The “hacktivists” are coming–are your clients ready?

Client confusion offers brokers, consultants, an educational opportunity.

When hackers broke into Sony Corp. databases recently, they found a cyber criminal’s motherlode: roughly 12 million credit card numbers. Their haul is now the company’s headache–the breach could cost the technology giant up to $2 billion to clean up.

Most companies know their client and employee data is valuable, but despite high-profile examples of online vulnerability, few heed growing cyber risks or even know what they might cost, according to findings from Towers Watson’s 2011 Risk and Finance Manager Survey.

Canadian Insurance Top Broker spoke to Larry Racioppo, head of Towers Watson’s executive liability practice, and Corey Gooch, senior ERM consultant, about client awareness of–and action on–cyber risks.

CITB: The survey found that only 27% of survey respondents have some kind of cyber liability coverage. What accounts for the gap between awareness and action?

LR: A couple of things: some feel that their own internal IT controls are adequate. And [that's] interesting [because] it speaks to an over-reliance on the IT department–even the best IT department can’t control a lost laptop or Blackberry. And that’s where a risk transfer solution can come in handy. The survey found that 15% are not overly concerned about the risk. That tells me that brokers and risk consultants need to do a better job of educating them about the risks and exposures.

The same holds true for the percentage who said they were unable to understand the value of information assets and the cost of a breach. We need to do a better job in that area as well. We like to work with risk assessment firms–the risk management solution is fine, but even before you get there, it makes sense to have a better sense of where the exposures lie, and to quantify the exposures.

CITB: Reports put Sony’s exposure to their latest breach in the $2 billion range. Do clients have access to that kind of coverage?

LR: There aren’t enough insurers or capacity to insure against that level of exposure. That said, there are enough markets–20 to 25 offer it–so, upwards of $150 million or even as high as $200 to $250 million is within striking distance when constructing a program.

CG: Clients need to look at multiple options, including risk transfer. It’s one of the tools they need to look at. We don’t discount the fact that they have IT security departments and controls in place, but recent events at Sony and Epsilon show that even world-class organizations are having security breaches. You can’t forget that cyber criminals are patient, well funded and will stop at nothing to get around it, especially [in] this world of “hacktivists” who are looking for ways to get into these large organizations.

Even with the best security controls in place, it still might not be enough. They need to continually evaluate those and look at other mitigation solutions like insurance, which is a relatively cheap source of capital for recovery in the event that [breaches] occur.

CITB: This risk runs across industries. Every company has consumer data, employee data and other information to lose. Do some think they’re not at risk because they’re not a Sony?

LR: That might be part of it. I think organizations are starting to come around. The retail sector, the financial institutions and the healthcare sector were the early buyers. We’re getting beyond that now, but I don’t think we’re where we need to be.

CITB: What else can they do to mitigate the risk?

LR: It starts with risk assessment and making sure they’re doing all they can from a diligence standpoint, working with independent third parties. In the event of a lawsuit, you want to be sure you’re prepared. It’s similar to how we counsel clients on employee practices–even the best practices aren’t going to prevent an employee from suing you. That said, when it happens, there are certain things you can and should be doing to put yourself in a better position to defend the lawsuit. That holds true in the cyber world. There are best practices you should be following, because at the end of the day [a breach] may be inevitable.

CITB: Should organizations ramp up Enterprise Risk Management [ERM]?

CG: It’s one area organizations should be looking at. It’s also something that continually evolves. Recent events have shown that at one point in time, the security controls were considered top of the line.

But over time, if you don’t keep up with new security patches, new protocols, new ways of doing business and protecting your data or your customers’ data, they become outdated and people find ways around them. It needs to be continually monitored [and] risk assessment will help companies understand where the vulnerabilities are in their cyber security program, what they are doing about it, and what else they need to be doing.

CITB: What kinds of conversations should brokers be having with clients?

LR: Even with some of the ancillary lines of coverage–D&O and E&O–talk about risks and exposure, the markets available. Make sure you’re having those meaningful conversations.

CG: When you couple that kind of analysis with more assessment work, it will help you in two ways: it will help you understand how big the risk exposure is from a quantitative perspective. So–are the mitigations effective or not? And it will give you some kind of basis to gauge whether you’re willing to take that risk or not. If not, what’s the risk appetite for the organization? Then, you can begin to measure ROI on any of the risk mitigation strategies you’re looking at.


© 2010-2012 Rogers Publishing Limited. All rights reserved.