2018 RIMS
Crucial Cyber Peril Defense and Coverage Considerations
The rate at which the cyber peril expanded and the complexity of the coverage questions it raises present challenges that almost every risk manager and their carrier and broker partners are working as fast as they can to address.
At a Monday afternoon session at the RIMS annual conference in San Antonio, Jean Nkamdon, the risk management and compliance manager for the Washington Post, and Shiraz Saeed, the national practice leader-cyber risk for the Starr Companies, attempted to give attendees a blueprint for building a risk management bulwark to address a threat that even the most sophisticated minds in risk management and insurance find perplexing.
To begin, both Nkamdon and Saeed took pains to tell the audience the views they were expressing were their own and they were not speaking on behalf of their companies.
Launching into their discussion, they went over some of the basics of cyber risk management: quantifying the exposure, understanding the threat landscape and the importance of having a detailed knowledge of coverages, and not just your cyber coverages. It’s on that latter point that the cyber coverage issue gets so complicated that heads might start to spin.
Depending on the event, whether it be a theft of data, a hack that results in machinery malfunction, reputational damage or even bodily injury, risk managers who want to forestall damage from any of the above might want to first ask themselves who should place the coverage or take the lead in placing it.
“The biggest challenge is what broker are you going to use?” Saeed said. Should it be a cyber specialist, a property broker or a casualty broker? It’s not a question that’s easily answered, which is why one of Saeed and Nkamdon’s first recommendations, quantifying the exposure, is so important.
In quantifying the exposure and creating policies and practices to defend against an event, Nkamdon, who works for a prominent media company with its own share of online liability exposure, said expectations that a firewall or some other defense must not fail are not realistic.
“There is no foolproof system. You want to show the underwriter that you have been a prudent person,” Nkamdon said.
In Nkamdon’s case, Saeed pointed out, damage to the parts of the Washington Post infrastructure that enable reporters to file their stories and editors to edit and publish them, like an attack that brings that system down for two or three days, would be far more devastating than a data breach. Which is why, for so many companies, creating systems for quicker recovery from an attack is just as much of a priority as coverage.
“If you are not resilient, it does not matter how much insurance you have,” Nkamdon said.
Which brings us to one trending point about the cyber insurance market, which, although it is growing, is still in its adolescence. A market that began life as a product intended to cover notification, legal and credit monitoring costs is now being driven more by business interruption coverage, Saeed said.