Putting a Price On Cyber Risk

Most boards of directors are not reviewing insurance coverage for cyber-related risks.
By: John D. Dempsey and Jody R. Westby | October 1, 2013 • 6 min read

To engage senior executives and boards of directors in cyber security issues, risk managers must equate cyber risks with direct impact to business operations and the bottom line.

As cyber threats become more sophisticated, risk managers and the organizations they serve face significant challenges in understanding and managing the evolving exposures.

Cyber criminals today are targeting high-value intellectual property and confidential data, and are exploiting web applications, mobile devices and social media sites to reach their desired targets. They operate in stealth mode, and their presence is increasingly hard to detect.

Trustwave’s 2013 Global Security Report revealed that attacks on e-commerce sites accounted for 48 percent of all investigations. The report also indicated that the detection of attacks is not immediate: 64 percent of the organizations attacked took more than 90 days to detect an intrusion and the average detection time was 210 days.

Additionally, in nearly two-thirds of the investigations, a third party responsible for system support, development or maintenance had introduced the security vulnerabilities that the attackers exploited.

Today, every company is vulnerable. Cyber risks have increased with outsourcing and clouds, the vast amount of data available, and the use of personal devices for corporate business. The responsibility for managing cyber risks, however, extends beyond the risk manager and IT department. Cyber risks are an enterprise issue that must be managed throughout the organization, including top management and the board of directors.

Cyber Risks Require Governance

Boards and senior executives, however, aren’t adequately engaged in the management of cyber risks. According to the 2012 CyLab Governance of Enterprise Security Report, boards and senior executives aren’t involved in the risk management of privacy and security, nor are they focused on the activities that represent effective governance in this area. For example, 57 percent of the respondents (from the Forbes Global 2000 list) indicated that their boards were not reviewing insurance coverage for cyber-related risks.

In large part, they don’t know how to exercise appropriate governance over the privacy and security of their digital assets. The four primary challenges are organizational and informational:

* Knowledge. Most boards and executives don’t understand their organization’s cyber vulnerabilities and their roles and responsibilities in effectively governing these risks, and they don’t have adequate informational flows established to keep them apprised of their organization’s security profile.

* Access. Most risk managers aren’t closely linked to their IT departments. They don’t have adequate information about cyber risks, and aren’t equipped to manage technology risks.

* Communication. Most CIOs and CISOs (chief information security officers) don’t know how to effectively communicate with the C-suite (much less the board) to get their attention and assistance on cyber security matters.

* Prioritization. Risk managers and senior executives have not endeavored to quantify the financial impact of potential cyber events, and are therefore unable to prioritize mitigation spending or establish proper limits of liability on cyber liability insurance programs.

The connection between the lack of governance and insurance should not be ignored. Most boards regularly review their insurance coverage and risk profile. So why is cyber neglected? Senior executives and boards may not have been engaged on cyber security issues because they haven’t been able to equate cyber risks with direct impact to business operations and the bottom line.

Getting Attention at the Top

Risk managers play an important role in bringing cyber risks to the attention of senior management and coordinating resources to assess and mitigate cyber exposures. The key may lie in the risk manager’s ability to translate all risks, including those involving cyber, into financial numbers that can be used by executives and boards to set strategies, allocate funding and integrate the issue into corporate planning and financial management. Valuations associated with business interruptions and exposures associated with cyber risks enable executives to incorporate cyber considerations into their decision-making processes, including appropriate insurance coverage.

Experience-based methodologies can help management better understand, manage and quantify cyber risk exposures. Risk managers need to work with IT and security personnel to establish a baseline assessment of an organization’s cyber exposures and vulnerabilities, and to use that for a comprehensive analysis and quantification of the financial consequences of first-party and third-party loss exposures. This process requires significant expertise in security risks, cross-functional capabilities, and loss and exposure assessment.

Effective cyber risk valuations should encompass assessments of the following:

* Risks associated with IT architecture and privacy and security programs.

* Cyber-related business interruption and supply chain risks.

* Business impacts resulting from the loss, disclosure or sabotage of intellectual property and/or confidential information.

* Loss potential from breaches of personally identifiable information.

* Cyber risks associated with third-party providers.

* Reputational impacts of cyber incidents.

* Response costs of forensic investigations, malware eradication, and system clean-up.

* First- and third-party loss exposures.

A cyber risk assessment that is translated into business interruption valuations provides quantifiable information that boards and senior executives need to allocate resources for the effective management of cyber exposures. Armed with this information, and with the backing of leadership, risk managers can collaborate with finance, IT, operations, marketing, HR and individual business units to ensure that appropriate cyber risk mitigation strategies and effective emergency response and business continuity plans are developed. Moreover, the process also establishes factual input that helps an organization determine what cyber insurance coverage it needs and what levels of coverage are appropriate.

Often, however, these exercises aren’t undertaken until after a cyber incident. Even then, the process is useful for establishing appropriate limits of liability and a basis for claims.

Post-Event Loss

Cyber evaluations and risk quantifications are equally valuable after a cyber event occurs. In many cases, an assessment/valuation process can be useful in assessing what happened, determining the cost of appropriate investigative and response measures, and helping establish appropriate limits of liability and a basis for claims.

Post-event assessments provide an excellent financial basis for informing boards and senior executives of IT and security issues, and providing a justification for executive attention to digital threats. In many cases, assessment and valuation expertise is needed to support claim preparation.

A cyber incident can spill into numerous business operations and create the kind of havoc that clarifies interdependencies between business units and IT systems. When assessing and valuing a cyber event, it is important to consider the entire financial impact that the event had upon business operations and to tabulate the costs associated with the forensic investigation, restoration of data and systems, corrective IT measures, notification costs, legal fees, down time for operations and reputational damage.

The cyber evaluation and risk quantification process can be useful to risk management and other functions within an enterprise both before and after an event. By identifying and quantifying cyber exposures and translating them into financial impacts on the organization, risk managers can more successfully gain their leadership’s attention and support for cyber risk management initiatives. This process enables cyber risks to be managed as enterprise risks. Additionally, cyber risk management is an excellent avenue for building relationships with IT, security, operational and legal personnel.

A note of caution: Assigning financial valuations to cyber risks is a straightforward idea, but one that requires sophisticated expertise on both the cyber evaluation and the valuation sides of the exercise. Ensure that the professionals engaged have substantial expertise in both cyber assessments and business interruption valuations and have developed proven methodologies.

John D. Dempsey, CPA, CFE is the managing director and global practice leader of the Claims Preparation, Advocacy, and Valuation practice at Aon Global Risk Consulting. Jody R. Westby is CEO of Global Cyber Risk LLC, a consulting firm. They can be reached at [email protected]

More from Risk & Insurance

2018 Risk All Stars

Stop Mitigating Risk. Start Conquering It Like These 2018 Risk All Stars

The concept of risk mastery and ownership, as displayed by the 2018 Risk All Stars, includes not simply seeking to control outcomes but taking full responsibility for them.
By: Dan Reynolds | September 14, 2018 • 3 min read

People talk a lot about how risk managers can get a seat at the table. The discussion implies that the risk manager is an outsider, striving to get the ear or the attention of an insider, the CEO or CFO.
But there are risk managers who go about things in a different way. And the 2018 Risk All Stars are prime examples of that.

These risk managers put their passion, creativity and perseverance in gear to become masters of a situation, pushing aside any notion that they are anything other than key players.

Goodyear’s Craig Melnick had only been with the global tire maker a few months when Hurricane Harvey dumped a record amount of rainfall on Houston.

Brilliant communication between Melnick and his new teammates gave him timely and valuable updates on the condition of manufacturing locations. Melnick remained in Akron, mastering the situation by moving inventory out of the storm’s path and making sure remediation crews were lined up ahead of time to give Goodyear its best leg up once the storm passed and the flood waters receded.

Goodyear’s resiliency in the face of the storm gave it credibility when it went to the insurance markets later that year for renewals. And here is where we hear a key phrase, produced by Kevin Garvey, one of Goodyear’s brokers at Aon.

“The markets always appreciate a risk manager who demonstrates ownership,” Garvey said, in what may be something of an understatement.

Dianne Howard, a 2018 Risk All Star and the director of benefits and risk management for the Palm Beach County School District, achieved ownership of $50 million in property storm exposures for the district.

With FEMA saying it wouldn’t pay again for district storm losses it had already paid for, Howard went to the London markets and was successful in getting coverage. She also hammered out a deal in London that would partially reimburse the district if it suffered a mass shooting and needed to demolish a building, like what happened at Sandy Hook in Connecticut.

2018 Risk All Star Jim Cunningham was well-versed enough to know what traditional risk management theories would say when hospitality workers were suffering too many kitchen cuts. “Put a cut-prevention plan in place,” is the traditional wisdom.

But Cunningham, the vice president of risk management for the gaming company Pinnacle Entertainment, wasn’t satisfied with what looked to him like a Band-Aid approach.
Instead, he used predictive analytics, depending on his own team to assemble company-specific data, to determine which safety measures should be used company wide. The result? Claims frequency at the company dropped 60 percent in the first year of his program.

Alumine Bellone, a 2018 Risk All Star and the vice president of risk management for Ardent Health Services, faced an overwhelming task: Create a uniform risk management program when her hospital group grew from 14 hospitals in three states to 31 hospitals in seven.

Bellone owned the situation by visiting each facility right before the acquisition and again right after, to make sure each caregiving population was ready to integrate into a standardized risk management system.

After consolidating insurance policies, Bellone achieved $893,000 in synergies.

In each of these cases, and in more on the following pages, we see examples of risk managers who weren’t just knocking on the door; they were owning the room.

Risk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, clarity of vision and passion.

See the complete list of 2018 Risk All Stars.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]