Risk Insider: Carol Zacharias

Cyber Directors: Greater Expertise, Greater Liabilities?

October 17, 2016 • 2 min read
Carol Zacharias is underwriting counsel to QBE North America, a multinational insurer. She has a master's degree in corporate law from New York University School of Law.

The World Economic Forum places cyber security ahead of terrorism as one of the top 10 economic threats to 140 countries. Cyber security risk in the corporate arena is the responsibility of the board.

As noted by the commissioner of the SEC, “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.”

Boards have taken up the charge. Cyber security has moved from 11th place to third place on board agendas according to the Lloyd’s of London “Biennial Risk Index” of 2011 and 2013.  The increased spending on cyber security protection by companies further supports this trend.

According to Gartner Inc., companies spent $86 billion on protection efforts in 2015, which reflects an 18 percent increase from the prior year, and are expected to spend $94 billion in 2016.

Expertise

The issue becomes, how can a board address cyber risk complexities and meet its duty of care?

Congress proposes mandating cyber experience on boards. The Cybersecurity Disclosure Act of 2015 requires that public companies disclose whether the company has a director with cyber security experience or expertise, or disclose what cyber security steps it has taken that mitigate against acquiring board expertise.

At the same time, boards today are addressing cyber risk in one of several different ways.

Some address cyber security as a plenary board, receiving reports, engaging in discussions and making critical decisions as a whole. This can prove challenging due to the paucity of time at a board meeting and lack of board level cyber expertise.

Alternatively, boards may delegate cyber risk management to established audit committees. A committee forum provides greater time for analysis and expert consultation. However, audit committees are more likely to have financial rather than cyber expertise, and are more attuned to financial rather than technology and innovation issues.

Other boards create a cyber security committee or seek to add a cyber expert to the board itself. Either way, the board is seeking greater cyber expertise and experience at the board level.

Liability 

The issue becomes whether the cyber expert director has a higher risk of liability than fellow directors. Will the cyber expert-director be held to a higher standard of care regarding cyber risk management?

All corporate directors owe a fiduciary duty of care to the company and its shareholders. In executing their duty of care, the director must act in a manner that a reasonably prudent person would act under the circumstances.  A reasonable person means one with the expertise of the director in question. If a director has a particular expertise, skill or experience, they are expected to apply it.

Accordingly, the cyber expert-director could be held to a higher standard of care and diligence in reviewing cyber-related matters than a director without cyber expertise.

While no director can turn a blind eye to negligence, and while all directors must act with diligence and care in addressing cyber matters, the cyber expert-director will tenably be expected to act in a manner that a reasonably prudent cyber expert would act under the circumstances, conducting a diligent technical review and evaluation of cyber matters that a director without cyber expertise could not undertake.

More from Risk & Insurance


Risk Management

The Profession

Maila Aganon is the personification of the American dream. The vice president of treasury and risk for Caesars Entertainment Corp. immigrated from the Philippines and worked her way to the top.
October 12, 2017 • 4 min read


R&I: What was your first job?

I actually had three first jobs at the same time at the age of 16. I worked as a cashier in a fast-food restaurant, a bank teller and a debt collector for an immigration law firm.

R&I: Who is your mentor and why?

I have a few. The first one would be the first risk manager I reported to. He taught me the technical part of the job, risk financing, captives and insurance. I am also privileged to be mentored by Lori Goltermann (CEO of U.S. Retail for Aon Risk Solutions).  From her I learned to be resilient and optimize life/work balance. Then of course I also have a circle of ladies at work who I lean in to!

R&I: How did you come to work in this industry?

I was once a bank teller and had a client who was an insurance agent. He would come in every day to make deposits. One day, he offered me a job. He said, “How would you like to have your own desk, your own phone and your own computer?” And I said, “When do I start?” I worked for this personal lines insurance company for six years.

R&I: Did you take to it immediately?

Yes, I did sales, claims and insurance accounting. I left for a couple years and that is when AAA came calling, which was my first introduction to risk management. I didn’t know there was such a thing as commercial insurance. They called me and the pitch was “how would you like to run a captive insurance company?”

R&I: What have you accomplished that you are proudest of?

It is not so much the job but I say that I am the true product of the American Dream. I came to the U.S. when I was 16. I worked three jobs because I didn’t want to go to high school. (She’d already graduated high school in the Philippines.) I spoke very little English, and due to hard work, grit and a great smile I’m now here working with all of you!

R&I: What is your favorite book or movie?

In movies, it is a toss-up between Gone with the Wind and Big Daddy.

R&I: What is your favorite drink?

I like anything sweet. If you liquify a dessert that’s my perfect drink.

R&I: What is the most unusual/interesting place you have ever visited?

This is easy because I just got back from Barcelona on a side trip. I visited the Montserrat Monastery, which is a thousand-year old monastery. It was raining and foggy. I hiked for three hours and I didn’t see a single soul. It was a very peaceful place.

R&I: What is the riskiest activity you ever engaged in?

This is going back to working at a fast food chain when I was young. I worked in a very undesirable location in San Francisco. At 16 I used to negotiate with gang members so they wouldn’t rob me during my shift. I had to give them chicken so they wouldn’t rob me.

Maila Aganon, VP, Treasury and Risk, Caesars Entertainment Corp.

R&I: If the world has a modern hero, who is it and why? 

I can’t say me. They have to be my kids Kyle and Hailey. They can make me laugh and cry within a half-minute of each other. Kyle is 10, a perfect Mama’s boy. Hailey is seven going on 18.

R&I: What about this work do you find the most fulfilling or rewarding?

I think the most fulfilling part is how you build relationships with people and then after a while they become your friends.

R&I: What is the risk management community doing right?

Risk managers do a great job of networking. They are number one. Which is not a surprise because the pillar of our work is building a relationship with underwriters, clients and brokers.

R&I: What could the risk management community be doing a better job of? 

I am experiencing that right now: talent. We need to do a better job in attracting and retaining talent. Nobody knows about what we do. You tell someone ‘I’m a risk manager’ and they give you a blank look. What does that mean?

We’re great marketers and we should use this skill set in attracting talent. We should engage our universities, our communities, even our yoga groups and talk to them about the exciting world of risk. It is an exciting career because there is nothing like it.

R&I: What emerging commercial risk most concerns you? 

It would have to be the increasing cyber risk and the interdependency of systems.

R&I: What does your family think you do? 

I took my seven year old daughter once to an insurance event that had live music, dancing and drinks. She thinks that whenever I go to an insurance meeting, I’m heading to a party.




Katie Siegel is an associate editor at Risk & Insurance®.