CIOReview

Exploring the Evolving Role and Scope of Cyber Risk Management

Lisa McQueen, Senior Director of Risk Manager, Saltchuk

Could you give a brief overview of the current scenario of the cyber insurance space?

Cyber insurance is a relatively new phenomenon in the insurance market and is not yet well tested—concerns still exist about its potential. As a result, understanding the cyber insurance market poses a challenge for us. The credit card theft and the class action type lawsuits revolve around companies that focus on retail. But when you’re not a retail-oriented company, your challenges are much different. The contractual liability exposures, the type of cyber liability insurance you have and ensuring that insurance is in place, while making certain that insurance would respond to the type of loss, would be just some of the details that are within the scope of work for a contract.

The primary challenge is that the contractual liabilities are relatively vague and it is up to the risk manager to understand the scope of work attached to that contract, to ensure that the cyber liability policy could respond in the event of a loss. And this is not an easy thing to accomplish, especially when you’re a risk manager like me where you have seven different major business units with seven different types of operations.

The second challenge is that cyber liability insurance is currently in the process of testing. The landscape of insurance policy language is constantly changing, and in most cases, it’s improving. But the problem is that the coverage of cyber insurance is not well known as it’s new in the market and you don’t have coverage for something until that happens. So it’s my job to ensure I understand the cyber exposures throughout our home office, the parent company, as well as our business units to guarantee that I can bundle all of the cyber exposures that we cover under one policy.


The last challenge is defining what limits of liability make sense for a certain amount that we carry, and that’s challenging. So I talk to colleagues all the time and ask them about the limits of insurance they carry, and there is no good guide for anyone right now in determining what kind of limits to carry other than carrying as much as you can afford.

What is the strategy that you follow to tackle these challenges?

I have attended forums and meetings where multiple risk managers are willing to share details of their cyber-related losses or concerns and whether or not they had coverage or had enough coverage. This is helpful, as we will be getting more information than what we could get just by reading the news where the information is limited. So I try to get information from every source I can, and then I push our brokers to go out and gather all the information they can, either from their own client experiences or from things they hear about in the industry. Also, I sit on panels with insurance companies, and we share our experiences, and we give each other feedback, and sometimes we customize policy language as well.

So carrying out all of this is a challenge, but not caring about cyber insurance is not an option. So the only thing that we can do is to ensure that we sit down and dissect all of our operations. I don’t do it by starting with the context of cyber because I think everybody narrows it down to what they know about. But it’s better to start from scratch and talk about all the things that we do and figure out the pieces that can be hacked. For instance, databases full of confidential information like a retailer, GPS, or cargo logs; I want to know everything we do, so I can figure out what part of those operations ties itself to data software or hardware. I will then backtrack and find out what your system securities are. I work very closely with our IT department at Saltchuk, and we’re building a cyber steering committee at our home office level where we all sit down twice a year and discuss all of our operations and what’s worked and hasn’t worked for cyber prevention. I take that from a risk management perspective and run with it with the brokers to continue to try and customize our policies to meet our exposures or needs.

What does the future hold for the Risk Management Services landscape?

Cyber threat actors will continue to evolve and get more sophisticated, and the good cops will always be catching up to the bad actors one step behind. But I think that as long as everybody remains vigilant and never lets their guard down from an IT perspective, then that’ll work. I believe that anybody who thinks that their IT system is not penetrable is making a huge mistake. The attacks are bound to happen, but it’s not a matter of if, it’s a matter of when. If you start from that premise and evolve from there, you’ll always stand a good chance of avoiding a massive disaster and not becoming the victims of a significant disaster, being able to recover without too much harm.

I also see the insurance industry is being responsive to the needs of their insurers, and that is really important. Also, the insurance policy language will continue to evolve and will make a big difference. Last but not least, contractually everybody who enters into scopes of work and contracts for services and even contracts for fee-for-service will have a better line of communication with each other on what’s expected of each person or organization’s security requirements. Insurance requirements and contracts have been a one-way street. If you were the main customer, you basically could dictate your terms, and somebody has to meet them, but it doesn’t work that way with cyber anymore. Thus, that part is evolving and changing, and there’s more communication between customers and suppliers as to what they need to do to protect themselves against cyber losses together.

What would be the single piece of advice that you could impart to your colleagues to excel in this space?

I would advise working in teams. Your risk management department should never be working without your IT department, COO, CEO, CFO, and chief legal officer. Cyber risk is never a matter merely for the IT team, although they clearly play a vital role. An organization’s risk management function needs a thorough understanding of the constantly evolving risks, and it’s essential to work in the team and not in a silo when it comes to cyber exposures.
