Risk managers' expertise valuable in cyber risk efforts
Most risk managers might not be information technology experts, but they can effectively manage cyber risks by applying their expertise in such areas as contract risks, assessing the value of exposures and communicating the potential impact of exposures across their organizations.
“I'm not an IT expert,” said Lee Garvin, director of risk management at JetBlue Airways Corp. in Forest Hills, N.Y. “But what I do see are the contracts, and that's the place that we can do our best to protect our companies, in my opinion.”
As companies outsource more and more IT and data processing tasks, a vendor might offer just the technology solution your company is looking for, Mr. Garvin said. But it's important to consider what they are providing in terms of both data security and indemnification for losses resulting from any service interruptions or data breaches.
“Some of the products that are out there are absolutely fantastic, but what are they backed up with?” he asked. “How much is the indemnity that's in the contract really worth to you?”
As privacy rules continue to emerge at the state and federal levels, cyber risk management is becoming an increasingly important topic for risk managers and their superiors, said Jim Whetstone, senior vp and U.S. technology and privacy manager for Hiscox Specialty in Chicago. “Hacking events have a much more material effect on the company than they did in the past,” he said.
“In the past you could argue that maybe there was a reputational risk,” Mr. Whetstone said. “Now risk managers can say there's a direct cost of these events.”
Citing as an example last year's California Supreme Court ruling in Pineda vs. Williams-Sonoma Stores Inc., which held that ZIP codes can be considered personally identifiable information in certain cases, Scott N. Godes, of counsel in the insurance coverage practice at Dickstein Shapiro L.L.P. in Washington, said: “It's really quite a changing time in terms of what's out there in terms of risks and what companies' potential risks and liabilities might be.”
“We now have 46 states with data breach notification statutes. There's pending legislation in Congress,” Mr. Godes said. In addition, the U.S. Securities and Exchange Commission has produced cyber security disclosure guidance requiring publicly traded companies to disclose their cyber risks to investors and making those companies' boards responsible for assessing their exposures and taking appropriate steps to address them, he said.
“Because of the ongoing changes, it's certainly something companies need to be paying attention to,” he said.
Mr. Garvin said it's important that the risk manager advise others in the organization about possible exposures as they outsource IT services, educating leaders in such areas as supply chain and procurement, as well as those in the information technology department, about the potential exposures and the need to seek indemnification from vendors.
“In the end they might not want to do it, but at least you've let them know what's going on,” he said.
As the company seeks those outside partners, “I come up with contractual wording that I've worked out with my brokers and we tell people this is what we want in our RFP,” Mr. Garvin said.
“From a risk manager's perspective the insurance is just one avenue,” Mr. Whetstone said. “They need to be talking not only to the IT department but to legal about how to address some of these issues in contracts.”
The other people the risk manager should involve in the discussion about cyber exposures vary by organization, he said. “I've been in meetings where a company has brought a dozen or more individuals from various departments, and they've all had something to share,” Mr. Whetstone said.
Meanwhile, a knowledgeable risk manager can help other areas of the company address potential cyber exposures.
“The more the risk manager knows about this, the more they may be able to help,” he said. For example, the IT department might say it can't afford to encrypt every laptop. But, by citing the potential costs of dealing with a data breach if a laptop is stolen, the risk manager can help make the case for the funds needed for encryption tools.
“I feel confident that we have people looking at this stuff,” said JetBlue's Mr. Garvin. But, he conceded, with cyber risks, “I don't think you can ever say you're great, because somebody will find a way in. A lot of this stuff—it can happen to anybody.”
In 2011, for example, JetBlue notified employees that their personal information had been compromised by malware, though no evidence was found that the hackers ever actually got access to files with personal information.
Taking the right approach to managing cyber risks can help a company obtain favorable coverage terms, experts say. While acknowledging the losses his company has experienced, Mr. Garvin said, “Because of the approach that we take I think that might make the underwriter more apt to write us, and I do think we have favorable terms.”
“There are factors that play into it that make us more comfortable with the risk than otherwise,” said Mr. Whetstone. “Do they have somebody in the organization who owns these issues? Do they have a risk manager who understands these problems?”
According to one cyber risk insurance expert, there are three basic areas risk managers should consider first as they look to address their organizations' cyber liability exposures.
If a risk manager has addressed what he or she sees as the three primary legs of managing cyber exposures, the task of obtaining adequate cyber risk coverage is made considerably easier, said Jennifer G. Smith, vp in the global technology and privacy practice with Lockton Cos. L.L.C., Washington.
“If you complete the three-ring circus, you're actually going to have better premiums…and better terms,” she said.
Ms. Smith said the best cyber risk policies she's seen have been heavily manuscripted “with really up-to-date terms and conditions.”
The first step for risk managers is to identify their organization's relevant internal documents. “Take a look at the one or two most applicable information security standards to their organization,” she said.
In most cases, two of those will prove to be ISO 27001 and ISO 27002. Part of a family of information technology security standards published by the International Organization for Standardization, ISO 27001 focuses on risk assessment, while ISO 27002 focuses on best-practice recommendations for information security management.
Within their organizations, risk managers also should be able to find some kind of information security policies and practices manual.
The second step is for the risk manager to identify the relevant internal stakeholders, she said. “It's really important for risk managers to know who in their organization is responsible for what in terms of IT,” she said. “It's usually legal, it's usually IT or information security, it's usually somebody in finance, somebody in risk management and, in bigger organizations, someone in compliance or audit.”
The third step is to identify external resources, according to Ms. Smith. “Know what you've already got in the way of outside counsel if you have it,” she said. A risk manager also should identify existing outside support the organization might have in such areas as forensic computer investigation and breach notification providers.
“If you've done one, two and three, the fourth is a breeze,” Ms. Smith said. “That's insurance.”
This story is from the March 19, 2012, issue of the weekly print edition of Business Insurance, a special theme issue featuring an in-depth look at how organizations can protect themselves against cyber risks.