How to Keep the Board Aligned and Invested in Your Cyber Security

A board that isn’t proactive in protecting against cyber attacks is a board vulnerable to regulatory fines, reputation damage and public scrutiny.
March 11, 2019 • 6 min read

Cyber risk ten years ago looks nothing like cyber risk today. In that same vein, cyber risk ten months ago looks nothing like cyber risk today.

With technology ever-changing, and more and more companies incorporating these advancements into day-to-day operations, “every company today has become a tech company,” said Tom Mackey, risk management consultant, EPIC Insurance Brokers & Consultants.

Some may argue they’re not, but Mackey said most companies have some type of technological element to their business — from electronic payment schedules to electronic files. Even email is an open door for cyber attackers. “Cyber security is a company-wide issue; not just an IT issue,” he said.

“There’s a belief tech will solve our problems,” added Shawn Ram, head of insurance, Coalition Inc. “But with tech comes risk and security concerns.”

It’s no wonder, then, that there’s a growing interest in incorporating the board in cyber conversations. As cyber crimes grow in sophistication and data privacy regulations like GDPR come into play, company directors will undoubtedly be held liable for cyber breaches that compromise customer data and erode shareholder value. Just look at NotPetya and the aftermath of that malware attack.

“The standard of care goes beyond ignorance. ‘I didn’t understand’ is no longer a valid reason,” Ram said.

Boards are likely to be held accountable if they don’t proactively combat their companies’ cyber risks. The problem, however, is that “generally, risk management understands the role and understands the objectives [of the board], but struggles with how to communicate upward,” said Ram.

So what can be done?

Knowing What to Ask

First, while a board should understand its cyber vulnerabilities, that doesn’t mean the board has to be the most up-to-date on every aspect of cyber exposure. Cyber security is a technical field; having a universal language on cyber is important.

“Boards don’t need to be experts. But they need to know the right questions to ask,” said Evan Fenaroli, cyber product manager, Philadelphia Insurance.

“In evaluating cyber, the board should have an understanding of the company’s digital assets. If you don’t know what your assets are, you won’t know what to do.”

Ram added that assets used to be considered tangible things — like machinery — “today it’s intellectual property. Digital assets.” If the board isn’t thinking about its data like it’s an asset, it’s going to face scrutiny.

Here’s where risk management can shine: “Establish metrics around cyber security. Establish how to quantify cyber risks within your organization,” which includes knowing, finding, and proposing ways to ensure regulatory compliance, he said.

The more familiar the board is with the technological infrastructure, the more likely it is to understand the technological exposures.

Dan Frusciano, vice president of cyber for Ironshore Professional Lines, added: “The more knowledge from the top down in cyber, the better.”

He reiterated that a board doesn’t need to know every kind of cyber risk and cover, “but they should know if their organization can be targeted and why they might be. From there, they have to figure out the best way to protect the company,” he said.

To do just that, all committees and the board need to start with the right information, EPIC’s Mackey explained. “Where are we exposed and what can we put in place to handle those exposures?

“You could hire someone to develop a program that may sit on your shelf for a year — it’s a check in the box, but that’s not a true solution,” Mackey said.

Instead, building a team can be the best proactive step to effectively communicate cyber risk.

Building the Best Cyber Team

But who should be included on that team? The board and the risk management department are no-brainers: “Risk management in general should be central to the conversation. Those are the people involved in buying insurance,” said Fenaroli.

“Communicating the actual threat has become easier. Five years ago, you would hear that it was an IT issue. But I think it’s been made clear in the news and through other organizations that cyber can be debilitating.”

“Board members are realizing this risk is there and they want to talk about it,” Brendan Goodwin, regional cyber director-Northeast, Gallagher, added. He said that in addition to risk management, “every member of your executive committee and your IT members” should be included on the cyber team.

“The relationship between the CIO and board is critical,” said Ram.

Others agreed; Fenaroli went a step further and said that there should be a definitive difference between a company’s technology officer and its information security officer, because each focuses on different avenues of cyber.

Additionally, the following should be a part of the cyber team:

C-Suite – “The board, the whole C-suite, should be involved,” said Frusciano. “Those are your decision makers.”

The Legal Team – “They know the regulatory environment and what’s going on,” said Ram. “The board needs to have an understanding of where they have an impact on regulations.”

Human Resources – Almost acting as an extension of legal, HR keeps employees up-to-date on cyber policies. Ram said, “Legal will oftentimes bring in HR, which then is instrumental in training cyber security.”

Operations – It’s good to have someone from the logistics side who understands the impact of a cyber attack.

Your Broker – “The broker’s role should be highly integral to the board to manage this risk,” said Mackey. He suggested the broker be a part of the cyber security planning phase so that they may be able to introduce the company into the insurance market and explain exactly what their needs are.

“The broker should play a prominent role. They see how [their client’s] peers address cyber security and can determine best practices. They should be at the discussion table,” added Goodwin.

“In a way, this whole team is risk management. Everyone is playing a risk management role,” Ram said.

Defining the Risks and Staying Proactive

“Scrutiny can come from all angles,” said Fenaroli. He added that any breach could be scrutinized no matter the size or type of company. Class actions, he said, are not unique to publicly traded companies; he’s seen nonprofits and private companies fall victim to a cyber breach’s repercussions.

“From a cyber threat perspective, it’s common to think at the high, nation-state level. But many smaller threats exist below,” said Ram.

That could include spearphishing and email phishing scams, data breaches, patch management failures, compromised login credentials, host service inequalities and more.

All these cyber incidents can lead to D&O claims and to scrutiny of whether the board had “appropriate” mitigation strategies in place or regulatory matters in hand, continued Ram. Technology is driving sales, supply chains, HR — “Information security needs to be at a level that goes beyond the CEO, because of how integrated technology is in companies.”

“Depending on the type of company you are, you can lose the faith of your customers. Regulatory fines are a monetary concern, as well,” said Frusciano.

And taking a reputational hit may also affect the company’s ability to attract the best talent, suppliers and investors.

“More and more brokers are coming out with assessments on how to work with the IT team,” continued Frusciano.

Experts agreed that table-top exercises are a great educational tool for every cyber team.

“They can help see any holes in the [cyber breach] plan,” said Gallagher’s Goodwin. “It’s the hands-on approach to see if a risk team and its company’s executives are prepared to take the right steps.”

Autumn Heisler is the digital producer and a staff writer at Risk & Insurance®.

More from Risk & Insurance

Exclusive | Hank Greenberg on China Trade, Starr’s Rapid Growth and 100th, Spitzer, Schneiderman and More

In a robust and frank conversation, the insurance legend provides unique insights into global trade, his past battles and what the future holds for the industry and his company.
October 12, 2018 • 12 min read

In 1960, Maurice “Hank” Greenberg was hired as a vice president of C.V. Starr & Co. At age 35, he had already accomplished a great deal.

He served his country as part of the Allied Forces that stormed the beaches at Normandy and liberated the Nazi death camps. He fought again during the Korean War, earning a Bronze Star. He held a law degree from New York Law School.

Now he was ready to make his mark on the business world.

Even C.V. Starr himself — who hired Mr. Greenberg and later hand-picked him as the successor to the company he founded in Shanghai in 1919 — could not have imagined what a mark it would be.

Mr. Greenberg began to build AIG as a Starr subsidiary, then in 1969, he took it public. The company would, at its peak, achieve a market cap of some $180 billion and cement its place as the largest insurance and financial services company in history.

This month, Mr. Greenberg travels to China to celebrate the 100th anniversary of C.V. Starr & Co. That visit occurs at a prickly time in U.S.-Sino relations, as the Trump administration levies tariffs on hundreds of billions of dollars in Chinese goods and China retaliates.

In September, Risk & Insurance® sat down with Mr. Greenberg in his Park Avenue office to hear his thoughts on the centennial of C.V. Starr, the dynamics of U.S. trade relationships with China and the future of the U.S. insurance industry as it faces the challenges of technology development and talent recruitment and retention, among many others. What follows is an edited transcript of that discussion.


R&I: One hundred years is quite an impressive milestone for any company. Celebrating the anniversary in China signifies the importance and longevity of that relationship. Can you tell us more about C.V. Starr’s history with China?

Hank Greenberg: We have a long history in China. I first went there in 1975. There was little there, but I had business throughout Asia, and I stopped there all the time. I’d stop there a couple of times a year and build relationships.

When I first started visiting China, there was only one state-owned insurance company there, PICC (the People’s Insurance Company of China); it was tiny at the time. We helped them to grow.

I also received the first foreign life insurance license in China, for AIA (The American International Assurance Co.). To date, there has been no other foreign life insurance company in China. It took me 20 years of hard work to get that license.

We also introduced an agency system in China. They had none. Their life company employees would get a salary whether they sold something or not. With the agency system of course you get paid a commission if you sell something. Once that agency system was installed, it went on to create more than a million jobs.

R&I: So Starr’s success has meant success for the Chinese insurance industry as well.

Hank Greenberg: That’s partly why we’re going to be celebrating that anniversary there next month. That celebration will occur alongside that of IBLAC (International Business Leaders’ Advisory Council), an international business advisory group that was put together when Zhu Rongji was the mayor of Shanghai [Zhu is since retired from public life]. He asked me to start that to attract foreign companies to invest in Shanghai.

Shanghai and China in general were just coming out of the doldrums then; there was a lack of foreign investment. Zhu asked me to chair IBLAC and to help get it started, which I did. I served as chairman of that group for a couple of terms. I am still a part of that board, and it will be celebrating its 30th anniversary along with our 100th anniversary.

We have a good relationship with China, and we’re candid as you can tell from the op-ed I published in the Wall Street Journal. I’m told that my op-ed was received quite well in China, by both Chinese companies and foreign companies doing business there.

On August 29, Mr. Greenberg published an opinion piece in the WSJ reminding Chinese leaders of the productive history of U.S.-Sino relations and suggesting that Chinese leaders take pragmatic steps to ease trade tensions with the U.S.

R&I: What’s your outlook on current trade relations between the U.S. and China?

Hank Greenberg: As to the current environment, when you are in negotiations, every leader negotiates differently.

President Trump is negotiating based on his well-known approach. What’s different now is that President Xi (Jinping, General Secretary of the Communist Party of China) made himself the emperor. All the past presidents in China before the revolution had two terms. He’s there for life, which makes things much more difficult.

R&I: Sure does. You’ve got a one- or two-term president talking to somebody who can wait it out. It’s definitely unique.

Hank Greenberg: So, clearly a lot of change is going on in China. Some of it is good. But as I said in the op-ed, China needs to be treated like the second largest economy in the world, which it is. And it will be the number one economy in the world in not too many years. That means that you can’t use the same terms of trade that you did 25 or 30 years ago.

They want to have access to our market and other markets. Fine, but you have to have reciprocity, and they have not been very good at that.

R&I: What stands in the way of that happening?

Hank Greenberg: I think there are several substantial challenges. One, their structure makes it very difficult. They have a senior official, a regulator, who runs a division within the government for insurance. He keeps that job as long as he does what leadership wants him to do. He may not be sure what they want him to do.

For example, the president made a speech many months ago saying they are going to open up banking, insurance and a couple of additional sectors to foreign investment; nothing happened.

The reason was that the head of that division got changed. A new administrator came in who was not sure what the president wanted so he did nothing. Time went on and the international community said, “Wait a minute, you promised that you were going to do that and you didn’t do that.”

So the structure is such that it is very difficult. China can’t react as fast as it should. That will change, but it is going to take time.

R&I: That’s interesting, because during the financial crisis in 2008 there was talk that China, given their more centralized authority, could react more quickly, not less quickly.

Hank Greenberg: It turns out that it is harder to change, because they have one leader. My guess is that we’ll work it out sooner or later. Trump and Xi have to meet. That will result in some agreement that will get to them and they will have to finish the rest of the negotiations. I believe that will happen.

R&I: Obviously, you have a very unique perspective and experience in China. For American companies coming to China, what are some of the current challenges?

Hank Greenberg: Well, they very much want to do business in China. That’s due to the sheer size of the country, at 1.4 billion people. It’s a very big market and not just for insurance companies. It’s a whole range of companies that would like to have access to China as easily as Chinese companies have access to the United States. As I said previously, that has to be resolved.

It’s not going to be easy, because China has a history of not being treated well by other countries. The U.S. has been pretty good in that way. We haven’t taken advantage of China.

R&I: Your op-ed was very enlightening on that topic.

Hank Greenberg: President Xi wants to rebuild the “middle kingdom,” to what China was, a great country. Part of that was his takeover of the South China Sea rock islands during the Obama Administration; we did nothing. It’s a little late now to try and do something. They promised they would never militarize those islands. Then they did. That’s a real problem in Southern Asia. The other countries in that region are not happy about that.

R&I: One thing that has differentiated your company is that it is not a public company, and it is not a mutual company. We think you’re the only large insurance company with that structure at that scale. What advantages does that give you?

Hank Greenberg: Two things. First of all, we’re more than an insurance company. We have the traditional investment unit with the insurance company. Then we have a separate investment unit that we started, which is very successful. So we have a source of income that is diverse. We don’t have to underwrite business that is going to lose a lot of money. Not knowingly anyway.

R&I: And that’s because you are a private company?

Hank Greenberg: Yes. We attract a different type of person in a private company.

R&I: Do you think that enables you to react more quickly?

Hank Greenberg: Absolutely. When we left AIG there were three of us. Myself, Howie Smith and Ed Matthews. Howie used to run the internal financials and Ed Matthews was the investment guy coming out of Morgan Stanley when I was putting AIG together. We started with three people and now we have 3,500 and growing.

R&I: You being forced to leave AIG in 2005 really was an injustice, by the way. AIG wouldn’t have been in the position it was in 2008 if you had still been there.

Hank Greenberg: Absolutely not. We had all the right things in place. We met with the financial services division once a day every day to make sure they stuck to what they were supposed to do. Even Hank Paulson, the Secretary of Treasury, sat on the stand during my trial and said that if I’d been at the company, it would not have imploded the way it did.

R&I: And that fateful decision the AIG board made really affected the course of the country.

Hank Greenberg: So many people lost all of their net worth. The new management was taking on billions of dollars’ worth of risk with no collateral. They had decimated the internal risk management controls. And the government takeover of the company when the financial crisis blew up was grossly unfair.

From the time it went public, AIG’s value had increased from $300 million to $180 billion. Thanks to Eliot Spitzer, it’s now worth a fraction of that. His was a gross misuse of the Martin Act. It gives the Attorney General the power to investigate without probable cause and bring fraud charges without having to prove intent. Only in New York does the law grant the AG that much power.

R&I: It’s especially frustrating when you consider the quality of his own character, and the scandal he was involved in.

In early 2008, Spitzer was caught on a federal wiretap arranging a meeting with a prostitute at a Washington Hotel and resigned shortly thereafter.

Hank Greenberg: Yes. And it’s been successive. Look at Eric Schneiderman. He resigned earlier this year when it came out that he had abused several women. And this was after he came out so strongly against other men accused of the same thing. To me it demonstrates hypocrisy and abuse of power.

Schneiderman followed in Spitzer’s footsteps in leveraging the Martin Act against numerous corporations to generate multi-billion dollar settlements.

R&I: Starr, however, continues to thrive. You said you’re at 3,500 people and still growing. As you continue to expand, how do you deal with the challenge of attracting talent?

Hank Greenberg: We did something last week.

On September 16th, St. John’s University announced the largest gift in its 148-year history. The Starr Foundation donated $15 million to the school, establishing the Maurice R. Greenberg Leadership Initiative at St. John’s School of Risk Management, Insurance and Actuarial Science.

Hank Greenberg: We have recruited from St. John’s for many, many years. These are young people who want to be in the insurance industry. They don’t get into it by accident. They study to become proficient in this and we have recruited some very qualified individuals from that school. But we also recruit from many other universities. On the investment side, outside of the insurance industry, we also recruit from Wall Street.

R&I: We’re very interested in how you and other leaders in this industry view technology and how they’re going to use it.

Hank Greenberg: I think technology can play a role in reducing operating expenses. In the last 70 years, you have seen the expense ratio of the industry rise, and I’m not sure the industry can afford a 35 percent expense ratio. But while technology can help, some additional fundamental changes will also be required.

R&I: So as the pre-eminent leader of the insurance industry, what do you see in terms of where insurance is now and where it’s going?

Hank Greenberg: The country and the world will always need insurance. That doesn’t mean that what we have today is what we’re going to have 25 years from now.

How quickly the change comes and how far it will go will depend on individual companies and individual countries. Some will be more brave than others. But change will take place, there is no doubt about it.

More will go on in space, there is no question about that. We’re involved in it right now as an insurance company, and it will get broader.

One of the things you have to worry about is it’s now a nuclear world. It’s a more dangerous world. And again, we have to find some way to deal with that.

So, change is inevitable. You need people who can deal with change.

R&I: Is there anything else, Mr. Greenberg, you want to comment on?

Hank Greenberg: I think I’ve covered it.
