
Exploring the Evolving Role and Scope of Cyber Risk Management

Could you give a brief overview of the current scenario of the Cyber insurance space?
Cyber insurance is a relatively new phenomenon in the insurance market and is not yet well tested—concerns still exist about its potential. As a result, understanding the cyber insurance market poses a challenge for us. The credit card theft and the class action type lawsuits revolve around companies that focus on retail. But when you’re not a retail-oriented company, your challenges are much different. The contractual liability exposures, the type of cyber liability insurance you have and ensuring that insurance is in place, while making certain that insurance would respond to the type of loss, would be just some of the details that are within the scope of work for a contract.
The primary challenge is that the contractual liabilities are relatively vague and it is up to the risk manager to understand the scope of work attached to that contract, to ensure that the cyber liability policy could respond in the event of a loss. And this is not an easy thing to accomplish, especially when you’re a risk manager like me where you have seven different major business units with seven different types of operations.
The second challenge is that cyber liability insurance is currently in the process of testing. The landscape of insurance policy language is constantly changing, and in most cases, it’s improving. But the problem is that the coverage of cyber insurance is not well known as it’s new in the market and you don’t have coverage for something until that happens. So it’s my job to ensure I understand the cyber exposures throughout our home office, the parent company, as well as our business units to guarantee that I can bundle all of the cyber exposures that we cover under one policy.
The last challenge is defining what limits of liability make sense for a certain amount that we carry, and that’s challenging. So I talk to colleagues all the time and ask them about the limits of insurance they carry, and there is no good guide for anyone right now in determining what kind of limits to carry other than carrying as much as you can afford.
What is the strategy that you follow to tackle these challenges?
I have attended forums and meetings where multiple risk managers are willing to share details of their cyber-related losses or concerns and whether or not they had coverage or had enough coverage. This is helpful, as we will be getting more information than what we could get just by reading the news where the information is limited. So I try to get information from every source I can, and then I push our brokers to go out and gather all the information they can, either from their own client experiences or from things they hear about in the industry. Also, I sit on panels with insurance companies, and we share our experiences, and we give each other feedback, and sometimes we customize policy language as well.
So carrying out all of this is a challenge, but not caring about cyber insurance is not an option. So the only thing that we can do is to ensure that we sit down and dissect all of our operations. I don’t do it by starting with the context of cyber because I think everybody narrows it down to what they know about. But it’s better to start from scratch and talk about all the things that we do and figure out the pieces that can be hacked. For instance, databases full of confidential information like a retailer, GPS, or cargo logs; I want to know everything we do, so I can figure out what part of those operations ties itself to data software or hardware. I will then backtrack and find out what your system securities are. I work very closely with our IT department at Saltchuk, and we’re building a cyber steering committee at our home office level where we all sit down twice a year and discuss all of our operations and what’s worked and hasn’t worked for cyber prevention. I take that from a risk management perspective and run with it with the brokers to continue to try and customize our policies to meet our exposures or needs.
What does the future hold for the Risk Management Services landscape?
Cyber threat actors will continue to evolve and get more sophisticated, and the good cops will always be catching up to the bad actors one step behind. But I think that as long as everybody remains vigilant and never lets their guard down from an IT perspective, then that’ll work. I believe that anybody who thinks that their IT system is not penetrable is making a huge mistake. The attacks are bound to happen, but it’s not a matter of if, it’s a matter of when. If you start from that premise and evolve from there, you’ll always stand a good chance of avoiding a massive disaster and not becoming the victims of a significant disaster, being able to recover without too much harm.
I also see the insurance industry is being responsive to the needs of their insurers, and that is really important. Also, the insurance policy language will continue to evolve and will make a big difference. Last but not least, contractually everybody who enters into scopes of work and contracts for services and even contracts for fee-for-service will have a better line of communication with each other on what’s expected of each person or organization’s security requirements. Insurance requirements and contracts have been a one-way street. If you were the main customer, you basically could dictate your terms, and somebody has to meet them, but it doesn’t work that way with cyber anymore. Thus, that part is evolving and changing, and there’s more communication between customers and suppliers as to what they need to do to protect themselves against cyber losses together.
What would be the single piece of advice that you could impart to your colleagues to excel in this space?
I would advise working in teams. Your risk management department should never be working without your IT department, COO, CEO, CFO, and chief legal officer. Cyber risk is never a matter merely for the IT team, although they clearly play a vital role. An organization’s risk management function needs a thorough understanding of the constantly evolving risks, and it’s essential to work in the team and not in a silo when it comes to cyber exposures.
