The Risk Manager’s Role in Mitigating Cyberrisk


With cyberrisks becoming more prevalent, organizations in every industry are faced with the increased possibility of legal exposure, reputational harm and business interruption that can wreak havoc on a company’s bottom line. As a result of the potential losses, risk managers must become more educated on matters relating to the financial impact of cyberexposures and assist corporate directors and officers in satisfying their fiduciary duties to protect the company’s assets. After identifying, qualifying and quantifying their cyberrisks, risk managers should consider the following steps to protect their organizations:

1. Implement a Cybermitigation Policy

While proactive measures to mitigate risk can be costly and time consuming, they are far less demanding than the consequences of a serious breach. Moreover, having a robust, well-documented program to monitor cyberrisks may provide favorable evidence of the company’s efforts, thus reducing liability should an incident occur.

A cybermitigation program should start with the following:

  • Implement IT security access, use and protection policies and procedures. Note that insurance underwriters will rely on third-party security assessments when conducting due diligence to quote a premium and coverage for cyberinsurance.
  • Assist legal with the contractual allocation of liability.
  • Train and monitor employees, subcontractors, third parties and others regarding such best practices. Updates to written policies and procedures, combined with ongoing training, assist in creating a culture of best practices.
  • Model the range of potential frequency and severity of losses from cyberincidents for your unique industry and entity-specific circumstances.
  • Determine the entity’s risk appetite to retain, mitigate and transfer cyberexposures compared to the entity’s overall enterprise risk management.

Capable risk management advice, combined with legal and IT security, can not only prevent or limit information security breaches, but can mitigate the most adverse consequences of such breaches.

In light of the increased significance of cybersecurity matters, it is essential that corporations develop a comprehensive program. A team consisting of IT, legal, risk management, CIO, security, human resources, product development, sales, marketing and other pertinent personnel should be involved in developing and executing the program.

Risk managers should advise their IT security department to audit and regularly review reliance on different forms of technology (e.g., computers, smartphones, tablets, USB devices) and ensure that the various uses of such technology (e.g., work, social media, personal use) are appropriately regulated in company IT and/or social media policies and guidelines.

2. Evaluate Third-Party Providers

Vendors, suppliers, consultants, IT providers and a range of other third parties have occasion to access various types of confidential corporate information. A risk assessment should be conducted for each third-party provider and, depending on the type of data being shared, additional steps should be considered to prevent security breaches. Risk managers should evaluate a range of questions, including:

  • How does the provider erect security walls between data from different customers?
  • Who will have access to the information and is encryption possible?
  • Will customers be notified that their information will be stored in a cloud?
  • Does the cloud provider have its own adequate insurance coverage (possibly requesting that your organization be named as an “additional insured”)?
  • Is some information simply too sensitive to turn over to a third party?

Third parties should, at a minimum, be expected to accept inclusion of language in which they warrant that they are in compliance with applicable laws relating to information privacy and security. Contracts should contain indemnification provisions that commit the third-party providers to indemnify you should a security or privacy breach occur.

Risk managers may discover that their organization is unaware of which vendors and suppliers have access to its confidential data, such as personally identifiable information on customers and employees, or proprietary information about the company’s products. The first step in implementing a system to manage this exposure is to identify the various suppliers and vendors and to determine precisely what type of information each third-party entity is being sent (or otherwise accessing). A robust audit is essential. These audits should examine not only the outsourced IT service providers, such as storage providers, but also any other type of third-party organization or individual who might have access to corporate data.

Risk management should consider the benefits of implementing a data breach management policy that outlines the internal corporate prevention, detection and incident response processes to be followed in response to a security breach. Such a policy could help in defending against an allegation that the company failed to take reasonable care in handling a data security breach.

3. Review Possible Coverage Under Existing Insurance Policies

While some categories of losses might be covered under standard policies, many gaps often exist. In the United States, insurers are filing declaratory judgment actions against their insureds to deny coverage for cyberexposures under property, general liability, professional liability and crime policies. Some courts are finding that these traditional policies, such as property policies, do not cover the types of intangible harm that result from data breaches. Coverage may also be denied if intentional acts are excluded from coverage.

Property, general liability, crime/bond, D&O, professional liability, and kidnap and ransom insurance may apply in the event of a cyberincident. Many breached entities and other responsible parties have been aided tremendously by their insurance policies. Business-to-business firms (predominantly technology centric) that participate in the personally identifiable information (PII) chain can blend cybercoverage into a commercial errors and omissions policy to contemplate a large percentage of the risks, but such firms continue to struggle to ensure insurability where their technology and information asset exposures evolve on a regular basis. Insurers are also denying coverage under professional liability/errors and omissions and D&O policies, with mixed outcomes in the courts.

Risk managers should work with their insurance broker to analyze such policies and determine any potential gaps in existing coverage as cyberevents have the ability to impact numerous lines of insurance coverage.

4. Consider Specific Cyberinsurance to Fill Any Obvious Gaps

Insurance specifically designed to cover the unique exposures of data privacy and security can act as a backstop to protect a business from the financial statement harm resulting from a breach. Coverage for cyberlosses generally fits into two categories, depending on the nature of the event:

  • First-party financial loss: The party that experienced the cyberevent suffers financial losses or costs associated with the event. The most commonly cited examples include costs associated with data breach response and lost income attributable to network/IT interruption.
  • Third-party financial loss: A party other than the one that experienced the cyberevent suffers financial losses or costs associated with the event. This could be a customer, business partner, employee or unrelated third party, for example through lost personally identifiable information or supply chain disruption.

Available policies can cover privacy breach notification and crisis management, regulatory defense and civil penalties, and liability resulting from a breach. Limits of more than $300 million are available, with premiums ranging from $5,000 to $50,000 per $1 million of coverage, depending upon the retention, losses, revenue, scope of business and risk mitigation employed.

The application process is becoming streamlined whereby multiple carriers will quote pricing, terms and conditions based on one common application. However, it is well advised to develop a comprehensive list of specific priority coverage grants and dictate such requests to the insurance carriers in the form of a submission priority coverage matrix. Policy wording is paramount to successful coverage.

Some policies include first-party network business interruption – to cover loss of revenue during network interruption; information asset – to cover restoration costs or loss of value associated with electronic data; cyberextortion – to pay an extortion demand if doing so successfully wards off a cyberevent; and contingent business interruption – to cover loss of revenue during the downtime of a critical outsourced IT provider (e.g., cloud services).

Given the exposures and constantly evolving risks associated with cyberevents that could cripple companies, industries and critical infrastructures, prudent insureds should review their insurance program with their insurance broker and seek out professionals who understand the cyberinsurance market before those catastrophic events take place. Organizations must understand the insurance coverage they have and, just as importantly, understand what cyberinsurance coverage they deliberately decided not to purchase. A good risk manager can help the organization understand the options and alternatives for cyberinsurance, thereby giving the insured the proper information to make an educated decision as to what type and how much insurance will be in place for the next big cyberattack.

Kevin P. Kalinich

About the Author

Kevin P. Kalinich, J.D., is global leader of Aon Risk Solutions’ cyber practice.


1 Comment

  • A very well written, detailed and thought-provoking post Kevin. I don't think many are aware of the extent of damage that can be caused by cyberrisks. I agree that implementing a Cybermitigation policy is an important first step, but is it a realistic option for small or new businesses? It can be extremely costly and they may struggle. Also, trying to figure out how much cyberinsurance coverage is needed is easier said than done. You cannot predict the risks and so you are bound to decline purchasing full cover. The points you have made are valid however. All companies should invest an adequate amount of time in risk assessment.