Cyber Risks

Putting a Price On Cyber Risk

Most boards of directors are not reviewing insurance coverage for cyber-related risks.
By: John D. Dempsey and Jody R. Westby | October 1, 2013

To engage senior executives and boards of directors in cyber security issues, risk managers must equate cyber risks with direct impact to business operations and the bottom line.

As cyber threats become more sophisticated, risk managers and the organizations they serve face significant challenges in understanding and managing the evolving exposures.

Cyber criminals today are targeting high-value intellectual property and confidential data, and are exploiting web applications, mobile devices and social media sites to reach their desired targets. They operate in stealth mode, and their presence is increasingly hard to detect.

Trustwave’s 2013 Global Security Report revealed that attacks on e-commerce sites accounted for 48 percent of all investigations. The report also indicated that the detection of attacks is not immediate: 64 percent of the organizations attacked took more than 90 days to detect an intrusion and the average detection time was 210 days.

Additionally, nearly two-thirds of the investigations indicated that when a third party was responsible for system support, development or maintenance, it introduced security vulnerabilities that were exploited by hackers.

Today, every company is vulnerable. Cyber risks have increased with outsourcing and clouds, the vast amount of data available, and the use of personal devices for corporate business. The responsibility for managing cyber risks, however, extends beyond the risk manager and IT department. Cyber risks are an enterprise issue that must be managed throughout the organization, including top management and the board of directors.

Cyber Risks Require Governance

Boards and senior executives, however, aren’t adequately engaged in the management of cyber risks. According to the 2012 CyLab Governance of Enterprise Security Report, boards and senior executives aren’t involved in the risk management of privacy and security or focused on activities that represent effective governance in this area. For example, 57 percent of the respondents (from the Forbes Global 2000 list) indicated that their boards were not reviewing insurance coverage for cyber-related risks.

In large part, they don’t know how to exercise appropriate governance over the privacy and security of their digital assets. The four primary challenges are organizational and informational:

* Knowledge. Most boards and executives don’t understand their organization’s cyber vulnerabilities and their roles and responsibilities in effectively governing these risks, and they don’t have adequate informational flows established to keep them apprised of their organization’s security profile.

* Access. Most risk managers aren’t closely linked to their IT departments. They don’t have adequate information about cyber risks, and aren’t equipped to manage technology risks.

* Communication. Most CIOs and CISOs (chief information security officers) don’t know how to effectively communicate with the C-suite (much less the board) to get their attention and assistance on cyber security matters.

* Prioritization. Risk managers and senior executives have not endeavored to quantify the financial impact of potential cyber events, and are therefore unable to prioritize mitigation spending or establish proper limits of liability on cyber liability insurance programs.

The connection between the lack of governance and insurance should not be ignored. Most boards regularly review their insurance coverage and risk profile. So why is cyber neglected? Senior executives and boards may not have been engaged on cyber security issues because they haven’t been able to equate cyber risks with direct impact to business operations and the bottom line.

Getting Attention at the Top

Risk managers play an important role in bringing cyber risks to the attention of senior management and coordinating resources to assess and mitigate cyber exposures. The key may lie in the risk manager’s ability to translate all risks, including those involving cyber, into financial numbers that can be used by executives and boards to set strategies, allocate funding and integrate the issue into corporate planning and financial management. Valuations associated with business interruptions and exposures associated with cyber risks enable executives to incorporate cyber considerations into their decision-making processes, including appropriate insurance coverage.

Experience-based methodologies can help management better understand, manage and quantify cyber risk exposures. Risk managers need to work with IT and security personnel to establish a baseline assessment of an organization’s cyber exposures and vulnerabilities, and to use that for a comprehensive analysis and quantification of the financial consequences of first-party and third-party loss exposures. This process requires significant expertise in security risks, cross-functional capabilities, and loss and exposure assessment.

Effective cyber risk valuations should encompass assessments of the following:

* Risks associated with IT architecture and privacy and security programs.

* Cyber-related business interruption and supply chain risks.

* Business impacts resulting from the loss, disclosure or sabotage of intellectual property and/or confidential information.

* Loss potential from breaches of personally identifiable information.

* Cyber risks associated with third-party providers.

* Reputational impacts of cyber incidents.

* Response costs of forensic investigations, malware eradication, and system clean-up.

* First- and third-party loss exposures.

A cyber risk assessment that is translated into business interruption valuations provides quantifiable information that boards and senior executives need to allocate resources for the effective management of cyber exposures. Armed with this information, and with the backing of leadership, risk managers can collaborate with finance, IT, operations, marketing, HR and individual business units to ensure that appropriate cyber risk mitigation strategies and effective emergency response and business continuity plans are developed. Moreover, the process also establishes factual input that helps an organization determine what cyber insurance coverage it needs and what levels of coverage are appropriate.

Often, however, these exercises aren’t undertaken prior to a cyber incident. Nevertheless, such a process is useful in helping establish appropriate limits of liability and establishing a basis for claims.

Post-Event Loss

Cyber evaluations and risk quantifications are equally valuable after a cyber event occurs. In many cases, an assessment/valuation process can be useful in assessing what happened, determining the cost of appropriate investigative and response measures, and helping establish appropriate limits of liability and a basis for claims.

Post-event assessments provide an excellent financial basis for informing boards and senior executives of IT and security issues, and providing a justification for executive attention to digital threats. In many cases, assessment and valuation expertise is needed to support claim preparation.

A cyber incident can spill into numerous business operations and create the kind of havoc that clarifies interdependencies between business units and IT systems. When assessing and valuing a cyber event, it is important to consider the entire financial impact that the event had upon business operations and to tabulate the costs associated with the forensic investigation, restoration of data and systems, corrective IT measures, notification costs, legal fees, down time for operations and reputational damage.

The cyber evaluation and risk quantification process can be useful to risk management and other functions within an enterprise both before and after an event. By identifying and quantifying cyber exposures and translating them into financial impacts to the organization, risk managers can more successfully get their leadership’s attention and support for cyber risk management initiatives. This process enables cyber risks to be managed as enterprise risks. Additionally, cyber risk management is an excellent avenue for paving relationships with IT, security, operational, and legal personnel.

A note of caution: Assigning financial valuations to cyber risks is a conceptually simple solution, but one that requires sophisticated expertise on both the cyber evaluation and the valuation sides of the exercise. Ensure that the professionals engaged have substantial expertise in both cyber assessments and business interruption valuations and have developed proven methodologies.

John D. Dempsey, CPA, CFE is the managing director and global practice leader of the Claims Preparation, Advocacy, and Valuation practice at Aon Global Risk Consulting. Jody R. Westby is CEO of Global Cyber Risk LLC, a consulting firm. They can be reached at [email protected]

More from Risk & Insurance

Risk Management

The Profession

Janet Sheiner, VP of risk management and real estate at AMN Healthcare Services Inc., sees innovation as an answer to fast-evolving and emerging risks.
By: Katie Dwyer | March 5, 2018

R&I: What was your first job?

As a kid, bagging groceries. My first job out of school, part-time temp secretary.

R&I: How did you come to work in risk management?

Risk management picks you; you don’t necessarily pick it. I came into it from a regulatory compliance angle. There’s a natural evolution because a lot of your compliance activities also have the effect of managing your risk.

R&I: What is the risk management community doing right?

There’s much benefit to grounding strategic planning in an ERM framework. That’s a great innovation in the industry, to have more emphasis on ERM. I also think that risk management thought leaders are casting themselves more as enablers of business, not deterrents, a move in the right direction.

R&I: What could the risk management community be doing a better job of?

Justified or not, risk management functions are often viewed as the “Department of No.” We’ve worked hard to cultivate a reputation as the “Department of Maybe,” so partners across the organization see us as business enablers. That reputation has meant entertaining some pretty crazy ideas, but our willingness to try and find a way to “yes” tempered with good risk management has made all the difference.

Janet Sheiner, VP, Risk Management & Real Estate, AMN Healthcare Services Inc.

R&I: What was the best location and year for the RIMS conference and why?

San Diego, of course! America’s Finest City has the infrastructure, Convention Center, hotels, airport and public transportation — plus you can’t beat our great weather! The restaurant scene is great, not to mention those beautiful coastal views.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

The emergence of risk management as a distinct profession, with four-year degree programs and specific academic curriculum. Now I have people on my team who say their goal is to be a risk manager. I said before that risk management picks you, but we’re getting to a point where people pick it.

R&I: What emerging commercial risk most concerns you?

The commercial insurance market’s ability to innovate to meet customer demand. Businesses need to innovate to stay relevant, and the commercial market needs to innovate with us. Carriers have to be willing to take on more risk and potentially take a loss to meet the unique and evolving risks companies are facing.

R&I: Of which insurance carrier do you have the highest opinion?

Beazley. They have been an outstanding partner to AMN. They are responsive, flexible and reasonable. They have evolved with us. They have an appreciation for risk management practices we’ve organically woven into our business, and by extension, this makes them more comfortable with taking on new risks with us.

R&I: Are you optimistic or pessimistic about the U.S. health care industry and why?

I am very optimistic about the health care industry. We have an aging population with burgeoning health care needs, coupled with a decreasing supply of health care providers — that means we have to get smarter about how we manage health care. There’s a lot of opportunity for thought leaders to fill that gap.

R&I: Who is your mentor and why?

Professionally, AMN Healthcare General Counsel, Denise Jackson, has enabled me to do the best work I’ve ever done, and better than I thought I could do. Personally, my husband Andrew, a second-grade teacher, who has a way of putting things into a human perspective.

R&I: What have you accomplished that you are proudest of?

In my early 20s, I set a goal for the “corner office.” I achieved that when I became vice president. I received a ‘Values in Practice’ award for trust at AMN. The nomination came from team members I work with every day, and I was incredibly humbled and honored.

R&I: What is your favorite book or movie?

The noir genre, so anything by Raymond Chandler in books. For movies, “Double Indemnity,” the 1944 Billy Wilder classic, with insurance at the heart of it!

R&I: What is your favorite drink?

Clean water. Check out for how to help people enjoy clean, safe water.

R&I: What’s the best restaurant at which you’ve eaten?

Liqun Roast Duck Restaurant in Beijing.

R&I: What is the most unusual/interesting place you have ever visited?

China. See favorite restaurant above. This restaurant had been open for 100 years in that location. It didn’t exactly have an “A” rating, and it was probably not a place most risk managers would go to.

R&I: What is the riskiest activity you ever engaged in?

Eating that duck at Liqun!

R&I: If the world has a modern hero, who is it and why?

Dr. Seuss who, in response to a 1954 report in Life magazine, worked to reduce illiteracy among school children by making children’s books more interesting. His work continues to educate and entertain children worldwide.

R&I: What do your friends and family think you do?

They’re not really sure!

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]