Risks multiply as computer use expands

NEW YORK—Risk managers must address an array of cyber threats, according to a presentation at the Business Insurance Risk Management Summit in New York.

Leslie Lamb, global risk manager at Cisco Systems Inc., said risk is rising as people's computer and Internet usage increases. Meanwhile, malicious behavior against corporate computer systems also is on the rise.

For example, she cited In re: Hannaford Bros. Co. Customer Data Security Breach Litigation, a lawsuit that stemmed from thieves breaking into the supermarket's computer system and stealing information, including customers' credit card numbers. More than 4 million records were exposed.

A group of plaintiffs sued in 2008 and alleged that Hannaford Bros. failed to protect cardholder data. However, a federal judge ruled that without any actual and substantial loss of money, consumers could not seek damages.

“We have to look at how we'll continue to protect ourselves,” Ms. Lamb said. Threats can range from lost laptops to information improperly tossed into dumpsters, she said. The easiest path for a thief to access a network is by way of a work station or user, she said.

Ms. Lamb advises risk managers to assess the likelihood and potential impact of threats to their companies such as website copyright infringement claims, regulatory fines or loss of revenue due to an attack. She said they should consider how much liability exposure their company has in the event of a breach.

To address such threats, she said companies can hold educational forums with their staff to discuss online security. She also said companies can establish cross-functional teams involving the legal department, human resources and enterprise risk management so they get into the habit of discussing risk regularly. Security “requires a collaborative approach,” Ms. Lamb said.

She said collaborating well with service providers also is important. Before signing agreements, risk managers need to obtain detailed information about what data a service provider has, how it uses the information and what it does to protect it. Agreements should state clearly each party's responsibilities and which party would pay the associated costs should a data breach occur. With some providers, an audit of the arrangement by an independent party may be prudent, Ms. Lamb said.

Insurance is available for employee-related theft or third-party unauthorized access to private information, regulatory compliance costs such as credit monitoring services for affected customers, transmission of viruses to third-party computers and systems, network business interruption, and expenses associated with a threat directed at the company to release confidential information, among other things.

But contract agreements can get tricky. A member of the audience pointed out that service providers may agree to compensate a company for losses, but sometimes the fine print in contracts limits their liability to the first two months of service.

Ms. Lamb recommended giving security risks separate and careful treatment in contract agreements, and using specific language to get the maximum protection possible.

Audrey Rampinelli, vp of risk management at Loews Corp., moderated the session.