Risk managers recall first time buying cyber coverPosted On: Apr. 15, 2016 12:00 AM CST
The road to obtaining cyber insurance for the first time can be a long and arduous one, risk managers say.
“It was a daunting, overwhelming process,” said Donna Stone, Houston-based director of insurance risk management at GDF Suez Energy North America Inc.
“It took us a long time to get out of denial” and realize the need for a policy, she said.
The Paris-based energy firm initially was concerned about operational risk, but then came the realization that it also had personal employee data such as driving and health records.
In all, she said during the Risk & Insurance Management Society Inc.'s annual conference in San Diego, it was a two-year process to determine the need for cyber cover.
She said the attitude of the company's board of directors was, “We don't know what we're buying, but we're too afraid not to buy, so let's do that.”
The policy was renewed this year, which required the participation human resources, regulatory compliance and communications arms of GDF Suez Energy, she said.
“We're still learning as we go,” Ms. Stone said.
“It's a long process the first time” said Timothy J. Flaherty, manager of insurance risk management at Pittsburgh-based Alcoa Inc. One challenge, he said, is that insurers' offerings are different and “it's very time consuming” to compare them.
Risk managers must conduct a gap analysis and work with their brokers he said. When it comes to the first time of getting cyber coverage, “underwriters want to understand how you're protecting yourself,” which cannot be accomplished by sending an email or flash drive, he said.
This information is “kind of the crown jewels,” he said. In Alcoa's case, the company's chief security officer personally handed over the required information to its broker.
“Make sure you know exactly who's getting the information and track that. Keep the spreadsheet on who has it,” Mr. Flaherty recommended.
Obviously, senior management needs to be involved, which he said is “critical, especially when it comes to limits and retentions” decisions.