When It Comes to Cyber Risk, Isolation Is Not the Best Approach for Risk Managers

By: | April 25, 2019

James Curbeam, CPCU, ARM, AIC, is the director of risk management for the Las Vegas Valley Water District. He holds a B.S. in finance from Creighton University and an executive MBA from the University of Nebraska Omaha. James has served in the following industry leadership roles: President, Nevada Chapter of RIMS; President, Nebraska Chapter of RIMS; and President of the Las Vegas CPCU Society. James is also a founding member of the American Association of Water Distribution & Management, which was formed as a Thought Leadership Lab for risk management in the water industry. He also was named the 2019 PRIMA Risk Manager of the Year. James can be reached at [email protected]

The basic job description for a risk manager is to identify, assess and mitigate potential risk that may hinder an organization from reaching its goals.

To be a risk manager, one must be courteous, diplomatic, shrewd and persuasive. A risk manager must have broad understanding about a range of issues, including insurance, safety, contract law, electricity, chemistry, mechanics and human nature.

With this wealth of knowledge, however, risk managers may buy into the hype and belief that they are “all-knowing.”

A key to success for risk managers is to understand you cannot always work in isolation. As a risk manager, one of your primary duties is to place and renew your company’s insurance program.

While renewing some lines of coverage, such as property insurance, the isolation approach may not be a detriment. Coverage such as this is straightforward for most organizations, and in most instances, coverage is applied to any cause of loss except those which are specifically excluded.

Cyber insurance, on the other hand, is more challenging and complicated.

The simple isolationist approach used for property placement may not be effective when attempting to transfer the risk of a cyber loss. The cyber threats an organization faces change constantly, and most risk managers are not “all-knowing” relative to their organization’s cyber threats and risks.

For this reason, risk managers should not attempt to place cyber insurance in isolation, but rather work collaboratively with the organization’s information technology (IT) department to gain a better understanding of these exposures.

The incidence of data breaches and hacks, unfortunately, are becoming a regular phenomenon. In 2018, well-known organizations, including Facebook, Marriott, British Airways, Ticketmaster and Google, experienced data breaches. As cyber criminals become even more sophisticated, the adage “the further you are from you last breach incident, the closer you are to your next breach incident” seems to hold true.

So as a risk manager, what is in our toolbox to help us comply with our job description identify, assess and mitigate potential risk that may hinder an organization from reaching its goals?

Under the isolation approach, if we assume your IT department has all the adequate technology in place, the risk manager can simply complete the insurance application and transfer the risk to a reputable carrier. All the boxes have been checked, identified, assessed and mitigated.

While this seems simple, the risk manager has missed a big opportunity to better understand the cyber security threats, which may result in gaps in coverage or challenges in recovery from a breach.

A risk manager working in collaboration and not isolation may take a different approach: The collaborative risk manager recognizes they are not “all-knowing” relative to cyber threats that face the organization; therefore, they enlist those who are.

The first step is to engage your IT department.

Work with your organization’s data security personnel to understand potential exposures. The data security team should develop a variety of claim scenarios that could compromise the organization’s data systems. Then engage your insurance carrier to conduct a tabletop exercise and analyze how the policy responds to each claims scenario.

This is a great way to identify any gaps in coverage that may exist.

The second step is to develop a plan and identify your partners.

Who are your breach response providers? Who is your breach defense counsel? Do you need to hire a public relations team to provide communications support in the event of an incident or are your internal resources adequate?

Risk managers must rely on internal and external partners to ensure adequate planning and preparation to prevent or recover from a cyber-related breach.

The third step is to have agreements in place with these partners prior to an incident. 

The worse time to try and vet and negotiate an agreement for these services is while an incident is occurring.

Work with your insurance carrier to get a list of approved providers and begin securing your partners’ services. In most cases, you may find the carrier has already obtained preferred rates for a lot of these services. Then make sure you maintain your relationships with your partners — check in with them every few times a year and reaffirm their roles and responsibilities in the event of an incident.

Some insurance renewals may be simple, and the isolationist approach is appropriate. This is not, however, recommended for cyber insurance. Risk managers are not “all-knowing” and must work collaboratively to identify, assess and mitigate potential risk to the organization by taking a team approach. &

More from Risk & Insurance

More from Risk & Insurance