going on,” said Mr. Maccubbin.
“Craig's involvement almost had an immeasurable impact on the initial placement, and probably on the renewal even more so,” said Lauri L. Floresca, senior vice president and a partner at Woodruff Sawyer & Co. in San Francisco and Southwest's insurance broker.
While some underwriters ask “deep technological questions” about the systems you are using, “others are much more focused on people and processes,” so “having people who can speak to both audiences is very useful,” Ms. Floresca said during Business Insurance's Cyber Risk Summit last month in San Francisco.
Some network security people do not have a “business presence,” she said. But Mr. Maccubbin presents to Southwest's board regularly. He “understands business objectives, but can also get in-depth with underwriters,” she said.
Find a senior company leader with technical expertise and develop a good rapport with them, said Kristy M. Harris, Southwest's manager of corporate insurance.
Several years ago technical experts considered it “almost insulting” for risk managers to be involved in buying cyber insurance. But in light of major data breaches since then, there is “now more humility” among technical experts, Ms. Floresca said. “I think there's an acknowledgment that nobody is 100% secure, and that risk management is totally reasonable.”
Internal communications also have a governance dimension, speakers said.
Scott Corzine, managing director at New York-based FTI Consulting Inc., said if companies have a chief information security officer, the question is, “Where does that person ideally report?”
Traditionally, it's the chief information officer, but that is the “worst place to do it” because the CIO's job is efficiency, while “the job of the (chief information security officer) is to put a governor on the engine,” he said.
Jody R. Westby, CEO of Washington-based cyber risk consultant Global Cyber Risk P.L.C., agreed the chief information security officer should not report to the chief information officer. Among other issues, the chief information officer determines the chief information security officer's budget.
Information should be shared between companies and the government, said M.K. Palmore, assistant special agent in charge of the San Francisco FBI office.
“There does seem to be some movement towards getting some sort of legislation for data sharing” in Congress, said Mark Humphreys, vice president of litigation and risk management at Santa Monica, California-based real estate development and investment firm Watt Cos.
The “conversation is ongoing, but I would say it's really at a rudimentary phase,” said Catherine A. Mulligan, senior vice president of special products at Zurich North America.
Different constituencies across and outside the organization need to communicate, said John Farley, New York-based vice president and practice leader of cyber risk management services at Hub International Ltd.
“You need a lot of back and forth” where people are “constantly talking to one another,” he said.