Cyber Top of Mind for Public Risk Managers
Public risk managers are expecting cyber challenges to escalate in the coming years, and are actively searching for mitigation strategies to help them meet those challenges head-on.
Several dozen public risk managers met on Monday afternoon at the RIMS convention in Denver for a session on Public Entities: Risk Management Issues and Strategies.
The session, moderated by Marsh workers’ comp market research leader Mark Walls, included panelists Laura Peterson, director of risk management for the University of Wyoming; Michael Fann, director of loss control for The Pool; Debra Darnofall, risk manager for the city of Longmont, Colo.; Stewart Ellenberg, risk manager for the city of Boulder, Colo.; Raymond Sibley, director of risk management for the city and county of Denver; and Betty Coulte, director of risk management and insurance for the University of North Carolina at Charlotte.
The free-form, interactive session touched upon some of the key issues public risk managers are neck-deep in right now, including the broad spectrum of cyber risks.
Public entities are doing more online than ever before. Yet by a show of hands, only a handful of those in attendance had already purchased cyber coverage for their organizations. Some risk managers were hamstrung by state rules disallowing the purchase of cyber coverage, but risk managers seem determined to change that.
“This is the coverage of the future and we should all be looking at it,” said one city risk manager. Some entities have already had a taste of what it will mean to continue going forward without cyber coverage. One university recently had to pull $2 million out of its pockets to cover costs related to a simple breach, even though no protected data was actually stolen.
In terms of developing programs for managing enterprisewide cyber risks, many public risk managers are also facing heavy pushback from IT. Department managers often have an “It’ll never happen here” mentality, and presume that risk management is questioning their competency as well as their authority.
University risk managers, in particular, have a unique and alarming brand of social-media related liability to contend with.
One university risk manager related a situation involving students creating a Facebook page where anonymous posters were disclosing information about the names, residences, class schedules and workplaces of female students, in some cases including messages of a sexual and/or violent nature – seriously compromising the safety of the students identified. Aggravating liability issues for the university, the Facebook page used the university’s name and photos from its website.
Marijuana related issues are also opening up new cans of worms for public entities, as the laws continue to evolve. “In my opinion, we’ve created a lot of problems for the future,” said one city risk manager.
One point of concern is that marijuana currently available is typically of higher potency than in years past, and there’s an increased risk of overconsumption, particular in the area of edibles. That concern is spilling over from regions where marijuana is legal into neighboring states where it is not. Some university risk managers in bordering states are seeing a sharp increase in pot-related campus incidents. Other unexpected side effects of pot legalization include the need to retrain or replace drug-sniffing dogs and the increased risk of theft for marijuana shop owners coming to make their tax payments in cash.
Speakers and attendees exchanged ideas about fostering positive relationships with law enforcement agencies, which typically don’t react well to what they perceive as interference from risk management.
One city risk manager stressed the importance of demonstrating to law enforcement that “risk management is not the enemy.” Aligning risk management strategies with law enforcement culture and value is one strategy public risk managers are using to overcome that hurdle.