Printed from BusinessInsurance.com

Future threats grounded in past

Posted On: Apr. 24, 2016 12:00 AM CST

SAN DIEGO — Risk managers should be sure their cyber insurance policies include retroactive provisions.

It is “super important” that cyber policies provide this coverage, said Christopher Liu, head of cyber for financial institutions at American International Group Inc., in noting it takes roughly 200 days before a cyber breach is discovered.

In theory, a breach could have occurred five or 10 years ago, with the firm “only discovering it today,” he said.

AIG, he said, is happy in such cases to pay for the forensic analysis and other costs associated with such a breach.

“We're just not going to pick up the legal liability” or regulatory liability associated with such breaches that occurred in the past, he said.

Roberta Anderson, a partner at K&L Gates L.L.P. in Pittsburgh, told attendees at the Risk & Insurance Management Society Inc.'s annual conference that she has never placed a cyber policy with a retroactive date of less than a year.

Cyber coverage also is a consideration in mergers and acquisitions, said Timothy J. Flaherty, Alcoa Inc.'s Pittsburgh-based manager of insurance risk management.

“If you acquire somebody, you want to make sure that you understand whom you're buying,” he said. “You really can't do a deep dive” into security before completion of the deal, but should use an external provider to do a thorough check as soon as possible, he said.

“You'll find out quickly where your weaknesses are,” Mr. Flaherty said. Before integrating the systems of an acquired company, “you have to make sure you stop and understand what you're bringing in.”

Underwriters also have changed how they handle the underwriting process, Mr. Liu said. Whereas AIG once had a 100-page questionnaire and conducted on-site visits, now “we're down to 10 questions” that address about 50 points of cyber coverage, he said. “It's basically sort of a first pass.”

One factor of interest to AIG is whether firms have someone with technical expertise on their board, he said.

Another issue for the industry is the amount of cyber exposure in insurers' portfolios, said Ben Beeson, Washington-based cyber risk practice leader at Lockton Cos. L.L.C. “There's coverage in other policies” aside from in cyber policies, he said.

Modeling cyber risk also is a major challenge, he said.

“There's a massive demand for this risk and limited supply today,” in addition to limited actuarial data, Mr. Beeson said.

“It's a static process with a very dynamic risk,” with new attack vectors appearing frequently, he said.

He suggested companies use the voluntary framework for improving critical infrastructure cyber security recommended by the Gaithersburg, Maryland-based National Institute of Standards and Technology.

“It's one of the better things the government has done,” Mr. Beeson said.

The road to obtaining cyber insurance for the first time can be a long and arduous one, risk managers said.

“It was a daunting, overwhelming process,” said Donna Stone, Houston-based director of insurance risk management at GDF Suez Energy North America Inc. “It took us a long time to get out of denial” and realize the need for a policy.

The Paris-based energy firm initially was concerned about operational risk, but then came to the realization that it also had personal employee data such as driving and health records.

In all, she said, it was a two-year process to purchase the coverage. The policy was renewed this year, which required the participation of the human resources, regulatory compliance and communications arms of GDF Suez Energy, she said.

“We're still learning as we go,” Ms. Stone said.

“It's a long process the first time,” said Mr. Flaherty.

No easy comparisons

One challenge, he said, is that the coverage varies from insurer to insurer, and “it's very time-consuming” to compare them. Risk managers also must conduct a gap analysis and work with their brokers, taking into account other coverage that the company has, including directors and officers liability insurance.

When it comes to getting cyber insurance coverage for the first time, he said, “underwriters want to understand how you're protecting yourself,” which cannot be accomplished by sending an email or flash drive.

This information is “kind of the crown jewels,” he said. In Alcoa's case, the company's chief security officer personally handed over the required information to its broker.

“Make sure you know exactly who's getting the information and track that. Keep the spreadsheet on who has it,” Mr. Flaherty recommended.

Obviously, it is important that senior management also becomes involved in this process, he said. “It's critical, especially when it comes to limits and retentions.”