It’s official—cybersecurity is now a top-ranked risk at the board level, according to the “Lloyds Risk Index 2013.” This should make digital risk a focus of senior corporate management.
Those managing corporate risk should leverage the emerging cyber insurance market, which is rapidly growing and evolving. But they should do so methodically, after gaining an understanding of the company’s security controls and individual risk profile. In the rush to buy cyber insurance, companies may too often fail to appreciate the strengths and weaknesses in their security controls, their risks and exposures, and the coverage they need.
While a variety of potential approaches exist for assessing cybersecurity requirements, this article discusses one method to help you understand your company’s risks and exposures, and how that knowledge can be used to choose the security and risk transfer strategy that most appropriately fits your needs.
Start with an evaluation of the company’s high-value data and IT system risks. First, talk with the business unit leaders—in plain English—about “The Rules and The Jewels” that exist in their respective business lines:
Second, identify threats to the IT system that are not necessarily motivated by financial gain, but seek to disrupt the operations of the company or its customers. To do so, talk with the company’s IT department, along with security, privacy and other network professionals.
Next, quantify the probable losses that the company could suffer because of a high-value data loss or system disruption. Through discussions with the relevant company personnel (IT, security and privacy, business unit leaders, risk management, legal and finance), record the following for each potential event:
Then calculate the probable loss that each potential event may cause the company.
Once you know the company’s risks and exposures, analyze its existing security controls and make informed decisions about allocation of scarce investment dollars. If high-value data presents a particularly high exposure—as credit card and personally identifiable information does to a national retail chain—the company can invest in additional security controls to protect that high-value data. If a network disruption would cause large business interruption losses to the company or its customers, the company can focus its investments in that direction.
This process also can allow you to identify the strengths and weaknesses of the company’s security controls, which you can use to adjust the probable loss estimates.
Armed with the knowledge about the company’s systems and risks, you will be able to develop the company’s risk-transfer strategy. Consider the company’s two basic risk-transfer options—indemnity agreements and insurance.
Consider whether the company can require its vendors to indemnify it against cyber exposures. If it is possible, closely scrutinize the protection any such agreement actually will give the company. While the indemnitor might be able to protect the company against a small-scale event, the indemnitor might not be able to do so if many of its customers are affected by a large event. Consider whether the indemnitor has:
Cyber insurance policies offer a variety of coverages, some of which can provide the company more useful protection than others. Now that you understand the company’s risks and exposures in light of the analysis above, identify those coverages that are vital to the company and evaluate the proposed policy language to help ensure that the coverage is as broad as necessary.
The cyber insurance market is growing—currently there is no one standard policy form, and there is virtually no case law interpreting the various insurers’ forms. Ambiguities abound, but insurers often are willing to negotiate over and modify the policy’s terms.
Several examples of language issues:
Finally, consider the coverage limits that the company needs. Insureds commonly select limits based on a rudimentary “benchmarking” basis, comparing the limits that their peers have purchased in the past. This may not necessarily yield the limits that fit the company’s unique risk profile. Instead, consider using the information gleaned from the analysis above to evaluate the size of potential losses and claims that could be associated with any one event and select limits that sufficiently protect the company.
The analysis described above can lead directly into the preparation of an incident response plan. This plan should define—before an event—who will be responsible for the response, as well as processes for insurance reporting, consumer notification, containment and recovery, root cause analysis, communications and litigation defense.
Your pre-loss work can prepare the company to respond to future loss events. When a loss occurs, the company already will have developed an incident response plan, as well as a clear understanding of its IT system and security controls, its personnel’s capabilities and responsibilities, its vendors and customers, its exposures and its insurance coverage. It should be prepared to effectively and efficiently respond to a cyber event.
Tyler Gerking is an insurance coverage partner in Farella Braun + Martel’s San Francisco office. Mark Massey is a principal in Deloitte Financial Advisory Service’s San Jose office. They can be reached at firstname.lastname@example.org and email@example.com.