Good security controls can cut insurance costs. Well-written insurance policies require cooperation among risk managers and security pros.

Security looks at operational risk, but most big companies have officers called risk managers who actually buy insurance policies for the company. What's on their minds? If you run a security operation, you should know, because your work and their work are intertwined. CSO contributor Bob Violino recently spoke with Christopher Taylor, head of Zurich North America Commercial's Financial Institution segment, about issues related to security threats, corporate risk and insurance.

CSO: What are some of the top threats companies are concerned about today?

Christopher Taylor, Zurich NA: Based on a blind survey we did earlier this year of financial institutions, among their top concerns are: security and privacy; the impact of increasing regulations on the direction and offerings of the organization; all issues surrounding repossessed real estate [given the increase in real estate foreclosures]; and enterprise risk management, or how events such as changes in the economy could threaten their entire organization.

CSO: How are you accounting for these types of threats in creating policy products?

Taylor: When you're creating products and services for any customer you've got to find out what they need, what their real exposure is, what they're trying to accomplish and how you can help them accomplish that. The policy itself should say 'here is what we will do in case of the following circumstances'. Equally important is creating services that help the customer avoid security problems in the first place. We at Zurich try to do this by surveying the company and the industry [it is in], and designing products and services that meet their specific needs.

CSO: How can good information security controls affect policy costs and other terms?

Taylor: Any customer should really understand how they've protected information in the past and how well they are doing it now. They need to assess their ability to do that and also look at ways they can improve what they're doing. Ultimately the [cost of insurance] varies according to their particular situation.

CSO: What should security executives be ready to talk about when meeting with risk managers who are preparing to buy insurance for the company?

Taylor: Information security people, when speaking with the risk manager--as well as the C-suite executives--need to tell them what layers of security are in place, what's the likelihood of a breach and then [demonstrate] that they have done everything possible to minimize the likelihood that it's going to have a security breach. In the case of information technology nothing is bulletproof. But the idea is that the risk manager who wants to buy a policy needs to know what is being done in terms of security. In the low-tech area, information security people need to [explain] to the risk manager how they have policies and procedures in place, and monitored, that outline the steps people should take when protecting information.